Hi,

We have a problem after upgrading from version 11.7 to 12.5: identity lookups periodically change from short name to fully qualified name for users from trusted domains. In turn, users get locked out of files, or cannot log in, because the nfsidmap setup can't figure out the ID mapping.
This setup worked in version 11.7 (plus several other domains configured identically):

[domain/A.C.DOM.ORG]
debug_level = 9
cache_credentials = true
id_provider = ad
dyndns_update = false
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = a.c.dom.org
krb5_realm = A.C.DOM.ORG
use_fully_qualified_names = false
subdomain_provider = none
ldap_id_mapping = false
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
ad_gpo_access_control = disabled
ad_gpo_default_right = permit

With my new setup, IDs from trusted domains can't be resolved as short names. Only IDs from the client machine's native domain can. Cross-realm membership resolves fine.

[nss]
debug_level = 7
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldeamon,dbus,radvd,tomcat,radiusd,news,mailman,nscd

[sssd]
debug_level = 9
domains = A.C.DOM.ORG,N.C.DOM.ORG,C.DOM.ORG
config_file_version = 2
services = nss, pam, ssh

[pam]
pam_verbosity = 3
debug_level = 9

[domain/A.C.DOM.ORG]
debug_level = 9
id_provider = ad
dyndns_update = true
ad_hostname = a431.a.c.dom.org
ignore_group_members = true
use_fully_qualified_names = false
ldap_id_mapping = false
ldap_user_name = sAMAccountName
#ldap_user_principal = sAMAccountName
ad_site = DOM
Best,
Longina
On Wed, Sep 09, 2015 at 08:52:00PM +0000, Longina Przybyszewska wrote:
> Hi,
>
> We have a problem after upgrading from version 11.7 to 12.5: identity lookups periodically change from short name to fully qualified name for users from trusted domains. In turn, users get locked out of files, or cannot log in, because the nfsidmap setup can't figure out the ID mapping.
>
> This setup worked in version 11.7 (plus several other domains configured identically):
>
> [domain/A.C.DOM.ORG]
> debug_level = 9
> cache_credentials = true
> id_provider = ad
> dyndns_update = false
> access_provider = ad
> auth_provider = ad
> chpass_provider = ad
> ad_domain = a.c.dom.org
> krb5_realm = A.C.DOM.ORG
> use_fully_qualified_names = false
> subdomain_provider = none
> ldap_id_mapping = false
> krb5_lifetime = 10h
> krb5_renewable_lifetime = 7d
> krb5_renew_interval = 1h
> ad_gpo_access_control = disabled
> ad_gpo_default_right = permit
>
> With my new setup, IDs from trusted domains can't be resolved as short names.
Can you give an example? Are you saying that for a user in the domain "N.C.DOM", 'getent passwd user' wouldn't resolve the user?

If that's the case, we need logs.
> Only IDs from the client machine's native domain can. Cross-realm membership resolves fine.
>
> [nss]
> debug_level = 7
> filter_groups = root
> filter_users = root,lightdm,ldap,named,avahi,haldeamon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
>
> [sssd]
> debug_level = 9
> domains = A.C.DOM.ORG,N.C.DOM.ORG,C.DOM.ORG
> config_file_version = 2
> services = nss, pam, ssh
>
> [pam]
> pam_verbosity = 3
> debug_level = 9
>
> [domain/A.C.DOM.ORG]
> debug_level = 9
> id_provider = ad
> dyndns_update = true
> ad_hostname = a431.a.c.dom.org
> ignore_group_members = true
> use_fully_qualified_names = false
> ldap_id_mapping = false
> ldap_user_name = sAMAccountName
> #ldap_user_principal = sAMAccountName
> ad_site = DOM
>
> Best,
> Longina
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Sorry for answering so late; I needed some vacation :) The problem is still open...
On Wed, Sep 09, 2015 at 08:52:00PM +0000, Longina Przybyszewska wrote:
> > Hi,
> >
> > We have a problem after upgrading from version 11.7 to 12.5: identity lookups periodically change from short name to fully qualified name for users from trusted domains. In turn, users get locked out of files, or cannot log in, because the nfsidmap setup can't figure out the ID mapping.
> >
> > This setup worked in version 11.7 (plus several other domains configured identically):
> >
> > [domain/A.C.DOM.ORG]
> > debug_level = 9
> > cache_credentials = true
> > id_provider = ad
> > dyndns_update = false
> > access_provider = ad
> > auth_provider = ad
> > chpass_provider = ad
> > ad_domain = a.c.dom.org
> > krb5_realm = A.C.DOM.ORG
> > use_fully_qualified_names = false
> > subdomain_provider = none
> > ldap_id_mapping = false
> > krb5_lifetime = 10h
> > krb5_renewable_lifetime = 7d
> > krb5_renew_interval = 1h
> > ad_gpo_access_control = disabled
> > ad_gpo_default_right = permit
> >
> > With my new setup, IDs from trusted domains can't be resolved as short names.
> Can you give an example? Are you saying that for a user in the domain "N.C.DOM", 'getent passwd user' wouldn't resolve the user?
Yes. nuser is a user from n.c.dom.org:

$ getent passwd nuser
$ getent passwd nuser@n.c.dom.org
nuser@n.c.dom.org:*:10002:30000000:xxxxxx:/home/nuser:/bin/bash

$ id nuser
id: nuser: no such user
$ id nuser@nat.c.sdu.dk
uid=10002(nuser@n.c.dom.org) gid=30000000(lnx-primary) groups=30000000(lnx-primary),30000003(lnx-ladm-servers),...

auser is a user from a.c.dom.org:

$ getent passwd auser
auser:*:10007:8888:xxxxx:/home/auser:/bin/bash

$ id auser
uid=10007(auser) gid=8888(nfs4users@n.c.dom.org) groups=8888(nfs4users@n.c.dom.org),30000000(lnx-primary),6666(nfs4users2@n.c.dom.org),9002(lnx-nfs4users2@c.dom.org),30000001(lnx-web3-www),9999(usr-glu@c.dom.org)

My sssd.conf is:

[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldeamon,dbus,radvd,tomcat,radiusd,news,mailman,nscd

[sssd]
debug_level = 9
domains = A.C.DOM.ORG, C.DOM.ORG, N.C.DOM.ORG
config_file_version = 2
services = nss, pam, ssh

[pam]
pam_verbosity = 3
debug_level = 9

[domain/A.C.DOM.ORG]
debug_level = 10
cache_credentials = true
id_provider = ad
dyndns_update = true
ad_hostname = adm-lnx432.a.c.dom.org
use_fully_qualified_names = false
ldap_id_mapping = false
ldap_user_name = sAMAccountName
ad_site = DOM
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
ad_gpo_access_control = disabled
ad_gpo_default_right = permit
dyndns_update_ptr = true
> If that's the case, we need logs.

Which logs would you like to see, and at what debugging level?
Longina
> > Only IDs from the client machine's native domain can. Cross-realm group membership resolves fine.

Is it OK if I send the logs directly to you as a tar file?
Longina
-----Original message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On behalf of Jakub Hrozek
Sent: 9 October 2015 10:40
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] 12.5 problems
On Thu, Oct 08, 2015 at 08:03:43PM +0000, Longina Przybyszewska wrote:
> > If that's the case, we need logs.
>
> Which logs would you like to see, and at what debugging level?
Domain and NSS logs at level 7 please.
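The short-name versus qualified-name comparison that Longina runs by hand with getent and id earlier in the thread, as an added example that is not part of the thread and not SSSD project code. The script takes user@domain arguments, looks up both the short and the fully qualified form with getent, and reports whether they resolve to the same uid; the FQDN-ONLY verdict is the state shown for nuser above. The lookup wrapper, the return codes and the sample entries in the comments are assumptions of this example, not SSSD behaviour.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the SSSD project): check that users
# from trusted AD domains resolve consistently by short name and by
# fully qualified name. Usage:
#   ./sssd_name_check.sh nuser@n.c.dom.org auser@a.c.dom.org
# Non-zero exit means at least one user resolves only in one form, which is
# the state in which nfsidmap cannot map the name.

# Thin wrapper around getent so the lookup can be replaced by a stub when
# testing offline. Prints the passwd entry, or nothing if the name is unknown.
lookup() {
    getent passwd "$1" 2>/dev/null
}

# uid_of NAME: print the uid field of NAME's passwd entry; return 1 and
# print nothing when NAME does not resolve.
uid_of() {
    local entry
    entry=$(lookup "$1") || return 1
    [ -n "$entry" ] || return 1
    printf '%s\n' "$entry" | cut -d: -f3
}

# check_user SHORT DOMAIN: compare SHORT with SHORT@DOMAIN.
# Return codes (assumed for this example):
#   0 both forms resolve to the same uid
#   1 only the qualified form resolves (what the thread shows for nuser)
#   2 both resolve, but to different uids (two accounts would collide)
#   3 only the short form resolves
#   4 neither form resolves
check_user() {
    local short=$1 domain=$2 fq uid_s uid_f
    fq="${short}@${domain}"
    uid_s=$(uid_of "$short") || uid_s=""
    uid_f=$(uid_of "$fq") || uid_f=""
    if [ -n "$uid_s" ] && [ -n "$uid_f" ]; then
        if [ "$uid_s" = "$uid_f" ]; then
            printf 'OK         %-30s uid=%s\n' "$fq" "$uid_s"
            return 0
        fi
        printf 'MISMATCH   %-30s short uid=%s qualified uid=%s\n' "$fq" "$uid_s" "$uid_f"
        return 2
    elif [ -n "$uid_f" ]; then
        printf 'FQDN-ONLY  %-30s uid=%s, "%s" alone does not resolve\n' "$fq" "$uid_f" "$short"
        return 1
    elif [ -n "$uid_s" ]; then
        printf 'SHORT-ONLY %-30s uid=%s, "%s" does not resolve\n' "$fq" "$uid_s" "$fq"
        return 3
    fi
    printf 'NONE       %-30s neither form resolves\n' "$fq"
    return 4
}

# main USER@DOMAIN...: run check_user for every argument and return the
# worst verdict seen, so the script can be used from cron or a monitor.
main() {
    local arg rc worst=0
    [ $# -gt 0 ] || { echo "usage: $0 user@domain [...]" >&2; return 0; }
    for arg in "$@"; do
        case $arg in
            *@*) ;;
            *) echo "skipping '$arg': expected user@domain" >&2; continue ;;
        esac
        rc=0
        check_user "${arg%%@*}" "${arg#*@}" || rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

main "$@"
```

Because every lookup goes through the lookup wrapper, the same script can be driven with a stub that returns constructed passwd entries to exercise each verdict offline; on a real client it calls getent, and running it periodically against a few users per trusted domain will catch the intermittent flips between short and qualified names that the first message describes.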