I have a setup with 3 clients and a server. The server runs Samba as AD and LDAP + Kerberos. Clients use sss: 1) Fedora with 2.0.0, 2) CentOS with 1.16.0 and 3) CentOS with 1.16.2. All clients use an identical (1:1) sssd.conf. I want sss to use the primary group id from the gidNumber record in LDAP, and I have no issues with the first and second clients. But not the third. I don't understand why, but the primary gid is set equal to the uid. I can't see anything relevant in the logs.
Where to dig?
sssd.conf:

[domain/default]
id_provider = ldap
ldap_uri = ldap://pdc.lkkm/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = dc=pdc,dc=lkkm
ldap_default_bind_dn = <DN>
ldap_default_authtok_type = password
ldap_default_authtok = <password>
ldap_user_search_base = cn=Users,dc=pdc,dc=lkkm
ldap_user_home_directory = unixHomeDirectory
ldap_user_object_class = person
ldap_group_search_base = dc=PosixGroups,dc=pdc,dc=lkkm
ldap_group_object_class = group

auth_provider = krb5
chpass_provider = krb5
krb5_server = pdc.lkkm
krb5_kpasswd = pdc.lkkm
krb5_realm = PDC.LKKM
krb5_store_password_if_offline = False
krb5_ccname_template = KEYRING:persistent:%{uid}
krb5_auth_timeout = 15
On Wed, Jan 16, 2019 at 05:33:41AM -0000, Dmitrij S. Kryzhevich wrote:
> I have a setup with 3 clients and a server. The server runs Samba as AD and LDAP + Kerberos. Clients use sss: 1) Fedora with 2.0.0, 2) CentOS with 1.16.0 and 3) CentOS with 1.16.2. All clients use an identical (1:1) sssd.conf. I want sss to use the primary group id from the gidNumber record in LDAP, and I have no issues with the first and second clients. But not the third. I don't understand why, but the primary gid is set equal to the uid. I can't see anything relevant in the logs.
> Where to dig?

I would start with comparing logs for a 'working' and a 'non-working' client. The config looks OK to me, and in general the plain LDAP provider should only ever generate the gidNumber value if ldap_auto_private_groups is set to True.

> sssd.conf:
>
> [domain/default]
> id_provider = ldap
> ldap_uri = ldap://pdc.lkkm/
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/openldap/cacerts
> ldap_search_base = dc=pdc,dc=lkkm
> ldap_default_bind_dn = <DN>
> ldap_default_authtok_type = password
> ldap_default_authtok = <password>
> ldap_user_search_base = cn=Users,dc=pdc,dc=lkkm
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_object_class = person
> ldap_group_search_base = dc=PosixGroups,dc=pdc,dc=lkkm
> ldap_group_object_class = group
>
> auth_provider = krb5
> chpass_provider = krb5
> krb5_server = pdc.lkkm
> krb5_kpasswd = pdc.lkkm
> krb5_realm = PDC.LKKM
> krb5_store_password_if_offline = False
> krb5_ccname_template = KEYRING:persistent:%{uid}
> krb5_auth_timeout = 15
>
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
Thanks for the answer! There was a local user with the same login. Such a silly reason...
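The cause the thread ends on (a local account with the same login shadowing the LDAP user) is worth checking mechanically on every client, because with the usual `passwd: files sss` order in /etc/nsswitch.conf the local entry wins silently: the uid and gid from /etc/passwd are used, and the gidNumber and password policy from the directory never apply on that host. The POSIX shell script below is an added example, not code from the posters or from the sssd project. Its function names, the two input files and the sample entries (jdoe, alice and their uids) are constructed for the demo; on a real host the two inputs are the output of `getent -s files passwd "$user"` and `getent -s sss passwd "$user"`.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from sssd):
# check whether a login name resolves from the local "files" NSS source as well
# as from sssd. With "passwd: files sss" the local entry wins, so the uid/gid
# from /etc/passwd are used and the gidNumber stored in LDAP is never seen.
#
# Assumptions (mine, not the thread's): both inputs are passwd-format files.
# On a real host produce them with
#   getent -s files passwd "$user" > local.txt
#   getent -s sss   passwd "$user" > sss.txt
# The data written by make_samples is constructed for the demo.

# passwd_field FILE USER N: field N of USER's entry in passwd-format FILE
# (3 = uid, 4 = gid); prints nothing if the user is absent.
passwd_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# check_shadow LOCALFILE SSSFILE USER
# Prints a one-line verdict and returns 0 only when the user comes solely
# from sssd, i.e. no local account can shadow the directory entry:
#   shadowed <local uid> <local gid> <sss uid> <sss gid>
#   local-only <uid> <gid>
#   sss-only <uid> <gid>
#   unknown
check_shadow() {
    cs_luid=$(passwd_field "$1" "$3" 3)
    cs_suid=$(passwd_field "$2" "$3" 3)
    if [ -n "$cs_luid" ] && [ -n "$cs_suid" ]; then
        printf 'shadowed %s %s %s %s\n' "$cs_luid" "$(passwd_field "$1" "$3" 4)" \
            "$cs_suid" "$(passwd_field "$2" "$3" 4)"
        return 1
    elif [ -n "$cs_luid" ]; then
        printf 'local-only %s %s\n' "$cs_luid" "$(passwd_field "$1" "$3" 4)"
        return 1
    elif [ -n "$cs_suid" ]; then
        printf 'sss-only %s %s\n' "$cs_suid" "$(passwd_field "$2" "$3" 4)"
        return 0
    fi
    echo unknown
    return 1
}

# make_samples DIR: write constructed sample data (stand-ins for /etc/passwd and
# for `getent -s sss passwd` output) into DIR/passwd and DIR/sss.
make_samples() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'jdoe:x:1001:1001:hand-made local account:/home/jdoe:/bin/bash' \
        > "$1/passwd"
    printf '%s\n' \
        'jdoe:*:10005:10100:John Doe (from LDAP):/home/jdoe:/bin/bash' \
        'alice:*:10006:10100:Alice (from LDAP):/home/alice:/bin/bash' \
        > "$1/sss"
}

# demo: run the check for every login seen in either source.
demo() {
    demo_dir=$(mktemp -d) || return 1
    make_samples "$demo_dir"
    for u in $(cut -d: -f1 "$demo_dir/passwd" "$demo_dir/sss" | sort -u); do
        printf '%-8s ' "$u"
        check_shadow "$demo_dir/passwd" "$demo_dir/sss" "$u" || :
    done
    rm -rf "$demo_dir"
    return 0
}

demo
```

In the demo, jdoe is reported as `shadowed 1001 1001 10005 10100`: the host will use uid 1001 and primary gid 1001 (the "gid equals uid" symptom from the thread), not the 10100 that LDAP publishes. The quick manual equivalent is to compare `id jdoe` with `getent -s sss passwd jdoe`; if they differ, look at `getent -s files passwd jdoe` and the `passwd:` line in /etc/nsswitch.conf. A stray local account is not only a gid problem: it also bypasses whatever lockout, expiry and password policy the directory enforces, so removing it (or renaming it) is the right fix rather than reordering nsswitch.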