On Thu, Nov 17, 2016 at 02:20:04AM -0000, gstaniak(a)gmail.com wrote:
Hi,
I've been trying to set up a Fedora 24 Linux notebook to integrate with company AD
using realmd+sssd. The sssd.conf is pretty simple:
[pam]
offline_credentials_expiration = 31
debug_level = 6
[sssd]
domains = the.domain
config_file_version = 2
services = nss, pam
debug_level = 6
[domain/the.domain]
ad_domain = the.domain
krb5_realm = THE.DOMAIN
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ldap_schema = rfc2307bis
#ldap_group_member = uniqueMember
debug_level = 6
enumerate = true
I joined the realm/AD without any problems, but when I log in as an AD user, running
'id' and 'groups' lists just one (main) group for my user. However, when I
run the command 'id <username>' and 'groups <username>' from
the root account OR a local user account, all groups that the <username> belongs to
are listed. I suspected local group membership, so I added the AD user to the same groups
as the local user, but that didn't improve the situation.
After I tried to add the "ldap_group_option" (commented out above), purged the
cache and restarted sssd, I lost the group listings even from the root and local account:
they all now list just the highest level "domain users" group for the user in
'id' and 'groups' output, and instead of a long list of names as the
result of 'getent group domain\ users' all I get now is:
# getent group domain\ users
domain users:*:1763200513:$d3f33f9-6c0c33b5b410283,$bfb716e9-67211aebe1652897,$f45c71f7-5ed7e3c5d1020d99
What could be the reason for this? How can I debug the issue?
I recommend against enumerate=true. It would surely kill performance with
a large forest and there's really no reason to enable that on a laptop.
But I suspect the root cause is the schema. Can you uncomment
"ldap_schema=rfc2307" (which overrides the earlier "ldap_schema=ad",
which is btw the default for AD provider, so you can just remove both)
and try again?
If you still can't see the supplementary groups, check out the sssd
debug logs:
https://fedorahosted.org/sssd/wiki/Troubleshooting
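To make the override the reply describes visible, here is an added example (not from this thread and not SSSD's own code): a small Python check that parses an sssd.conf, lists every key set more than once in a section, and reports the last value as the one that takes effect. The embedded config is a constructed trimming of the one quoted above.

```python
import re

# Constructed sample: the [domain] section from the thread, trimmed; not a real file.
SAMPLE_CONF = """[domain/the.domain]
id_provider = ad
access_provider = ad
auth_provider = ad
access_provider = ad
ldap_schema = ad
ldap_schema = rfc2307bis
#ldap_group_member = uniqueMember
enumerate = true
"""

def parse_sssd_conf(text: str) -> dict[str, list[tuple[str, str]]]:
    """Return {section: [(key, value), ...]}, keeping every occurrence in order."""
    sections: dict[str, list[tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # skip blanks and comments
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current].append((key, value))
    return sections

def effective_value(sections, section, key, default=None):
    """Last occurrence wins, as the reply describes for ldap_schema."""
    values = [v for k, v in sections.get(section, []) if k == key]
    return values[-1] if values else default

def find_duplicate_keys(sections):
    """Keys set more than once in one section, with all their values in order."""
    dups = {}
    for section, pairs in sections.items():
        for key in {k for k, _ in pairs}:
            values = [v for k, v in pairs if k == key]
            if len(values) > 1:
                dups[(section, key)] = values
    return dups

if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_CONF)
    for (section, key), values in sorted(find_duplicate_keys(conf).items()):
        print(f"[{section}] {key} set {len(values)} times {values}; last wins: {values[-1]}")
```

Run it against the real file with `parse_sssd_conf(open("/etc/sssd/sssd.conf").read())` to see which of two conflicting settings SSSD would actually pick up before clearing the cache again.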