I have an external LDAP metadirectory acting as an identity provider for my linux domain. The metadirectory overrides and supplements the upstream identity source (e.g., it passes thru sn, givenName, mail, telephoneNumber; but overrides or adds uidNumber, gidNumber, loginShell, etc.) The directory also holds RFC2307 group information, and the groups contain members from multiple upstream sources. Authentication via simple bind (for web apps) is passed thru to the relevant upstream provider. LDAP works great.
For command line login, I want to use Kerberos. Each upstream provider is configured as a domain within sssd which uses LDAP for identities and Kerberos for authentication. The local, linux domain-wide groups are included as one of the domain definitions, but not the others. For instance, I have defined domain A, B, and C. Domain A contains group information having members from all three. Domains B and C essentially have no groups defined.
"Getent passwd user works." Authentication works. "getent group test" works, initially...SSSD is removing users from my group. sss_cache -G restores the user (i.e., getent group test includes the user), but the first time the user tries to exercise their permissions by accessing a file on the filesystem, they get a permission denied and are removed from the group (getent group test does not include the user).
Are cross-realm groups something that sssd is designed to prohibit?
This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.