On Thu, Feb 06, 2020 at 01:40:46PM +0000, Sangster, Mark wrote:
Hello,
I am switching our SSSD to use the AD provider but have found that the setup has issues with group membership.
The following is my domain configuration:
[domain/<DOMAIN>]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_access_filter = (memberOf=<FILTER>)
ad_hostname = <CLIENT_HOST>
ad_domain = <DOMAIN>
dns_discovery_domain = <DOMAIN>
ldap_id_mapping = false
ldap_sasl_mech = GSSAPI
ldap_referrals = false
dyndns_update = false
cache_credentials = true
enumerate = false
ldap_purge_cache_timeout = 0
This setup works, just not completely: user authentication and user/group lookups work. However, if I attempt to list the full group membership of a user (“id user” or “groups user”), then I am provided with only the primary group. Interestingly, if I do the following: clear the user from the cache, look up the group, look up the user, then the information indicates the primary group and the additional group. We utilise an AllowGroups restriction within SSHD which fails, claiming the user isn’t in the group.
Hi,
What version of SSSD are you using, and on which platform?
It would be best to have debug logs. For this please add 'debug_level = 9' to the [domain/...] and [nss] section of sssd.conf, restart SSSD and call 'id user' again. You can find more details at https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html.
Since you are using 'ldap_id_mapping = false' it might be worth trying to disable the Global Catalog lookups by adding 'ad_enable_gc = false' to the [domain/...] section of sssd.conf.
bye, Sumit
Any suggestions would be welcome.
Thanks Mark
Mark Sangster
Server Infrastructure Specialist
Information Technology Services | University of Aberdeen
t: +44 (0)1224 27-3315 | e: mark@abdn.ac.uk | u: http://www.abdn.ac.uk/it/
The University of Aberdeen is a charity registered in Scotland, No SC013683.
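The two configuration points raised in the reply (POSIX IDs from AD with 'ldap_id_mapping = false' but Global Catalog lookups still enabled, and no 'debug_level' set while troubleshooting) can be checked mechanically. The script below is an added example, not code from the thread or from the SSSD project; the sssd.conf it parses is a constructed sample with a placeholder domain, and the check only encodes what the reply above suggests.

```python
import configparser
from typing import List

# Constructed sssd.conf modelled on the domain section posted in the thread
# (placeholder domain and filter; not a real deployment).
SAMPLE_SSSD_CONF = """
[sssd]
domains = EXAMPLE.COM
services = nss, pam

[domain/EXAMPLE.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_access_filter = (memberOf=CN=linux-users,OU=Groups,DC=example,DC=com)
ldap_id_mapping = false
ldap_sasl_mech = GSSAPI
cache_credentials = true
enumerate = false

[nss]
"""

def _is_false(value: str) -> bool:
    return value.strip().lower() in ("false", "no", "0")

def check_sssd_conf(text: str) -> List[str]:
    """Return findings for the AD-provider settings discussed in the thread."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for sect in (s for s in cp.sections() if s.startswith("domain/")):
        d = cp[sect]
        if d.get("id_provider", "").strip().lower() != "ad":
            continue
        # Reply's suggestion: with ldap_id_mapping = false (POSIX attributes
        # read from AD), try ad_enable_gc = false. SSSD defaults ad_enable_gc to true.
        if _is_false(d.get("ldap_id_mapping", "true")) and not _is_false(d.get("ad_enable_gc", "true")):
            findings.append(f"{sect}: ldap_id_mapping = false without ad_enable_gc = false")
        if "debug_level" not in d:
            findings.append(f"{sect}: no debug_level set (use debug_level = 9 while troubleshooting)")
    if "nss" in cp and "debug_level" not in cp["nss"]:
        findings.append("[nss]: no debug_level set")
    return findings

if __name__ == "__main__":
    for finding in check_sssd_conf(SAMPLE_SSSD_CONF):
        print(finding)
```

Run it against /etc/sssd/sssd.conf (root-readable) to see which of the reply's suggestions are still missing before collecting logs.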
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...