Running IPA with an AD trust. Users are in AD. Trying to use full_name_format = %1$s to strip the domain from user names. This appears to break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com id: orion@ad.nwra.com: no such user # id orion id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched
If I reset the server back to normal (drop full_name_format and default_domain_suffix):
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is t trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"
On Mon, Mar 30, 2015 at 03:47:01PM -0600, Orion Poplawski wrote:
Running IPA with an AD trust. Users are in AD. Trying to use full_name_format = %1$s to strip the domain from user names. This appears to break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com id: orion@ad.nwra.com: no such user # id orion id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched
If I reset the server back to normal (drop full_name_format and default_domain_suffix):
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is t trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"
I just tried a similar setup and it worked OK for me. I only changed the settings on the client. There's two gotchas, maybe they'll help: 1) if you change the full_name_format, you need to purge the cache. We realize it's suboptimal and won't be required for 1.13, hopefully. 2) Depending in your version, you might need to set use_fully_qualified_names=True in the domain section so that the IPA users work.
Out of curiosity, why do you want to disable the fully qualified names?
On 03/31/2015 08:16 AM, Jakub Hrozek wrote:
On Mon, Mar 30, 2015 at 03:47:01PM -0600, Orion Poplawski wrote:
Running IPA with an AD trust. Users are in AD. Trying to use full_name_format = %1$s to strip the domain from user names. This appears to break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com id: orion@ad.nwra.com: no such user # id orion id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched
If I reset the server back to normal (drop full_name_format and default_domain_suffix):
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is t trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"
I just tried a similar setup and it worked OK for me. I only changed the settings on the client. There's two gotchas, maybe they'll help: 1) if you change the full_name_format, you need to purge the cache. We realize it's suboptimal and won't be required for 1.13, hopefully.
Yeah, I've gotten into the habit of doing:
systemctl stop sssd;rm -rf /var/lib/sss/db/* /var/log/sssd/*;systemctl start sssd
for each change. I'm still not having any luck though.
Server sssd.conf:
[domain/nwra.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nwra.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = europa.nwra.com chpass_provider = ipa ipa_server = europa.nwra.com ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt subdomains_provider = ipa subdomain_homedir = /home/%u #full_name_format = %1$s ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com debug_level = 10
[sssd] services = nss, pam, ssh, pac, autofs config_file_version = 2 domains = nwra.com #default_domain_suffix = ad.nwra.com debug_level = 10
[nss] default_shell = /bin/bash
ipa-server-4.1.0-18.sl7_1.3.x86_64 sssd-1.12.2-58.el7.x86_64
Client sssd.conf:
[domain/nwra.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nwra.com id_provider = ipa auth_provider = ipa access_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = ipaclient.cora.nwra.com chpass_provider = ipa ipa_server = _srv_, europa.nwra.com dns_discovery_domain = nwra.com subdomain_homedir = /home/%u debug_level = 0xfff0 full_name_format = %1$s ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com use_fully_qualified_names = True
[sssd] services = nss, pam, autofs, pac config_file_version = 2 domains = nwra.com default_domain_suffix = ad.nwra.com
[nss] homedir_substring = /home default_shell = /bin/bash
sssd-1.12.4-1.fc21.x86_64
2) Depending in your version, you might need to set use_fully_qualified_names=True in the domain section so that the IPA users work.
Thanks for the heads up. Although setting in on the client make "id orion" fail, even with the default_domain_suffix set.
Out of curiosity, why do you want to disable the fully qualified names?
Simplicity. We're going to have all of the users in AD anyway, so it's just annoyingly long to have @ad.nwra.com added to everything.
I'm also trying to see if I can get away with something that allows NFSv4 to treat our existing LDAP users and the new AD users (with the same names) as identical, but that may be folly.
On Tue, Mar 31, 2015 at 11:20:50AM -0600, Orion Poplawski wrote:
On 03/31/2015 08:16 AM, Jakub Hrozek wrote:
On Mon, Mar 30, 2015 at 03:47:01PM -0600, Orion Poplawski wrote:
Running IPA with an AD trust. Users are in AD. Trying to use full_name_format = %1$s to strip the domain from user names. This appears to break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com id: orion@ad.nwra.com: no such user # id orion id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched
If I reset the server back to normal (drop full_name_format and default_domain_suffix):
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is t trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"
I just tried a similar setup and it worked OK for me. I only changed the settings on the client. There's two gotchas, maybe they'll help: 1) if you change the full_name_format, you need to purge the cache. We realize it's suboptimal and won't be required for 1.13, hopefully.
