On (27/08/15 12:29), Davor Vusir wrote:
On 2015-08-27 08:39, Lukas Slebodnik wrote:
On (27/08/15 08:21), Davor Vusir wrote:
Back to the first terminal:
[root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@server-1 ~]# sss_ssh_authorizedkeys PublicKeyUser
ssh-rsa AAAAB3NzaC1yc2E...
[root@server-1 ~]#
You could immediately run as root "sss_ssh_authorizedkeys PublicKeyUser" after restarting sssd with new configuration.
Same result as before.
OK, so the problem is not with public ssh key :-)
[root@server-1 ~]# getent group ct-linuxuberadmins
ct-linuxuberadmins:*:10287220:
[root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@server-1 ~]# getent group ct-linuxservicesadmins
uuct-gg-linuxservicesadmins:*:10287637:
Users are not listed due to the enabled option ignore_group_members.
I would be more interested in the output of the command "id PublicKeyUser" with enabled and disabled subdomain provider.
"subdomains_provider = none":
[root@server-1 ~]# id PublicKeyUser
uid=10051785(PublicKeyUser) gid=10000513(domain users) groups=10000513(domain users)
[root@its-srv001-t ~]#
"#subdomains_provider = none":
uid=10051785(PublicKeyUser) gid=10000513(domain users) groups=10000513(domain users),10257368(ct-lg-admins),... all other groups...
So here is a problem. User does not have all groups with disabled subdomain provider. If you disable subdomain provider then you also disable autodiscovery of domain sids. So it might cause missing groups.
Are all user's groups from the same domain?
You can try to configure default domain with options:
man sssd-ldap
 -> ldap_idmap_default_domain_sid
 -> ldap_idmap_default_domain
BTW there was a bug https://fedorahosted.org/sssd/ticket/2635 which prevents using ldap_idmap_default_domain_sid with disabled subdomain. The bug is fixed in rhel6.7, but not in rhel7.1
LS
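
The comparison requested in the thread (the "id PublicKeyUser" output with the subdomain provider disabled and enabled), as an added example that is not part of the original messages. The function names id_groups and missing_groups are hypothetical, and the two sample strings are constructed from the outputs quoted above, keeping only the groups the thread actually shows.

```shell
#!/bin/sh
# Constructed samples based on the two `id` outputs quoted in the thread.
# The groups the thread elides ("... all other groups...") are not filled in.
ID_SUBDOMAINS_OFF='uid=10051785(PublicKeyUser) gid=10000513(domain users) groups=10000513(domain users)'
ID_SUBDOMAINS_ON='uid=10051785(PublicKeyUser) gid=10000513(domain users) groups=10000513(domain users),10257368(ct-lg-admins)'

# Print one "gid name" line per group in an `id` output line, sorted.
# Group names may contain spaces ("domain users"), so split on commas only.
# A trailing SELinux " context=..." field, if present, is dropped first.
id_groups() {
    printf '%s\n' "$1" |
        sed -n -e 's/ context=.*$//' -e 's/.* groups=//p' |
        tr ',' '\n' |
        sed -n 's/^\([0-9][0-9]*\)(\(.*\))$/\1 \2/p' |
        sort
}

# Print the groups present in the second `id` output but absent from the
# first, i.e. the memberships lost with "subdomains_provider = none".
missing_groups() {
    a=$(mktemp)
    b=$(mktemp)
    id_groups "$1" >"$a"
    id_groups "$2" >"$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

missing_groups "$ID_SUBDOMAINS_OFF" "$ID_SUBDOMAINS_ON"
```

On a live host, capture "$(id PublicKeyUser)" once under each configuration (clearing the cache and restarting sssd in between, as shown in the thread) and pass the two captures to missing_groups.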