On 2015-08-27 14:40, Lukas Slebodnik wrote:
On (27/08/15 12:29), Davor Vusir wrote:
On 2015-08-27 08:39, Lukas Slebodnik wrote:
On (27/08/15 08:21), Davor Vusir wrote:
Back to the first terminal:
[root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@server-1 ~]# sss_ssh_authorizedkeys PublicKeyUser
ssh-rsa AAAAB3NzaC1yc2E...
[root@server-1 ~]#
You could immediately run as root "sss_ssh_authorizedkeys PublicKeyUser" after restarting sssd with the new configuration.
Same result as before.
OK, so the problem is not with public ssh key :-)
[root@server-1 ~]# getent group ct-linuxuberadmins
ct-linuxuberadmins:*:10287220:
[root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@server-1 ~]# getent group ct-linuxservicesadmins
uuct-gg-linuxservicesadmins:*:10287637:
Users are not listed due to the enabled option ignore_group_members.
I would be more interested in the output of the command "id PublicKeyUser" with the subdomain provider enabled and disabled.
"subdomains_provider = none":
[root@server-1 ~]# id PublicKeyUser
uid=10051785(PublicKeyUser) gid=10000513(domain users) groups=10000513(domain users)
[root@its-srv001-t ~]#

"#subdomains_provider = none":
uid=10051785(PublicKeyUser) gid=10000513(domain users) groups=10000513(domain users),10257368(ct-lg-admins),... all other groups...
So here is the problem. The user does not have all groups with the subdomain provider disabled. If you disable the subdomain provider then you also disable autodiscovery of domain SIDs. So it might cause missing groups.
I see.
Are all user's groups from the same domain?
All users and groups are from the same domain. No subdomains but forest trusts.
You can try to configure the default domain with these options (see man sssd-ldap):
  ldap_idmap_default_domain_sid
  ldap_idmap_default_domain
BTW there was a bug https://fedorahosted.org/sssd/ticket/2635 which prevents using ldap_idmap_default_domain_sid with the subdomain provider disabled. The bug is fixed in rhel6.7, but not in rhel7.1
Setting these solved it. Thank you. And I'll bear it in mind for 7.1. Strange though that these settings are needed when all user accounts and groups have got uidnumber and gidnumber assigned.
man sssd-ad could be clearer that the domain's NetBIOS name is to be used for ldap_idmap_default_domain.
But I'm still somewhat confused that SSSD treats trusted forests as subdomains. Maybe it's because SSSD doesn't care whether it's a forest trust or not (a trust is a trust, so to speak) and lacks the functionality to distinguish the two and therefore adds them as subdomains. Maybe I have to configure [capaths] in krb5.conf.
I'm grateful for your time and guidance, Lukas. It has certainly helped me to understand SSSD more deeply. And thank you for a good product.
Have a nice weekend
Davor
LS
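The configuration the thread converges on, written out as an added example. This is not Davor's actual sssd.conf (which the thread does not show); it is an AD-provider domain section with the subdomain provider disabled and the default domain pinned explicitly, as Lukas suggested. The domain name, the NetBIOS name and the SID are placeholders, and the ldap_id_mapping and services lines are assumptions based on Davor's remark that accounts carry uidNumber/gidNumber and on his use of sss_ssh_authorizedkeys.

```ini
# /etc/sssd/sssd.conf -- added example; all names and the SID are placeholders
[sssd]
config_file_version = 2
# ssh responder assumed, since sss_ssh_authorizedkeys is used in the thread
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ad
ad_domain = example.test

# Assumed: POSIX uidNumber/gidNumber come from AD, so no SID-to-ID mapping
ldap_id_mapping = False

# As in the thread: group members are not expanded, so "getent group" shows
# an empty member list; "id <user>" still lists the user's groups.
ignore_group_members = True

# Disabling the subdomain provider also disables autodiscovery of the domain
# SID, which is what caused the missing groups; pin the default domain below.
subdomains_provider = none

# Placeholders: the joined domain's SID and its NetBIOS (flat) name.
# Per this thread, ldap_idmap_default_domain takes the NetBIOS name,
# not the DNS name.
ldap_idmap_default_domain_sid = S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
ldap_idmap_default_domain = EXAMPLE
```

After changing the file, repeat the sequence used in the thread (stop sssd, clear /var/lib/sss/db/* and /var/lib/sss/mc/*, start sssd) so no stale cache entry masks the result, then check "id PublicKeyUser" and confirm the full group list is back; a user silently missing groups such as ct-linuxuberadmins will fail (or, for deny rules keyed on groups, wrongly pass) any sudo or access rule built on those groups, so re-verify such rules after the change. As Lukas notes, on rhel7.1 ticket 2635 still prevents ldap_idmap_default_domain_sid from taking effect with the subdomain provider disabled.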