Thanks for your reply,
Yes, it's working :)
My answer is below.
On Tue, Feb 05, 2019 at 08:52:27AM +0000, Martial CHAVIGNY wrote:
Hi everyone,
In a dev environment, with SSSD 1.16.2 (release 13.el7_6.5) on RHEL 7.6,
SSSD is configured to query the mch.dev domain. The trusted subdomain
sub.mch.dev exists (Win2k16).
On mch.dev, I have a user 'user1' in the universal groups 'G_TEST' and
'allowed_ssh'. These groups are also located in the mch.dev domain.
On sub.mch.dev, I have only the user 'user2'. 'user2' is placed in
'G_TEST' and 'allowed_ssh'.
When I look up a user from the mch.dev domain with `id mch\user1`, I get this
result: `uid=83701115(user1) gid=513(sssdgrp)
groups=513(sssdgrp),83701107(allowed_ssh),83701117(g_test)`, but for `id
sub\user2`, who is in the same groups (universal, child trust), I get
`uid=69901104(user2) gid=69901104(user2) groups=69901104(user2)`
without the group names.
getent works fine: `getent group 'g_test'` returns
`g_test:*:83701117:user2,user1,mch`
Why do I not get the group names for user2?
This looks like an error:
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sysdb_search_object_attr] (0x0400): No such entry.
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sysdb_get_real_name] (0x0040): Cannot find user [user2@mch.dev] in cache
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_user] (0x0040): Cannot canonicalize username
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sdap_id_op_done] (0x4000): releasing operation connection
I don't know why sysdb_get_real_name() is looking for the entry in the mch.dev domain
and not the subdomain.
Can you remove the full_name_format option from the [sssd] section instead? If you need to
use short names, set use_fully_qualified_names=false. Since recent versions you can set
this option for subdomains as well, but I would suggest first testing with a very vanilla
configuration.
By the way, was there a reason to unset tokengroups?
--> In the production environment (SSSD 1.15.2, release 50.el7_4.11), when this option is not set
(True by default for AD), no group name is returned. See:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>
> sssd.conf :
>
> [sssd]
> domains = mch.dev
> config_file_version = 2
> services = nss, pam
> default_domain_suffix = mch.dev
> full_name_format = %1$s
>
> [nss]
> filter_users = root
> reconnection_retries = 3
> entry_cache_nowait_percentage = 75
>
> [pam]
> pam_pwd_expiration_warning = 21
> pam_account_expired_message = Account/password expired, please use selfservice portal to change your password and logon again.
>
> [domain/MCH.DEV]
> debug_level = 9
> id_provider = ad
> access_provider = ad
> auth_provider = ad
> ad_domain = mch.dev
> krb5_realm = MCH.DEV
> krb5_store_password_if_offline = True
> cache_credentials = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = True
> override_gid = 513
> fallback_homedir = /home/%u@%d
> default_shell = /bin/bash
> dyndns_update = false
> ldap_idmap_range_min = 100000
> ldap_use_tokengroups = False
>
> krb5.conf :
> includedir /etc/krb5.conf.d/
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_ccache_name = KEYRING:persistent:%{uid}
> default_realm = MCH.DEV
>
> [realms]
> MCH.DEV = {
> }
>
> [domain_realm]
> mch.dev = MCH.DEV
> .mch.dev = MCH.DEV
>
> Logs available here: https://pastebin.com/Ntt62Cxt
>
> Thanks in advance
>
> @Jakub Hrozek jhrozek@redhat.com
> With the configuration above, I have the inverse of your problem: I can't view and use
> groups for the subdomain user, but I can log in with SSH like this: 'ssh -l
> 'sub\user2' 172.31.8.88'
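The symptom in this thread is that `id` returns only the primary group for the subdomain user while `getent group` still lists that user as a member, which matters when groups such as allowed_ssh gate access. The script below is an added example, not code from the thread or from SSSD: it parses both outputs (the sample input is copied from the outputs quoted above) and reports the groups a user should have according to `getent` but does not get from `id`; `check_live` is a hypothetical helper that runs the same comparison against the local NSS.

```python
"""Cross-check SSSD initgroups (`id`) against group lookups (`getent group`)."""
import re
import subprocess

# Constructed sample input, copied from the outputs quoted in the thread.
ID_USER1 = ("uid=83701115(user1) gid=513(sssdgrp) "
            "groups=513(sssdgrp),83701107(allowed_ssh),83701117(g_test)")
ID_USER2 = "uid=69901104(user2) gid=69901104(user2) groups=69901104(user2)"
GETENT_G_TEST = "g_test:*:83701117:user2,user1,mch"

_GID_NAME = re.compile(r"(\d+)\(([^)]*)\)")  # matches "513(sssdgrp)"


def parse_id(output):
    """Return {gid: name} for every group listed after 'groups=' in `id` output."""
    match = re.search(r"groups=(\S*)", output)
    return {int(g): n for g, n in _GID_NAME.findall(match.group(1))} if match else {}


def parse_getent_group(line):
    """Split one `getent group` line into (name, gid, [members])."""
    name, _passwd, gid, members = line.strip().split(":", 3)
    return name, int(gid), [m for m in members.split(",") if m]


def missing_groups(user, id_output, getent_lines):
    """Groups whose member list names `user` but whose gid `id` did not return."""
    seen = parse_id(id_output)
    missing = []
    for line in getent_lines:
        name, gid, members = parse_getent_group(line)
        if user in members and gid not in seen:
            missing.append((name, gid))
    return missing


def _run(*argv):
    # Hypothetical helper: stdout of a local command, empty if the lookup fails.
    return subprocess.run(argv, capture_output=True, text=True).stdout


def check_live(user, group_names):
    """Run the comparison against the local SSSD-backed NSS for e.g. 'sub\\user2'."""
    lines = [ln for ln in (_run("getent", "group", g) for g in group_names) if ln.strip()]
    short = user.split("\\")[-1].split("@")[0]  # member lists use short names here
    return missing_groups(short, _run("id", user), lines)


if __name__ == "__main__":
    print(missing_groups("user2", ID_USER2, [GETENT_G_TEST]))  # [('g_test', 83701117)]
```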