Yeah, I've gotten into the habit of doing:
systemctl stop sssd;rm -rf /var/lib/sss/db/* /var/log/sssd/*;systemctl start sssd
for each change. I'm still not having any luck though.
I see you disabled the full name format on the server. I think that's the right thing to do because IIRC some IPA code relies on the FQDN being default on the server. Did you clean the cache even on the server?
Server sssd.conf:
[domain/nwra.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nwra.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = europa.nwra.com chpass_provider = ipa ipa_server = europa.nwra.com ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt subdomains_provider = ipa subdomain_homedir = /home/%u #full_name_format = %1$s ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com
Not too important, but as long as boulder is an IPA automounter "location", I think you could just set: ipa_automount_location = boulder instead of the full search base.
debug_level = 10
[sssd] services = nss, pam, ssh, pac, autofs config_file_version = 2 domains = nwra.com #default_domain_suffix = ad.nwra.com debug_level = 10
[nss] default_shell = /bin/bash
ipa-server-4.1.0-18.sl7_1.3.x86_64 sssd-1.12.2-58.el7.x86_64
Client sssd.conf:
[domain/nwra.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nwra.com id_provider = ipa auth_provider = ipa access_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = ipaclient.cora.nwra.com chpass_provider = ipa ipa_server = _srv_, europa.nwra.com dns_discovery_domain = nwra.com subdomain_homedir = /home/%u debug_level = 0xfff0 full_name_format = %1$s ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com use_fully_qualified_names = True
[sssd] services = nss, pam, autofs, pac config_file_version = 2 domains = nwra.com default_domain_suffix = ad.nwra.com
[nss] homedir_substring = /home default_shell = /bin/bash
sssd-1.12.4-1.fc21.x86_64
2) Depending in your version, you might need to set use_fully_qualified_names=True in the domain section so that the IPA users work.
Thanks for the heads up. Although setting in on the client make "id orion" fail, even with the default_domain_suffix set.
Is 'orion' an IPA user or an AD user? If it's an IPA user, then you need to call: id orion@nwra.com (Remember, fully qualified names) If it's an AD user, then unfortunately we need to see the client and server logs..
btw there is a relatively new page https://fedorahosted.org/sssd/wiki/Troubleshooting that contains some tips on SSSD debugging.
Out of curiosity, why do you want to disable the fully qualified names?
Simplicity. We're going to have all of the users in AD anyway, so it's just annoyingly long to have @ad.nwra.com added to everything.
OK, this is exactly the reason we added default_domain_suffix. Please note https://fedorahosted.org/sssd/ticket/2609. There is a patch on the -devel list that was acked just today.
I'm also trying to see if I can get away with something that allows NFSv4 to treat our existing LDAP users and the new AD users (with the same names) as identical, but that may be folly.
I would guess you'd need the IDs to be identical and then it should just work, right?
On 03/31/2015 12:09 PM, Jakub Hrozek wrote:
On Tue, Mar 31, 2015 at 11:20:50AM -0600, Orion Poplawski wrote:
On 03/31/2015 08:16 AM, Jakub Hrozek wrote:
On Mon, Mar 30, 2015 at 03:47:01PM -0600, Orion Poplawski wrote:
Running IPA with an AD trust. Users are in AD. Trying to use full_name_format = %1$s to strip the domain from user names. This appears to break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com id: orion@ad.nwra.com: no such user # id orion id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched
If I reset the server back to normal (drop full_name_format and default_domain_suffix):
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is t trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"
I just tried a similar setup and it worked OK for me. I only changed the settings on the client. There's two gotchas, maybe they'll help: 1) if you change the full_name_format, you need to purge the cache. We realize it's suboptimal and won't be required for 1.13, hopefully.
Yeah, I've gotten into the habit of doing:
systemctl stop sssd;rm -rf /var/lib/sss/db/* /var/log/sssd/*;systemctl start sssd
for each change. I'm still not having any luck though.
I see you disabled the full name format on the server. I think that's the right thing to do because IIRC some IPA code relies on the FQDN being default on the server. Did you clean the cache even on the server?
