Please help.
On Ubuntu against AD. Logging in with an AD account works fine, EXCEPT for just ONE account; the other AD accounts work fine.
It will let me log in once, and when I try to log in again it comes up with "access denied".
BUT... if I do an "sssctl cache-remove", it works again .. for the first login only.
"id" and related diagnostics on this account come up fine.
Used realmd to add the machine to AD. sssd.conf below.
Level 10 logs for the first (working) and subsequent (failing) logins can be downloaded from
https://intranet.egc.wa.edu.au/downloads/sssd.tar.gz
Please help .. this is driving me insane :-)
Peter
root@e4182s01sv025:/etc/sssd# more sssd.conf
[sssd]
domains = orange.schools.internal
config_file_version = 2
services = nss, pam ,ifp, sudo
default_domain_suffix = ORANGE.SCHOOLS.INTERNAL
[domain/orange.schools.internal]
ad_domain = orange.schools.internal
krb5_realm = ORANGE.SCHOOLS.INTERNAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
ad_gpo_access_control = permissive
root@e4182s01sv025:/etc/sssd#
Hi
"getent group <name>" does not give any output at all.
However, "getent passwd" correctly looks the user up in AD:
$ getent passwd zmir2
zmir2:*:2956636:100:Hans Schou:/home/zmir2:/bin/bash
$ grep -c ^zmir2 /etc/passwd
0
nsswitch looks fine:
$ egrep "^(group|passwd)" /etc/nsswitch.conf
passwd: files sss
group: files sss
SSO is working fine with both ssh and the Samba share.
$ realm list
foo.org
type: kerberos
realm-name: FOO.ORG
domain-name: foo.org
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common-tools
login-formats: %U
login-policy: allow-any-login
foo.org
type: kerberos
realm-name: FOO.ORG
domain-name: foo.org
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins
# cat /etc/sssd/sssd.conf
[sssd]
domains = foo.org
config_file_version = 2
services = nss, pam
[domain/foo.org]
ad_domain = foo.org
krb5_realm = FOO.ORG
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
All on Red Hat 7.6.
The goal is to use an AD group in a Samba share, but it obviously does not
look up groups in AD, only specific users.
--
Venlig hilsen - best regards