Same domain.On Fri, Nov 15, 2019 at 04:57:27AM -0800, Jim Burwell wrote:On 2019-11-15 04:25, Jamal Mahmoud wrote:On Fri, Nov 15, 2019 at 10:58:17AM -0000, Jamal Mahmoud wrote: Ok, do you know if the LDAP attributes uidNumber and gidNumber are replicated to the Global Catalog in your environment? By default they are not. You can check this manually as well with ldapsearch on the Global Catalog port 3268: ldapsearch -H ldap://your-ad-dc.your.ad.domain:3268 -b 'DC=your,DC=ad,DC=domain' samAccountName=groupname If gidNumber is missing in the Global Catalog object please try if setting ad_enable_gc = False in the [domain/...] section of sssd.conf makes the group lookup more reliable. bye, SumitHi Sumit, I'm just after checking and you are correct! the ldap search through the Global Catalog does not return any POSIX attributes, we're going to apply this patch and see if the errors stop occurring. If this is the solution I owe you a drink (or 5). Thanks, JamalYep. The docs say that all those POSIX attributes should be marked as being part of the GC, which they aren't by default. You need to use the AD schema too to do that IIRC. I've also encountered issues with groups going missing, and in fact I'm working such an issue now. In our case, all the POSIX stuff is replicated to the GC. What happens is that the user's groups are fine for a long time (8-10 hours), then either a single group vanishes, OR all but their login group vanishes. The only thing that brings it backHi, are the group from the domain the client is joined to or from a different domain in the forest?
immediately is stopping SSSD, removing /var/lib/sssd/db/*, and restarting it. Then the groups will be back for that semi-random period. I had another case of this issue a few weeks ago. But in this case it turned out to be that there was an automated process on the AD that was removing users from groups, then adding them back shortly after. ItAre the groups being removed as well during this process and then added back with the same name?
I'm not positive about that. I presumed that the groups themselves were being left in place and users were just being removed from the group then re-added by an automated process. But I'll inquire as to whether this was a case. I have doubts because the groups exist with the proper gidNumber, which I don't believe these automated process handles.
Can you share your sssd.conf?
#
# sssd.conf for SSSD versions which have the AD provider module
# (preferred method)
#
[sssd]
config_file_version = 2
domains = {{ krb5_realm }}
services = nss, pam, pac
# remove PAC if it causes slow/failed login
#services = nss, pam
# uncomment for heavy debugging
# debug_level = 0x37F0
[nss]
# in case home dir isn't defined in AD/ldap unixHomeDirectory
fallback_homedir = /h/%u
[pam]
# debugging
#pam_verbosity = 5
# custom messages
pam_account_expired_message = Account Expired
pam_account_locked_message = Account Locked
# domain section
[domain/{{ krb5_realm }}]
# uncomment for heavy debugging
# debug_level = 0x37F0
#ad_gpo_access_control = permissive
# disabled, causes issues w/ some OSes
ad_gpo_access_control = disabled
# Use AD provider
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_id_mapping = False
cache_credentials = True
ldap_schema = ad
# Search base
ldap_search_base = dc=widgetco,dc=com
# Speed up search with narrowed user search base if required
#ldap_user_search_base = OU=Users,OU=Corp,DC=widgetco,DC=com
ldap_user_object_class = user
# Speed up search if required. See sssd-ldap man page for how to
# specify complex search bases with multiple bases, etc.
# ldap_group_search_base = ou=users,dc=widgetco,dc=com
ldap_group_object_class = group
# Use AD unix attributes instead of generating UID/GID, etc
ldap_id_mapping = False
# where AD keeps these attributes
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
# expire policies
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = True
# specify only if needed (DNS SRV records used otherwise)
#ad_server = dcwidgetcoprim.widgetco.com
# Let DHCP client handle this
dyndns_update = false
# This greatly improves login speed, but getent group groupname won't show
# group members (but group lookups for the OS still work). It is basically
# required for complex AD group schemas, or AD environments with LOTS of
# groups. It may be possible to turn it off if a group search base can
# be devised which speeds thing up. But if there were many many groups, we
# still need it.
ignore_group_members = true
bye, Sumit
thanks.
seems that SSSD would sometimes catch it at the right time, and remove the user from the group, or sometimes bug out and remove all the users group except the user entry's gidNumber group (primary login group). This appears to me to be some sort of bug with SSSD where once it removes a group in the cache, it doesn't restore it when the user comes back. Perhaps negative caching (intended, or not)? - Jim _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org