Server sssd.conf:
[domain/nwra.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nwra.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = europa.nwra.com chpass_provider = ipa ipa_server = europa.nwra.com ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt subdomains_provider = ipa subdomain_homedir = /home/%u #full_name_format = %1$s ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com
Not too important, but as long as boulder is an IPA automounter "location", I think you could just set: ipa_automount_location = boulder instead of the full search base.
debug_level = 10
[sssd] services = nss, pam, ssh, pac, autofs config_file_version = 2 domains = nwra.com #default_domain_suffix = ad.nwra.com debug_level = 10
[nss] default_shell = /bin/bash
ipa-server-4.1.0-18.sl7_1.3.x86_64 sssd-1.12.2-58.el7.x86_64
Client sssd.conf:
[domain/nwra.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nwra.com id_provider = ipa auth_provider = ipa access_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = ipaclient.cora.nwra.com chpass_provider = ipa ipa_server = _srv_, europa.nwra.com dns_discovery_domain = nwra.com subdomain_homedir = /home/%u debug_level = 0xfff0 full_name_format = %1$s ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com use_fully_qualified_names = True
[sssd] services = nss, pam, autofs, pac config_file_version = 2 domains = nwra.com default_domain_suffix = ad.nwra.com
[nss] homedir_substring = /home default_shell = /bin/bash
sssd-1.12.4-1.fc21.x86_64
2) Depending in your version, you might need to set use_fully_qualified_names=True in the domain section so that the IPA users work.
Thanks for the heads up. Although setting in on the client make "id orion" fail, even with the default_domain_suffix set.
If it's an AD user, then unfortunately we need to see the client and server logs..
This seems like the most relevant from the client:
(Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [ldb] (0x4000): Entry not found (name=domain admins,cn=groups,cn=nwra.com,cn=sysdb) (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
and it appears to be looking in cn=nwra.com rather than cn=ad.nwra.com?
The server seems to be processing the groups in the AD domain:
Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_get_primary_name] (0x0400): Processing object Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_group] (0x0400): Processing group Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_group] (0x4000): AD group [Domain Admins@ad.nwra.com] has type flags 0x80000002. (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_group] (0x1000): Mapping group [Domain Admins@ad.nwra.com] objectSID [S-1-5-21-89655523-1570529619-2103694531-512] to unix ID (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [CN=Domain Admins,CN=Users,DC=ad,DC=nwra,DC=com] to attributes of [Domain Admins@ad.nwra.com]. (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20140314191543.0Z] to attributes of [Domain Admins@ad.nwra.com]. (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_process_ghost_members] (0x0400): The group has 5 members (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_process_ghost_members] (0x0400): Group has 5 members
(Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_group] (0x0400): Storing info for group Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_groups] (0x4000): Group 0 processed! (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_get_primary_name] (0x0400): Processing object Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_grpmem] (0x0400): Processing group Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Admins@ad.nwra.com] (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_fill_memberships] (0x1000): member #3 (CN=Domain Admins,CN=Users,DC=ad,DC=nwra,DC=com): [name=Domain Admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb]
I guess this is when the server sees the group request, but it seems to be searching for a user not a group:
(Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=domain admins] (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [be_req_set_domain] (0x0400): Changing request domain from [nwra.com] to [ad.nwra.com] (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=domain admins))]. (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_print_server] (0x2000): Searching X.X.X.X (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=domain admins))][cn=Default Trust View,cn=views,cn=accounts,dc=nwra,dc=com]. (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 31 (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fe6dc7066b0], connected[1], ops[0x7fe6dc741810], ldap[0x7fe6dc700170] (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=domain admins))]. (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=ad,dc=nwra,dc=com]
(Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=domain\20admins)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=ad,dc=nwra,dc=com].
here's the group search:
(Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=domain\20admins)) (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sysdb_search_groups] (0x2000): No such entry
Is that improper quoting of the space character? \20? Not changing request domain to ad.nwra.com?
On 04/02/2015 04:49 PM, Orion Poplawski wrote:
On 03/31/2015 12:09 PM, Jakub Hrozek wrote:
On Tue, Mar 31, 2015 at 11:20:50AM -0600, Orion Poplawski wrote:
On 03/31/2015 08:16 AM, Jakub Hrozek wrote:
On Mon, Mar 30, 2015 at 03:47:01PM -0600, Orion Poplawski wrote:
Running IPA with an AD trust. Users are in AD. Trying to use full_name_format = %1$s to strip the domain from user names. This appears to break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com id: orion@ad.nwra.com: no such user # id orion id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched
If I reset the server back to normal (drop full_name_format and default_domain_suffix):
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is t trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"
I just tried a similar setup and it worked OK for me. I only changed the settings on the client. There's two gotchas, maybe they'll help: 1) if you change the full_name_format, you need to purge the cache. We realize it's suboptimal and won't be required for 1.13, hopefully.
Yeah, I've gotten into the habit of doing:
systemctl stop sssd;rm -rf /var/lib/sss/db/* /var/log/sssd/*;systemctl start sssd
for each change. I'm still not having any luck though.
