With sssd-ad 1.12.0 we have the problem that all additional group memberships of a user are missing:
-------------
# id ga57joh
uid=3298478(ga57joh) gid=3000000(tu00000gv-0defprim) groups=3000000(tu00000gv-0defprim)
-------------
Only the main group shows; all additional groups like 3394681(tueilntgv-0all), 3393702(tueilntgv-0staff) are missing.
We have the following /etc/sssd/sssd.conf:
-------------
[sssd]
config_file_version = 2
services = nss,pam
domains = default

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
id_provider = ad
auth_provider = ad
access_provider = simple
chpass_provider = ad
ad_domain = ads.mwn.de
#ad_enable_gc = False <-- even this does not help!

# Disable sssd-ad ID mapping, as we want to use posix data from AD
ldap_id_mapping = False
# Disable user enumeration for speed
enumerate = False

# Set base DNs and scope for faster search
ldap_search_base = DC=ads,DC=mwn,DC=de
ldap_user_search_base = ou=Users,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de
ldap_group_search_base = ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de
-------------
Using sssd-ad 1.9.6, we get all groups successfully with the identical config!
We see the following message in /var/log/sssd/sssd_default.log:
-------------
[sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call
[sdap_get_initgr_user] (0x4000): Process user's groups
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing membership SID [S-1-5-32-545]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0080): Domain not found for SID S-1-5-32-545
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing membership SID [S-1-5-21-1499261727-55176102-3529509929-420311]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0400): Missing SID S-1-5-21-1499261727-55176102-3529509929-420311 will be downloaded
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing membership SID [S-1-5-21-1499261727-55176102-3529509929-571]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0400): Missing SID S-1-5-21-1499261727-55176102-3529509929-571 will be downloaded
...
[sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for [ne96soh]
[sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1499261727-55176102-3529509929-420311)(objectclass=group)(name=*))][ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType]
[sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
[sdap_get_initgr_done] (0x4000): Initgroups done
-------------
It looks like all the missing user groups are mentioned in the "Missing SID ... will be downloaded" messages, but are still missing in the end!
Any ideas?
Best regards, Joschi
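The debug excerpt above is easier to reason about once the tokenGroups SIDs are correlated with the per-SID objectSID searches that follow them. The script below is an added example (not part of the post and not SSSD code) that does that correlation: it reads the quoted sssd_default.log lines, records which SIDs SSSD could not map to a domain, which it queued for download, and which objectSID search (and under which base) came back with how many results, then lists every SID that never turned into a group together with the reason visible in the log. The regular expressions assume the exact message wording quoted in the post; the SAMPLE_LOG is constructed from that excerpt.

```python
"""Correlate sssd tokenGroups resolution messages in a sssd_default.log excerpt.

Added example, not part of the original post or of SSSD itself. The regexes
assume the debug-line wording exactly as quoted in the post.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the log lines quoted in the post, one per line.
SAMPLE_LOG = """\
[sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call
[sdap_get_initgr_user] (0x4000): Process user's groups
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing membership SID [S-1-5-32-545]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0080): Domain not found for SID S-1-5-32-545
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing membership SID [S-1-5-21-1499261727-55176102-3529509929-420311]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0400): Missing SID S-1-5-21-1499261727-55176102-3529509929-420311 will be downloaded
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing membership SID [S-1-5-21-1499261727-55176102-3529509929-571]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0400): Missing SID S-1-5-21-1499261727-55176102-3529509929-571 will be downloaded
[sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for [ne96soh]
[sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1499261727-55176102-3529509929-420311)(objectclass=group)(name=*))][ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType]
[sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
[sdap_get_initgr_done] (0x4000): Initgroups done
"""

SID = r"(S-1-5-[\d-]+)"
RE_PROCESSING = re.compile(r"Processing membership SID \[" + SID + r"\]")
RE_NO_DOMAIN = re.compile(r"Domain not found for SID " + SID)
RE_MISSING = re.compile(r"Missing SID " + SID + r" will be downloaded")
# filter "[(&(objectSID=<sid>)...)]" followed by the search base "[<base>]"
RE_SEARCH = re.compile(
    r"calling ldap_search_ext with \[\(&\(objectSID=" + SID + r"\)[^\]]*\]\[([^\]]+)\]"
)
RE_RESULTS = re.compile(r"Search for groups, returned (\d+) results")


@dataclass
class InitgrReport:
    processed: list = field(default_factory=list)  # every SID found in tokenGroups
    no_domain: list = field(default_factory=list)  # SIDs sssd could not map to a known domain
    missing: list = field(default_factory=list)    # SIDs not cached, queued for download
    searches: dict = field(default_factory=dict)   # sid -> (search base, result count)


def parse_initgr_log(text: str) -> InitgrReport:
    """Walk the excerpt once; a result-count line belongs to the latest objectSID search."""
    rep = InitgrReport()
    pending = None  # (sid, base) of the search whose result count has not been seen yet
    for line in text.splitlines():
        if m := RE_PROCESSING.search(line):
            rep.processed.append(m.group(1))
        elif m := RE_NO_DOMAIN.search(line):
            rep.no_domain.append(m.group(1))
        elif m := RE_MISSING.search(line):
            rep.missing.append(m.group(1))
        elif m := RE_SEARCH.search(line):
            pending = (m.group(1), m.group(2))
        elif (m := RE_RESULTS.search(line)) and pending:
            sid, base = pending
            rep.searches[sid] = (base, int(m.group(1)))
            pending = None
    return rep


def unresolved_sids(rep: InitgrReport) -> dict:
    """Map each SID that never became a group to the reason visible in the log."""
    reasons = {}
    for sid in rep.processed:
        if sid in rep.no_domain:
            reasons[sid] = "no domain known for this SID (S-1-5-32-* is BUILTIN, not an AD domain SID)"
        elif sid in rep.missing:
            hit = rep.searches.get(sid)
            if hit is None:
                reasons[sid] = "queued for download but no objectSID search for it appears in the excerpt"
            elif hit[1] == 0:
                reasons[sid] = f"objectSID search under [{hit[0]}] returned 0 results"
    return reasons


if __name__ == "__main__":
    for sid, why in unresolved_sids(parse_initgr_log(SAMPLE_LOG)).items():
        print(f"{sid}: {why}")
```

Run against the post's excerpt, the report shows the objectSID search for ...-420311 was issued with the configured ldap_group_search_base as its base and returned nothing, while ...-571 is queued but no search for it is visible in the trimmed excerpt; the script only states what the log shows and makes no claim about the root cause. A practitioner would next check, with an ldapsearch against the domain controller, whether a group with that objectSID actually lives under that OU, and re-run the script on the full untrimmed log to see whether the remaining "Missing SID" entries were searched at all.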