Hello
I also have a group issue on sssd 1.11.6 with LDAP/Krb5 provider. When I used sssd-1.9.2-129.el6_5.4.x86_64, I could get all belonging groups by "id" command. After I updated to sssd-1.11.6-1, I could get only primary group by "id" command. I needed to retrieve each group information by "getent group" command. After that I could get all belonging groups by "id" command. It looks like the initial group lookup failed on sssd-1.11.6-1. Is this behavior a bug or spec of version 1.11.6 or I missed something in configuration file? I would appreciate your kind support.

Reproduce Procedures
================
1. Set up desired sssd version
2. Remove cache files
   # rm -f /var/lib/sss/db/cache*
3. Start sssd
   # sssd -i -d7 -c sssd.conf-LDAP
4. Check account information by "id" command
   # id shoji-lab
5. Check group information by "getent group" command
   # getent group G-Role-ISOps-Server
6. Check account information again.
   # id shoji-lab

Test Result (sssd-1.9.2-129)
====================
[admin@jpbl0-in00-is16 ~]$ rpm -q sssd
sssd-1.9.2-129.el6_5.4.x86_64
[admin@jpbl0-in00-is16 ~]$ id shoji-lab
uid=20000(shoji-lab) gid=20002(Domain Users) groups=20002(Domain Users),20166(U-Role-ISOps-Server),20165(G-Role-ISOps-Server)
[admin@jpbl0-in00-is16 ~]$ getent group G-Role-ISOps-Server
G-Role-ISOps-Server:*:20165:shoji-lab,bmulvany-lab,banban-lab,test_shoji,mokbrian-lab,arionk-lab,bleej-lab,haughtoj-lab,tstevens-lab,dkeane-lab,danoneil-lab,srpenn-lab
[admin@jpbl0-in00-is16 ~]$ id shoji-lab
uid=20000(shoji-lab) gid=20002(Domain Users) groups=20002(Domain Users),20166(U-Role-ISOps-Server),20165(G-Role-ISOps-Server)

Test Result (sssd-1.11.6-1)
====================
[admin@jpbl0-in00-is16 ~]$ id shoji-lab
uid=20000(shoji-lab) gid=20002(Domain Users) groups=20002(Domain Users)
[admin@jpbl0-in00-is16 ~]$ getent group G-Role-ISOps-Server
G-Role-ISOps-Server:*:20165:shoji-lab,bmulvany-lab,banban-lab,test_shoji,mokbrian-lab,arionk-lab,bleej-lab,haughtoj-lab,tstevens-lab,dkeane-lab,danoneil-lab,srpenn-lab
[admin@jpbl0-in00-is16 ~]$ id shoji-lab
uid=20000(shoji-lab) gid=20002(Domain Users) groups=20002(Domain Users),20165(G-Role-ISOps-Server)

Error Log Summary (sssd-1.11.6-1)
==========================
(Fri Aug 8 03:30:18 2014) [sssd[nss]] [nss_memcache_initgr_check] (0x1000): Got request for [shoji-lab@labsso]
(Fri Aug 8 03:30:18 2014) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Init group lookup failed
(Fri Aug 8 03:30:18 2014) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 22, Init group lookup failed Will try to return what we have in cache
(Fri Aug 8 03:30:18 2014) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x418450:3:shoji-lab@labsso]
(Fri Aug 8 03:30:18 2014) [sssd[be[labsso]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Init group lookup failed
(Fri Aug 8 03:30:18 2014) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

SSSD Configuration : Using LDAP/Krb5 providers
====================================
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = labsso
[nss]
[pam]
[sudo]
[domain/labsso]
enumerate = false
ldap_id_use_start_tls = False
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

krb5_realm = LABSSO.LABROOT.ISOPS.EXAMPLE.COM
krb5_server = jpbw0-in00-is82.labsso.labroot.isops.example.com
krb5_kpasswd = jpbw0-in00-is82.labsso.labroot.isops.example.com

ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_uri = ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com
ldap_search_base = DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
ldap_default_bind_dn = bindisops-lab@labsso.labroot.isops.example.com
ldap_default_authtok_type = password
ldap_default_authtok = password
ldap_referrals = False

LDAP Server (Active Directory) User/Group Hierarchy
========================================
shoji-lab (uid=20000, @LABSSO)
G-Role-ISOps-Server (gid=20165, @LABSSO)
U-Role-ISOps-Server (gid=20166, @LABSSO)

Regards, Shoji Sugiyama
On Fri, Aug 08, 2014 at 01:35:27PM +0900, 杉山昌治 wrote:
Hello
I also have a group issue on sssd 1.11.6 with LDAP/Krb5 provider. When I used sssd-1.9.2-129.el6_5.4.x86_64, I could get all belonging groups by "id" command. After I updated to sssd-1.11.6-1, I could get only primary group by "id" command. I needed to retrieve each group information by "getent group" command. After that I could get all belonging groups by "id" command. It looks like the initial group lookup failed on sssd-1.11.6-1. Is this behavior a bug or spec of version 1.11.6 or I missed something in configuration file? I would appreciate your kind support.
Reproduce Procedures
- Set up desired sssd version
- Remove cache files
  # rm -f /var/lib/sss/db/cache*
- Start sssd
  # sssd -i -d7 -c sssd.conf-LDAP
- Check account information by "id" command
  # id shoji-lab
- Check group information by "getent group" command
  # getent group G-Role-ISOps-Server
- Check account information again.
  # id shoji-lab
Test Result (sssd-1.9.2-129)
[admin@jpbl0-in00-is16 ~]$ rpm -q sssd
sssd-1.9.2-129.el6_5.4.x86_64
[admin@jpbl0-in00-is16 ~]$ id shoji-lab
uid=20000(shoji-lab) gid=20002(Domain Users) groups=20002(Domain Users),20166(U-Role-ISOps-Server),20165(G-Role-ISOps-Server)
[admin@jpbl0-in00-is16 ~]$ getent group G-Role-ISOps-Server
G-Role-ISOps-Server:*:20165:shoji-lab,bmulvany-lab,banban-lab,test_shoji,mokbrian-lab,arionk-lab,bleej-lab,haughtoj-lab,tstevens-lab,dkeane-lab,danoneil-lab,srpenn-lab
[admin@jpbl0-in00-is16 ~]$ id shoji-lab
uid=20000(shoji-lab) gid=20002(Domain Users) groups=20002(Domain Users),20166(U-Role-ISOps-Server),20165(G-Role-ISOps-Server)
Test Result (sssd-1.11.6-1)
[admin@jpbl0-in00-is16 ~]$ id shoji-lab
uid=20000(shoji-lab) gid=20002(Domain Users) groups=20002(Domain Users)
[admin@jpbl0-in00-is16 ~]$ getent group G-Role-ISOps-Server
G-Role-ISOps-Server:*:20165:shoji-lab,bmulvany-lab,banban-lab,test_shoji,mokbrian-lab,arionk-lab,bleej-lab,haughtoj-lab,tstevens-lab,dkeane-lab,danoneil-lab,srpenn-lab
[admin@jpbl0-in00-is16 ~]$ id shoji-lab
uid=20000(shoji-lab) gid=20002(Domain Users) groups=20002(Domain Users),20165(G-Role-ISOps-Server)
Error Log Summary (sssd-1.11.6-1)
(Fri Aug 8 03:30:18 2014) [sssd[nss]] [nss_memcache_initgr_check] (0x1000): Got request for [shoji-lab@labsso]
(Fri Aug 8 03:30:18 2014) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Init group lookup failed
(Fri Aug 8 03:30:18 2014) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 22, Init group lookup failed Will try to return what we have in cache
(Fri Aug 8 03:30:18 2014) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x418450:3:shoji-lab@labsso]
(Fri Aug 8 03:30:18 2014) [sssd[be[labsso]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Init group lookup failed
(Fri Aug 8 03:30:18 2014) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
SSSD Configuration : Using LDAP/Krb5 providers
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = labsso
[nss]
[pam]
[sudo]
[domain/labsso]
enumerate = false
ldap_id_use_start_tls = False
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

krb5_realm = LABSSO.LABROOT.ISOPS.EXAMPLE.COM
krb5_server = jpbw0-in00-is82.labsso.labroot.isops.example.com
krb5_kpasswd = jpbw0-in00-is82.labsso.labroot.isops.example.com

ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_uri = ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com
ldap_search_base = DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
ldap_default_bind_dn = bindisops-lab@labsso.labroot.isops.example.com
ldap_default_authtok_type = password
ldap_default_authtok = password
ldap_referrals = False
LDAP Server (Active Directory) User/Group Hierarchy
shoji-lab (uid=20000, @LABSSO)
G-Role-ISOps-Server (gid=20165, @LABSSO)
U-Role-ISOps-Server (gid=20166, @LABSSO)
Regards, Shoji Sugiyama
Hi,
we had a bug with this configuration that Pavel Brezina fixed some time ago. https://fedorahosted.org/sssd/ticket/2385
Are you comfortable testing directly from git? If not, I'll build you a test package for el6.
sssd-users@lists.fedorahosted.org
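
Added example, not part of the thread or of SSSD itself: a small parser for the debug-log format quoted in the error log summary, reporting each initgroups request that the Data Provider answered with an error, which is the condition that left "id" with only the primary group. It assumes a nonzero "DP error code" means failure and that one initgroups request is in flight at a time; the "alice@labsso" lines are constructed sample input.

```python
import re

# First three lines are copied from the post's error log summary.
# The "alice@labsso" lines are constructed to show a reply that is not flagged.
SAMPLE_LOG = """\
(Fri Aug 8 03:30:18 2014) [sssd[nss]] [nss_memcache_initgr_check] (0x1000): Got request for [shoji-lab@labsso]
(Fri Aug 8 03:30:18 2014) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Init group lookup failed
(Fri Aug 8 03:30:18 2014) [sssd[be[labsso]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Init group lookup failed
(Fri Aug 8 03:30:19 2014) [sssd[nss]] [nss_memcache_initgr_check] (0x1000): Got request for [alice@labsso]
(Fri Aug 8 03:30:19 2014) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
"""

# Layout of one entry: (timestamp) [process] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
REQ_RE = re.compile(r"Got request for \[(?P<name>[^\]]+)\]")
DP_RE = re.compile(
    r"DP error code: (?P<dp>\d+) errno: (?P<errno>\d+) error message: (?P<text>.+)"
)


def find_failed_initgroups(log_text):
    """Return one record per initgroups request whose Data Provider reply was an error."""
    pending = None  # assumption: only one initgroups request in flight at a time
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # continuation lines and unrelated output
        if m["func"] == "nss_memcache_initgr_check":
            req = REQ_RE.search(m["msg"])
            pending = req["name"] if req else None
        elif m["func"] == "sss_dp_get_reply" and pending is not None:
            dp = DP_RE.search(m["msg"])
            if dp and int(dp["dp"]) != 0:  # assumption: nonzero DP code is a failure
                findings.append({
                    "time": m["ts"], "user": pending,
                    "dp_error": int(dp["dp"]), "errno": int(dp["errno"]),
                    "message": dp["text"].strip(),
                })
            pending = None
    return findings


if __name__ == "__main__":
    for f in find_failed_initgroups(SAMPLE_LOG):
        print("{time}  {user}: DP {dp_error}, errno {errno}: {message}".format(**f))
```
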