I see you disabled the full name format on the server. I think that's the right thing to do because IIRC some IPA code relies on the FQDN being default on the server. Did you clean the cache even on the server?
Server sssd.conf:
[domain/nwra.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nwra.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = europa.nwra.com chpass_provider = ipa ipa_server = europa.nwra.com ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt subdomains_provider = ipa subdomain_homedir = /home/%u #full_name_format = %1$s ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com
Not too important, but as long as boulder is an IPA automounter "location", I think you could just set: ipa_automount_location = boulder instead of the full search base.
debug_level = 10
[sssd] services = nss, pam, ssh, pac, autofs config_file_version = 2 domains = nwra.com #default_domain_suffix = ad.nwra.com debug_level = 10
[nss] default_shell = /bin/bash
ipa-server-4.1.0-18.sl7_1.3.x86_64 sssd-1.12.2-58.el7.x86_64
Client sssd.conf:
[domain/nwra.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nwra.com id_provider = ipa auth_provider = ipa access_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = ipaclient.cora.nwra.com chpass_provider = ipa ipa_server = _srv_, europa.nwra.com dns_discovery_domain = nwra.com subdomain_homedir = /home/%u debug_level = 0xfff0 full_name_format = %1$s ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com use_fully_qualified_names = True
[sssd] services = nss, pam, autofs, pac config_file_version = 2 domains = nwra.com default_domain_suffix = ad.nwra.com
[nss] homedir_substring = /home default_shell = /bin/bash
sssd-1.12.4-1.fc21.x86_64
2) Depending in your version, you might need to set use_fully_qualified_names=True in the domain section so that the IPA users work.
Thanks for the heads up. Although setting in on the client make "id orion" fail, even with the default_domain_suffix set.
If it's an AD user, then unfortunately we need to see the client and server logs..
This seems like the most relevant from the client:
(Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [ldb] (0x4000): Entry not found (name=domain admins,cn=groups,cn=nwra.com,cn=sysdb) (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
and it appears to be looking in cn=nwra.com rather than cn=ad.nwra.com?
The server seems to be processing the groups in the AD domain:
Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_get_primary_name] (0x0400): Processing object Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_group] (0x0400): Processing group Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_group] (0x4000): AD group [Domain Admins@ad.nwra.com] has type flags 0x80000002. (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_group] (0x1000): Mapping group [Domain Admins@ad.nwra.com] objectSID [S-1-5-21-89655523-1570529619-2103694531-512] to unix ID (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [CN=Domain Admins,CN=Users,DC=ad,DC=nwra,DC=com] to attributes of [Domain Admins@ad.nwra.com]. (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20140314191543.0Z] to attributes of [Domain Admins@ad.nwra.com]. (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_process_ghost_members] (0x0400): The group has 5 members (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_process_ghost_members] (0x0400): Group has 5 members
(Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_group] (0x0400): Storing info for group Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_groups] (0x4000): Group 0 processed! (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_get_primary_name] (0x0400): Processing object Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_grpmem] (0x0400): Processing group Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Admins@ad.nwra.com] (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_fill_memberships] (0x1000): member #3 (CN=Domain Admins,CN=Users,DC=ad,DC=nwra,DC=com): [name=Domain Admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb]
I guess this is when the server sees the group request, but it seems to be searching for a user not a group:
(Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=domain admins] (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [be_req_set_domain] (0x0400): Changing request domain from [nwra.com] to [ad.nwra.com] (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=domain admins))]. (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_print_server] (0x2000): Searching X.X.X.X (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=domain admins))][cn=Default Trust View,cn=views,cn=accounts,dc=nwra,dc=com]. (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 31 (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fe6dc7066b0], connected[1], ops[0x7fe6dc741810], ldap[0x7fe6dc700170] (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=domain admins))]. (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=ad,dc=nwra,dc=com]
(Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=domain\20admins)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=ad,dc=nwra,dc=com].
here's the group search:
(Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=domain\20admins)) (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sysdb_search_groups] (0x2000): No such entry
Is that improper quoting of the space character? \20? Not changing request domain to ad.nwra.com?
Finally getting back to this, and still having the same trouble.
On 10/09/2015 02:53 PM, Orion Poplawski wrote:
Finally getting back to this, and still having the same trouble.
Filed https://fedorahosted.org/sssd/ticket/2838
Hi Orion ! Hope you are doing well. This thread maybe old for you but I was just curious of how you dealt with this issue? I am having the same issue in my environment.
Thanks Zack
sssd-users@lists.fedorahosted.org