Hi everyone,
In a dev environment, with SSSD 1.16.2 (release 13.el7_6.5) on RHEL 7.6,
SSSD is configured to query the mch.dev domain. A trusted subdomain sub.mch.dev exists (Win2k16).
On mch.dev, I have a user 'user1' in the Universal groups 'G_TEST' and 'allowed_ssh'. These groups are also placed in the mch.dev domain. On sub.mch.dev, I have only the user 'user2'. 'user2' is placed in 'G_TEST' and 'allowed_ssh'.
When I get the id of a user from the mch.dev domain with `id mch\user1`, I get this result: `uid=83701115(user1) gid=513(sssdgrp) groups=513(sssdgrp),83701107(allowed_ssh),83701117(g_test)`, but with `id sub\user2`, in the same groups (universal - child trust), I get `uid=69901104(user2) gid=69901104(user2) groups=69901104(user2)` without the group names.
getent works fine: `getent group 'g_test'` gives: `g_test:*:83701117:user2,user1,mch`
Why do I not have the group names for user2?
sssd.conf:

[sssd]
domains = mch.dev
config_file_version = 2
services = nss, pam
default_domain_suffix = mch.dev
full_name_format = %1$s

[nss]
filter_users = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75

[pam]
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account/password expired, please use selfservice portal to change your password and logon again.

[domain/MCH.DEV]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
ad_domain = mch.dev
krb5_realm = MCH.DEV
krb5_store_password_if_offline = True
cache_credentials = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
override_gid = 513
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
dyndns_update = false
ldap_idmap_range_min = 100000
ldap_use_tokengroups = False
krb5.conf:

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = MCH.DEV

[realms]
MCH.DEV = {
}

[domain_realm]
mch.dev = MCH.DEV
.mch.dev = MCH.DEV
Logs available here: https://pastebin.com/Ntt62Cxt
Thanks in advance
@Jakub Hrozek jhrozek@redhat.com With the configuration above, the inverse of your problem: I can't view and use groups for the subdomain user, but I can log in with SSH like this: 'ssh -l 'sub\user2' 172.31.8.88'
On Tue, Feb 05, 2019 at 08:52:27AM +0000, Martial CHAVIGNY wrote:
Hi everyone,
In a dev environment, with SSSD 1.16.2 (release 13.el7_6.5) on RHEL 7.6,
SSSD is configured to query the mch.dev domain. A trusted subdomain sub.mch.dev exists (Win2k16).
On mch.dev, I have a user 'user1' in the Universal groups 'G_TEST' and 'allowed_ssh'. These groups are also placed in the mch.dev domain. On sub.mch.dev, I have only the user 'user2'. 'user2' is placed in 'G_TEST' and 'allowed_ssh'.
When I get the id of a user from the mch.dev domain with `id mch\user1`, I get this result: `uid=83701115(user1) gid=513(sssdgrp) groups=513(sssdgrp),83701107(allowed_ssh),83701117(g_test)`, but with `id sub\user2`, in the same groups (universal - child trust), I get `uid=69901104(user2) gid=69901104(user2) groups=69901104(user2)` without the group names.
getent works fine: `getent group 'g_test'` gives: `g_test:*:83701117:user2,user1,mch`
Why do I not have the group names for user2?
This looks like an error:

(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sysdb_search_object_attr] (0x0400): No such entry.
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sysdb_get_real_name] (0x0040): Cannot find user [user2@mch.dev] in cache
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_user] (0x0040): Cannot canonicalize username
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sdap_id_op_done] (0x4000): releasing operation connection

I don't know why sysdb_get_real_name() is looking for the entry in the mch.dev domain and not in the subdomain.
Can you remove the full_name_format option from the [sssd] section instead? If you need to use short names, set use_fully_qualified_names=false. Since recent versions you can set this option also for subdomains, but I would suggest first testing with a very vanilla configuration.
btw, was there a reason to unset tokengroups?
sssd.conf:

[sssd]
domains = mch.dev
config_file_version = 2
services = nss, pam
default_domain_suffix = mch.dev
full_name_format = %1$s

[nss]
filter_users = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75

[pam]
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account/password expired, please use selfservice portal to change your password and logon again.

[domain/MCH.DEV]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
ad_domain = mch.dev
krb5_realm = MCH.DEV
krb5_store_password_if_offline = True
cache_credentials = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
override_gid = 513
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
dyndns_update = false
ldap_idmap_range_min = 100000
ldap_use_tokengroups = False
krb5.conf:

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = MCH.DEV

[realms]
MCH.DEV = {
}

[domain_realm]
mch.dev = MCH.DEV
.mch.dev = MCH.DEV
Logs available here: https://pastebin.com/Ntt62Cxt
Thanks in advance
@Jakub Hrozek jhrozek@redhat.com With the configuration above, the inverse of your problem: I can't view and use groups for the subdomain user, but I can log in with SSH like this: 'ssh -l 'sub\user2' 172.31.8.88'
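A small shell check, added here as an example and not part of the thread or of SSSD itself, for the two things the messages above turn on: it compares the `groups=` field of `id` output against the groups a user is expected to be in (the symptom Martial reports for user2), and it reads an sssd.conf to flag `full_name_format` set in `[sssd]`, the option Jakub asks to remove, while showing `use_fully_qualified_names` and `ldap_use_tokengroups` for the domain. The sample `id` lines and the abridged sssd.conf are taken from the thread; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): checks for the symptom and the config
# setting discussed above. Function names are assumptions; the sample data is
# the `id` output and sssd.conf posted in the thread.

# Print each EXPECTED group name that is absent from the "groups=" field of
# one line of `id` output. Comparison is case-insensitive because `id`
# shows the AD groups in lower case (G_TEST appears as g_test).
missing_groups() {
  line="$1"; shift
  groups=$(printf '%s' "${line##*groups=}" | tr 'A-Z' 'a-z')
  for expected; do
    want=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    case "$groups" in
      *"($want)"*) ;;                      # e.g. "83701117(g_test)" is present
      *) printf '%s\n' "$expected" ;;      # not in the list: report it
    esac
  done
}

# Print the value of OPTION inside [SECTION] of the sssd.conf FILE, or
# nothing when the option is not set in that section. Comment lines (# or ;)
# are skipped. Usage: conf_get FILE SECTION OPTION
conf_get() {
  awk -v sec="[$2]" -v opt="$3" '
    /^[[:space:]]*[#;]/ { next }
    /^[[:space:]]*\[/   { s = $0; gsub(/[[:space:]]/, "", s); in_sec = (s == sec); next }
    in_sec && match($0, "^[[:space:]]*" opt "[[:space:]]*=") {
      v = substr($0, RLENGTH + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      print v; exit
    }' "$1"
}

# Report the settings Jakub's reply turns on. full_name_format in [sssd] is
# flagged; use_fully_qualified_names and ldap_use_tokengroups for the domain
# are shown so the current state is visible. Returns 1 when full_name_format
# is still set in [sssd], 0 otherwise. Usage: lint_conf FILE DOMAIN
lint_conf() {
  conf="$1" domain="$2" rc=0
  fnf=$(conf_get "$conf" sssd full_name_format)
  if [ -n "$fnf" ]; then
    printf 'WARN: [sssd] full_name_format = %s (suggested: remove it)\n' "$fnf"
    rc=1
  fi
  printf 'INFO: [domain/%s] use_fully_qualified_names = %s\n' "$domain" \
    "$(conf_get "$conf" "domain/$domain" use_fully_qualified_names)"
  printf 'INFO: [domain/%s] ldap_use_tokengroups = %s\n' "$domain" \
    "$(conf_get "$conf" "domain/$domain" ldap_use_tokengroups)"
  return "$rc"
}

# Sample data from the thread: the two `id` outputs and the posted
# sssd.conf, abridged to the sections the check reads.
USER1_ID='uid=83701115(user1) gid=513(sssdgrp) groups=513(sssdgrp),83701107(allowed_ssh),83701117(g_test)'
USER2_ID='uid=69901104(user2) gid=69901104(user2) groups=69901104(user2)'

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = mch.dev
config_file_version = 2
services = nss, pam
default_domain_suffix = mch.dev
full_name_format = %1$s

[domain/MCH.DEV]
id_provider = ad
ad_domain = mch.dev
ldap_id_mapping = True
use_fully_qualified_names = True
ldap_use_tokengroups = False
EOF

# Stand-alone run: the first call prints nothing, the second lists both
# groups that are missing for user2, the third warns about full_name_format.
missing_groups "$USER1_ID" allowed_ssh G_TEST
missing_groups "$USER2_ID" allowed_ssh G_TEST
lint_conf "$SAMPLE_CONF" MCH.DEV || true
```

On a real host the same functions take live data, for example `missing_groups "$(id 'sub\user2')" allowed_ssh G_TEST` and `lint_conf /etc/sssd/sssd.conf MCH.DEV`; an empty result from the first call after the config change is the confirmation that the subdomain user's group memberships are resolved again.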
Thanks for your reply. Yes, it's working :)
My answer is below.
On Tue, Feb 05, 2019 at 08:52:27AM +0000, Martial CHAVIGNY wrote:
Hi everyone,
In a dev environment, with SSSD 1.16.2 (release 13.el7_6.5) on RHEL 7.6,
SSSD is configured to query the mch.dev domain. A trusted subdomain sub.mch.dev exists (Win2k16).
On mch.dev, I have a user 'user1' in the Universal groups 'G_TEST' and 'allowed_ssh'. These groups are also placed in the mch.dev domain. On sub.mch.dev, I have only the user 'user2'. 'user2' is placed in 'G_TEST' and 'allowed_ssh'.
When I get the id of a user from the mch.dev domain with `id mch\user1`, I get this result: `uid=83701115(user1) gid=513(sssdgrp) groups=513(sssdgrp),83701107(allowed_ssh),83701117(g_test)`, but with `id sub\user2`, in the same groups (universal - child trust), I get `uid=69901104(user2) gid=69901104(user2) groups=69901104(user2)` without the group names.
getent works fine: `getent group 'g_test'` gives: `g_test:*:83701117:user2,user1,mch`
Why do I not have the group names for user2?
This looks like an error:

(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sysdb_search_object_attr] (0x0400): No such entry.
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sysdb_get_real_name] (0x0040): Cannot find user [user2@mch.dev] in cache
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_user] (0x0040): Cannot canonicalize username
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sdap_id_op_done] (0x4000): releasing operation connection

I don't know why sysdb_get_real_name() is looking for the entry in the mch.dev domain and not in the subdomain.
Can you remove the full_name_format option from the [sssd] section instead? If you need to use short names, set use_fully_qualified_names=false. Since recent versions you can set this option also for subdomains, but I would suggest first testing with a very vanilla configuration.
btw, was there a reason to unset tokengroups?
--> In the production env. (SSSD 1.15.2 - release 50.el7_4.11), when this option is not set (True by default for AD), no group name is returned. See: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
sssd.conf:

[sssd]
domains = mch.dev
config_file_version = 2
services = nss, pam
default_domain_suffix = mch.dev
full_name_format = %1$s

[nss]
filter_users = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75

[pam]
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account/password expired, please use selfservice portal to change your password and logon again.

[domain/MCH.DEV]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
ad_domain = mch.dev
krb5_realm = MCH.DEV
krb5_store_password_if_offline = True
cache_credentials = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
override_gid = 513
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
dyndns_update = false
ldap_idmap_range_min = 100000
ldap_use_tokengroups = False
krb5.conf:

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = MCH.DEV

[realms]
MCH.DEV = {
}

[domain_realm]
mch.dev = MCH.DEV
.mch.dev = MCH.DEV
Logs available here: https://pastebin.com/Ntt62Cxt
Thanks in advance
@Jakub Hrozek jhrozek@redhat.com With the configuration above, the inverse of your problem: I can't view and use groups for the subdomain user, but I can log in with SSH like this: 'ssh -l 'sub\user2' 172.31.8.88'
sssd-users@lists.fedorahosted.org