On Thu, 2015-01-08 at 21:19 -0500, Dmitri Pal wrote:
On 01/08/2015 08:33 PM, Brendan Kearney wrote:
> i am so close yet so far...
>
> i have an older env with ldap, kerberos, sasl and sssd using rfc2307.
Are you talking about server or client?
Is your server IPA or something else?
If your server is IPA then if you want to use 2307bis you point clients
to the main user tree.
If you want clients that do not understand 2307bis (for example solaris)
you need to enable compat plugin and point clients to cn=compat.
If SSSD is configured to use 2307bis but server is 2307 or vice verse
SSSD will have problems fetching groups.
> i built a new env with ldap, kerberos, sasl and sssd using rfc2307bis.
> i am finding that when i ssh into one of the new boxes and run "id", i
> am only getting back:
>
> uid=1000(brendan) gid=1000(brendan) groups=1000(brendan)
>
> the info is all the rfc2307/posix info, and not any of the rfc2307bis
> info. i am a member of several other groups that are groupOfNames
> objects, but the "id" command is not returning them.
>
> is there a client side config that i am missing, in order to get the
> group memberships of groupOfNames groups? i imagine i could add the
> posixAccount object class to those groupOfNames groups, but wanted to
> make sure that was the only/right way to do things before i did it.
man sssd-ldap
>
> i am not clueless, just have one clue less...
>
> brendan
>
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
my new environment is 2 servers and a client. the servers are fedora
20, with ldap, kerberos, sasl and sssd, but not IPA. the client is
fedora 20 with sssd. in both/all cases, they are rfc2307bis.
i have read the sssd man pages, but i am not sure what i am missing.
the client sssd.conf:
[sssd]
domains =
bpk2.com
services = nss, pam, sudo
config_file_version = 2
#debug_level = 4
[nss]
filter_groups = root
filter_users = root
[pam]
[sudo]
[
domain/bpk2.com]
#debug_level = 4
id_provider = ldap
ldap_schema = rfc2307bis
ldap_uri =
_srv_,ldap://ldap1.bpk2.com,ldap://ldap2.bpk2.com
ldap_search_base = dc=bpk2,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid =
host/nas.bpk2.com
ldap_sasl_realm =
BPK2.COM
auth_provider = krb5
krb5_server =
_srv_,kerberos.bpk2.com
krb5_realm =
BPK2.COM
krb5_renewable_lifetime = 7d
krb5_lifetime = 24h
krb5_renew_interval = 1h
krb5_store_password_if_offline = true
cache_credentials = true
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDO Groups,ou=Roles,dc=bpk2,dc=com
#ldap_sudo_full_refresh_interval=86400
#ldap_sudo_smart_refresh_interval=3600
#min_id = 1000
#max_id = 2000
enumerate = false