Hi,
I'm having trouble getting a cluster of Fedora 16 installs (sssd-client-1.8.4-13.fc16.x86_64) to see secondary groups from my Open Directory server (rfc2307). I have a RHEL6 box (sssd-client-1.8.0-32.el6.x86_64) with an identical sssd.conf that does work. Is this a known issue or is there something wonky with my Fedora setup?
[fedora]# id ldapuser
uid=9000(ldapuser) gid=5079(ps) groups=5079(ps)

[rhel63]# id ldapuser
uid=9000(ldapuser) gid=5079(ps) groups=5079(ps),1000(cmcd),2004(sch-guest),1031(bc),1027(web)

[fedora]# ldapsearch -LLL -x -b cn=groups,dc=ldap,dc=in,dc=hwlab cn=sch-guest | grep ldapuser
memberUid: ldapuser
my domain config in sssd.conf:
[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=ldap,dc=in,dc=hwlab
krb5_realm = LDAP.IN.HWLAB
krb5_server = ldap.in.hwlab,quasimoto.in.hwlab
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://ldap.in.hwlab/,ldap://quasimoto.in.hwlab/
krb5_kpasswd = ldap.in.hwlab
ldap_tls_cacertdir = /etc/openldap/cacerts
Thanks for any insight, Ian
On Mon, 2012-08-13 at 12:47 -0400, Ian Levesque wrote:
> Hi,
> I'm having trouble getting a cluster of Fedora 16 installs (sssd-client-1.8.4-13.fc16.x86_64) to see secondary groups from my Open Directory server (rfc2307). I have a RHEL6 box (sssd-client-1.8.0-32.el6.x86_64) with an identical sssd.conf that does work. Is this a known issue or is there something wonky with my Fedora setup?
Take a look at https://bugzilla.redhat.com/show_bug.cgi?id=835612
The glibc folks added a non-backwards-compatible change in a stable update...
You want to add

    initgroups: files [SUCCESS=continue] sss

to /etc/nsswitch.conf and all should work again.
On Aug 13, 2012, at 12:55 PM, Stephen Gallagher wrote:
> On Mon, 2012-08-13 at 12:47 -0400, Ian Levesque wrote:
>> Hi,
>> I'm having trouble getting a cluster of Fedora 16 installs (sssd-client-1.8.4-13.fc16.x86_64) to see secondary groups from my Open Directory server (rfc2307). I have a RHEL6 box (sssd-client-1.8.0-32.el6.x86_64) with an identical sssd.conf that does work. Is this a known issue or is there something wonky with my Fedora setup?
>
> Take a look at https://bugzilla.redhat.com/show_bug.cgi?id=835612
> The glibc folks added a non-backwards-compatible change in a stable update...
> You want to add
>
>     initgroups: files [SUCCESS=continue] sss
>
> to /etc/nsswitch.conf and all should work again.
Yikes... thanks for the heads-up, Stephen. It appears that commenting out the initgroups declaration from nsswitch does the trick, as well. Do you know of any reason to include it at all? I can't find documentation for "initgroups" anywhere.
Cheers, Ian
On Mon, Aug 13, 2012 at 01:13:17PM -0400, Ian Levesque wrote:
> On Aug 13, 2012, at 12:55 PM, Stephen Gallagher wrote:
>> On Mon, 2012-08-13 at 12:47 -0400, Ian Levesque wrote:
>>> Hi,
>>> I'm having trouble getting a cluster of Fedora 16 installs (sssd-client-1.8.4-13.fc16.x86_64) to see secondary groups from my Open Directory server (rfc2307). I have a RHEL6 box (sssd-client-1.8.0-32.el6.x86_64) with an identical sssd.conf that does work. Is this a known issue or is there something wonky with my Fedora setup?
>>
>> Take a look at https://bugzilla.redhat.com/show_bug.cgi?id=835612
>> The glibc folks added a non-backwards-compatible change in a stable update...
>> You want to add
>>
>>     initgroups: files [SUCCESS=continue] sss
>>
>> to /etc/nsswitch.conf and all should work again.
>
> Yikes... thanks for the heads-up, Stephen. It appears that commenting out the initgroups declaration from nsswitch does the trick, as well. Do you know of any reason to include it at all? I can't find documentation for "initgroups" anywhere.
>
> Cheers, Ian
It's an interface towards initgroups(3) or getgrouplist(3).
I'm not sure if the glibc folks did ever give a meaningful explanation on the change. I can't even think of a good reason why initgroups should differ from groups.
Either adding sss to the initgroups list or commenting out the initgroups line completely is fine. Authconfig comments the line out, for what it's worth.
On Mon, 2012-08-13 at 20:01 +0200, Jakub Hrozek wrote:
> It's an interface towards initgroups(3) or getgrouplist(3).
> I'm not sure if the glibc folks did ever give a meaningful explanation on the change. I can't even think of a good reason why initgroups should differ from groups.
Their answer is that they want initgroups() lookups to stop by default on the first matching provider so as not to waste time looking elsewhere. Of course, this is completely broken if you want to mix local and remote groups for a user. For this situation, they tell you to use the line I copied above. Commenting out the option does something similar under the hood.
> Either adding sss to the initgroups list or commenting out the initgroups line completely is fine. Authconfig comments the line out, for what it's worth.
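To make the three nsswitch.conf variants discussed in this thread concrete, here is an added model (example code, not part of sssd or glibc) of the action semantics Stephen describes: the default action on SUCCESS is "return", so `initgroups: files sss` stops at the first source that has a hit, while `[SUCCESS=continue]` keeps going and merges. The "files" and "sss" group tables are constructed to mirror the `id ldapuser` output above, and treating a commented-out initgroups line as "consult every group source and merge" is an assumption taken from the thread's claim that it does something similar, not a citation of glibc.

```python
import re

# Constructed sample data: local /etc/group (files) and LDAP groups via sssd (sss),
# chosen to reproduce the 'id ldapuser' output quoted in the thread.
FILES_GROUPS = {"ps": (5079, ["ldapuser"])}
SSS_GROUPS = {
    "cmcd": (1000, ["ldapuser"]),
    "sch-guest": (2004, ["ldapuser"]),
    "bc": (1031, ["ldapuser"]),
    "web": (1027, ["ldapuser"]),
}
SOURCES = {"files": FILES_GROUPS, "sss": SSS_GROUPS}

# Matches either an action block like [SUCCESS=continue] or a bare source name.
TOKEN_RE = re.compile(r"\[([^\]]+)\]|(\S+)")

def parse_nsswitch_line(line):
    """Parse 'initgroups: files [SUCCESS=continue] sss' into a list of
    (source, {STATUS: action}) pairs. Default: SUCCESS=return, NOTFOUND=continue."""
    _, _, spec = line.partition(":")
    entries = []
    for action_spec, source in TOKEN_RE.findall(spec):
        if source:
            entries.append((source, {"SUCCESS": "return", "NOTFOUND": "continue"}))
        elif entries:  # an action block applies to the source just before it
            for item in action_spec.split():
                status, _, action = item.partition("=")
                entries[-1][1][status.upper()] = action.lower()
    return entries

def lookup_supplementary(user, entries):
    """Walk the sources in order, stopping when the status action says 'return'."""
    gids = []
    for source, actions in entries:
        found = [gid for gid, members in SOURCES[source].values() if user in members]
        status = "SUCCESS" if found else "NOTFOUND"
        gids.extend(g for g in found if g not in gids)
        if actions.get(status, "continue") == "return":
            break
    return gids

def supplementary_groups(nsswitch_text, user):
    """Resolve supplementary GIDs from an nsswitch.conf snippet. With no active
    'initgroups' line, fall back to the 'group' sources and merge across all of
    them (assumption modelled on the thread, see lead-in)."""
    lines = {}
    for raw in nsswitch_text.splitlines():
        raw = raw.split("#", 1)[0].strip()  # drop comments, so '#initgroups' vanishes
        if ":" in raw:
            lines[raw.partition(":")[0].strip()] = raw
    if "initgroups" in lines:
        return lookup_supplementary(user, parse_nsswitch_line(lines["initgroups"]))
    merged = [(src, {"SUCCESS": "continue", "NOTFOUND": "continue"})
              for src, _ in parse_nsswitch_line(lines["group"])]
    return lookup_supplementary(user, merged)
```

Running `supplementary_groups("group: files sss\ninitgroups: files sss", "ldapuser")` reproduces the truncated Fedora result (only gid 5079), while the `[SUCCESS=continue]` and commented-out variants both return the full RHEL list.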
sssd-users@lists.fedorahosted.org