On (06/05/15 01:12), James Ralston wrote:
Hi,
I think this problem may be part (or related to) the "FreeIPA/SSSD
LDAP cross-forest trust slow queries" issue, but I'm not sure.
We've been testing sssd on our RHEL6 and RHEL7 hosts, using the latest
available packages. We have a fairly simple sssd configuration. We
use the "ad" provider with LDAP id mapping:
[sssd]
config_file_version = 2
debug_level = 0x0070
domains =
example.org
services = nss, pam
[nss]
debug_level = 0x0070
default_shell = /bin/bash
fallback_homedir = /home/%u
[pam]
debug_level = 0x0070
[
domain/example.org]
access_provider = ad
auth_provider = ad
cache_credentials = true
chpass_provider = ad
debug_level = 0x0010
dyndns_update = false
enumerate = true
I Hope it was just for testing purposes. We do not
recommend to enable
enumeration.
id_provider = ad
krb5_realm =
EXAMPLE.ORG
ldap_id_mapping = true
You can remove this line, id-mapping is enabled by
default for id_provider ad
ldap_sasl_mech = GSSAPI
ldap_schema = AD
Previous 2 lines are efault for id_provider ad as well
offline_failed_login_attempts = 3
This line shoudl be
in [pam] section,
it will have effect only if "cache_credentials" is enabled in domain
section.
I would be curious where did you inspire in sssd.conf.
So we can improve it.
Although we have about 1200 groups in Active Directory, only about
900
of them show up in the output of "getent -s sss group". For the
remaining ones, attempting a lookup (e.g., with getent) returns no
entry, and we see these lines in the sssd_example.org.log file:
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_get_groups_next_base] (0x0400): Searching for groups with base
[DC=example,DC=org]
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(name=my-group)(objectClass=group)(name=*))][DC=example,DC=org].
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]] [sdap_parse_entry]
(0x1000): OriginalDN: [CN=my-group,OU=Distribution Groups,OU=Microsoft
Exchange,DC=example,DC=org].
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_nested_group_hash_group] (0x4000): AD group has type flags 0x8.
^^^^^^^^^
here
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_nested_group_hash_group] (0x0400): Filtering AD group.
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_nested_group_hash_group] (0x4000): The group's gid was zero
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_nested_group_hash_group] (0x2000): Marking group as non-posix
and setting GID=0!
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_nested_group_hash_entry] (0x4000): Inserting
[CN=my-group,OU=Distribution Groups,OU=Microsoft
Exchange,DC=example,DC=org] into hash table [groups]
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_nested_group_process_send] (0x2000): About to process group
[CN=my-group,OU=Distribution Groups,OU=Microsoft
Exchange,DC=example,DC=org]
[user lookups omitted]
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_get_primary_name] (0x0400): Processing object my-group
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]] [sdap_save_group]
(0x0400): Processing group my-group
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]] [sdap_save_group]
(0x4000): AD group [my-group] has type flags 0x8.
^^^^^^^^^
and here is a type of group [1]
Distributions grups are filtered by defaul.
Technet[1] says:
"Distribution groups are not security-enabled, which means that they cannot
be listed in discretionary access control lists (DACLs). If you need
a group for controlling access to shared resources, create a
security group."
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]] [sdap_save_group]
(0x0400): Filtering AD group [my-group].
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_attrs_add_ldap_attr] (0x2000): Adding original DN
[CN=my-group,OU=Distribution Groups,OU=Microsoft
Exchange,DC=example,DC=org] to attributes of [my-group].
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp
[20150429215241.0Z] to attributes of [my-group].
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_process_ghost_members] (0x0400): The group has 5 members
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_process_ghost_members] (0x0400): Group has 5 members
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will
add lowercased aliases
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]] [sdap_save_group]
(0x0400): Storing info for group my-group
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or
value exists]
^^^^^^^^^^^^^^^^^
here is a problem
It is very likely upstream bug[2] with binary objectGUID
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]] [sysdb_store_group]
(0x1000): sysdb_set_group_attr failed.
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]] [sysdb_store_group]
(0x0400): Error: 17 (File exists)
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
[sdap_store_group_with_gid] (0x0040): Could not store group my-group
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]] [sdap_save_group]
(0x0080): Could not store group with GID: [File exists]
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]] [sdap_save_group]
(0x0080): Failed to save group [my-group]: [File exists]
(Wed May 6 00:03:06 2015) [sssd[be[example.org]]] [sdap_save_groups]
(0x0040): Failed to store group 0. Ignoring.
I can't find any pattern for what groups are correctly mapped versus
the groups that aren't. But it's consistent across different sssd
client hosts. Stopping sssd and removing its cache has no effect.
Nor does disabling enumeration.
For testing purposes you can try to use pre-release[3] of upstream 1.12.5
it shoudl be released within few days and it contains fix for bug[2]
and also other fixes.
Since we just recently started testing sssd, we don't know for
certain
whether group lookups worked properly in the past. All we know is
that it doesn't seem to work now.
LS
[1]
https://technet.microsoft.com/en-us/library/cc781446%28v=ws.10%29.aspx
[2]
https://fedorahosted.org/sssd/ticket/2588
[3]
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/