Hi Folks
In our project, there is already one legacy OpenLDAP server running. We manage the users and groups with posixAccount and posixGroup.
Recently, we set up SSH LDAP integration with sssd; we can log in to the Linux box with LDAP user credentials, so far so good. Except one thing: we found there are some group names that are too long (longer than 32 characters), which violates the 32-character Unix group name length constraint according to the "groupadd" man page.
We can't modify the attribute "cn" of posixGroup since it's already used in another integrated system. So I'm wondering, is there any way to map the Unix group name to something else, rather than the default attribute "cn"? I did search the sssd conf manual and found nothing, so I'd like to consult you here.
Thanks & Best Regards!
/// (. .) --------ooO--(_)--Ooo-------- | Nick Tan | ------------------------------------
On 07/31/2014 09:56 PM, XuQing Tan wrote:
see man sssd-ldap
ldap_group_name (string)
    The LDAP attribute that corresponds to the group name.
    Default: cn

-- Thank you, Dmitri Pal
Sr. Engineering Manager IdM portfolio Red Hat, Inc.
Hi
I set ldap_group_name = description in the sssd domain section (I want to map to 'description' rather than 'cn'). I cleaned the sssd cache file and restarted the sssd service. When I typed "id <user_id>", it still displayed the group name as the "cn".
I'm using sssd 1.9.2 on CentOS 6.3:
[root]# rpm -qa|grep sssd
sssd-client-1.9.2-129.el6_5.4.x86_64
sssd-1.9.2-129.el6_5.4.x86_64
Is it a defect?
Thanks & Best Regards!
/// (. .) --------ooO--(_)--Ooo-------- | Nick Tan | ------------------------------------
On Fri, Aug 1, 2014 at 10:03 AM, Dmitri Pal dpal@redhat.com wrote:
see man sssd-ldap
ldap_group_name (string) The LDAP attribute that corresponds to the group name. Default: cn
On Sat, Aug 02, 2014 at 07:28:53AM +0800, XuQing Tan wrote:
Hard to tell without seeing the configuration and domain and sssd logs with debug_level=6 or higher.
Hi
Sorry for coming back late.
One correction: it's OK to define a long group name in the "cn" of objectClass posixGroup; it won't lead to any issue when logging the user in via the sssd LDAP integration.
But I have another thing I want to confirm: I set "ldap_group_name = description", and set the value of "description" different from "cn", for example:
cn=my-testing-group-at-world-wide-space
description=test-group
The command "id nick" outputs:
uid=15001(nick) gid=20000(my-testing-group-at-world-wide-space) groups=20000(my-testing-group-at-world-wide-space)
It still uses the value of "cn".
But if I set
access_provider = simple
# specify the long group name (as in 'cn')
simple_allow_groups = my-testing-group-at-world-wide-space
the user 'nick' can't log in (with the error message "incorrect password").
If I set
access_provider = simple
# specify the short group name (as in 'description')
simple_allow_groups = test-group
the user 'nick' can log in now.
So it looks like there is some mismatch.
Thanks & Best Regards!
/// (. .) --------ooO--(_)--Ooo-------- | Nick Tan | ------------------------------------
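The option Dmitri points to (ldap_group_name) and the mismatch Nick describes between the "id" output and simple_allow_groups come together in the check below. It is an added example, not code from the thread or from the sssd project: it reads ldap_group_name and simple_allow_groups from an sssd.conf, derives the group names sssd will use from an LDIF export of the posixGroup entries, and reports allow-list entries that match only cn. The sssd.conf fragment, the LDIF, and the helper names sssd_opt, ldif_group_names and check_allow_groups are constructed for this example; the long and short group names follow the thread, the second group and both GIDs are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from the sssd project: check that
# each entry in simple_allow_groups names a group as sssd will see it, i.e. by
# the attribute set in ldap_group_name, not by cn. Both input files below are
# constructed for this example; the DNs, GIDs and the second group are made up.

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sssd.conf: the configuration the thread describes, with the
# allow list still written against cn.
cat > "$tmp/sssd.conf" <<'EOF'
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = o=example.com
ldap_group_name = description
access_provider = simple
simple_allow_groups = my-testing-group-at-world-wide-space, test-group
EOF

# Constructed LDIF export of the posixGroup entries (ldapsearch output). The
# second group has no description, so with ldap_group_name = description a
# filter of the form (objectClass=posixGroup)(description=*) never returns it.
cat > "$tmp/groups.ldif" <<'EOF'
dn: cn=my-testing-group-at-world-wide-space,ou=Groups,o=example.com
objectClass: posixGroup
cn: my-testing-group-at-world-wide-space
gidNumber: 20000
description: test-group
memberUid: nick

dn: cn=admins-with-a-very-long-descriptive-name,ou=Groups,o=example.com
objectClass: posixGroup
cn: admins-with-a-very-long-descriptive-name
gidNumber: 20001
memberUid: alice
EOF

# sssd_opt <conf> <key>: value of <key> in the [domain/...] section.
sssd_opt() {
    awk -v key="$2" '
        /^\[/ { indomain = ($0 ~ /^\[domain\//) }
        indomain && $1 == key && $2 == "=" {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# ldif_group_names <ldif> <attr>: the <attr> value of every posixGroup entry
# that has one, one per line. Entries without the attribute are skipped,
# mirroring the (<attr>=*) term sssd puts in its group search filter.
ldif_group_names() {
    awk -v attr="$2" '
        function flush() { if (isgrp && name != "") print name; isgrp = 0; name = "" }
        /^$/ { flush(); next }
        {
            i = index($0, ":"); if (i == 0) next
            k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1)
            sub(/^[ \t]+/, "", v)
            if (k == "objectclass" && tolower(v) == "posixgroup") isgrp = 1
            if (k == tolower(attr)) name = v
        }
        END { flush() }
    ' "$1"
}

# check_allow_groups <conf> <ldif>: 0 if every simple_allow_groups entry is a
# group name under ldap_group_name; 1 otherwise, naming the entries that only
# match cn (the mismatch reported in the thread) or match nothing at all.
check_allow_groups() {
    attr=$(sssd_opt "$1" ldap_group_name); [ -n "$attr" ] || attr=cn
    mapped=$(ldif_group_names "$2" "$attr")
    cns=$(ldif_group_names "$2" cn)
    rc=0
    for g in $(sssd_opt "$1" simple_allow_groups | tr ',' ' '); do
        if printf '%s\n' "$mapped" | grep -qxF -- "$g"; then
            echo "ok: $g is a group name under $attr"
        elif printf '%s\n' "$cns" | grep -qxF -- "$g"; then
            echo "MISMATCH: $g is the cn, not the $attr, of a group; sssd will not match it"
            rc=1
        else
            echo "MISSING: $g is neither the $attr nor the cn of any posixGroup"
            rc=1
        fi
    done
    return $rc
}

if check_allow_groups "$tmp/sssd.conf" "$tmp/groups.ldif"; then
    echo "simple_allow_groups is consistent with ldap_group_name"
else
    echo "fix simple_allow_groups (or ldap_group_name) before relying on access_provider = simple"
fi
```

The point of the check is that the simple access provider decides on the name sssd itself resolved, so the allow list has to be written in terms of ldap_group_name; whatever another NSS source prints for "id" is irrelevant to that decision. A group that lacks the mapped attribute is not a second-class entry but invisible to sssd, because the search filter (visible in the domain log Jakub quotes later in the thread) requires the attribute to be present.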
I cleaned the cache:
sudo service sssd stop
rm -f /var/lib/sss/db/cache_*.ldb
sudo service sssd start
but got the same result; it still displays the "cn" as the group name in the command output.
Thanks & Best Regards!
/// (. .) --------ooO--(_)--Ooo-------- | Nick Tan | ------------------------------------
On Fri, Aug 8, 2014 at 4:12 PM, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
On Fri, 8 Aug 2014, XuQing Tan wrote:
so looks like there is some mismatch.
I reckon you've not cleared the cache. Do you get the same result after doing:
sss_cache -E
jh
On Fri, Aug 08, 2014 at 04:30:13PM +0800, XuQing Tan wrote:
Can you also attach the domain logs?
Put debug_level=7 into the [nss] and [domain] sections, restart sssd, run your test and then attach the logs.
The option mappings are visible right after SSSD starts.
Hi Jakub
Attached is the sssd domain log; in the log I only saw the short group name "test-group". The command "id nick" outputs:
uid=15001(nick) gid=20000(my-testing-group-at-world-wide-space) groups=20000(my-testing-group-at-world-wide-space)
Thanks
Thanks & Best Regards!
/// (. .) --------ooO--(_)--Ooo-------- | Nick Tan | ------------------------------------
On Sat, Aug 09, 2014 at 07:44:58AM +0800, XuQing Tan wrote:
Thanks for the logs, they seem about right to me:
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base [ou=Groups,o=example.com]
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=nick)(objectclass=posixGroup)(description=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=Groups,o=example.com].
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [description]
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 4
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x11b1a80], connected[1], ops[0x126ecc0], ldap[0x11b1f80]
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x11b1a80], connected[1], ops[0x126ecc0], ldap[0x11b1f80]
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [description]
(Fri Aug 8 23:39:17 2014) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
You can see that the description attribute was requested. I will run a local test first, perhaps we can proceed with some more debugging then.
On Mon, Aug 11, 2014 at 09:03:17AM +0200, Jakub Hrozek wrote:
Sorry, works for me fine here. Are you sure you don't have a group with the same GID on the system in /etc/group or in another domain?
Can you run a more isolated test?
service sssd stop
rm -f /var/lib/sss/db/cache_*
service sssd start
getent group -s -sss $groupname_in_description
If you still don't see the groupname you'd expect, can you examine the cache?
yum -y install ldb-tools
ldbsearch -H /var/lib/sss/db/cache_$domain.ldb objectclass=group
The last command should show the group entry exactly as stored in the cache.
Hi Jakub
Here is the output:
[root@10-0-0-84 ~]# ldbsearch -H /var/lib/sss/db/cache_hp.com.ldb objectclass=group
asq: Unable to register control with rootdse!
# returned 0 records
# 0 entries
# 0 referrals
[root@10-0-0-84 ~]# id nick@example.com
uid=15001(xiao-liang.xu) gid=20000(my-testing-group-at-world-wide-space) groups=20000(my-testing-group-at-world-wide-space)
[root@10-0-0-84 ~]# getent group -s -sss test-group
[root@10-0-0-84 ~]#
[root@10-0-0-84 ~]# ssh -l nick@example.com localhost
Password:
nick@example.com@localhost's password:
Connection closed by ::1
[root@10-0-0-84 ~]#
The "Connection closed by..." is because of the sssd conf:
access_provider = simple
# specify the long group name (as in 'cn')
simple_allow_groups = my-testing-group-at-world-wide-space
Thanks & Best Regards!
/// (. .) --------ooO--(_)--Ooo-------- | Nick Tan | ------------------------------------
On Mon, Aug 11, 2014 at 05:12:26PM +0800, XuQing Tan wrote:
[root@10-0-0-84 ~]# ldbsearch -H /var/lib/sss/db/cache_hp.com.ldb objectclass=group
asq: Unable to register control with rootdse!
# returned 0 records
# 0 entries
# 0 referrals
This is really strange, because this means no groups at all are present in the cache..
[root@10-0-0-84 ~]# id nick@example.com
uid=15001(xiao-liang.xu) gid=20000(my-testing-group-at-world-wide-space) groups=20000(my-testing-group-at-world-wide-space)
[root@10-0-0-84 ~]# getent group -s -sss test-group
Can you send the corresponding nss and domain logs for this lookup?
Are you really sure the results of id are coming from sssd? Are you sure there is no other module preceding sss in nsswitch.conf or the same user in UNIX files?
Hi Jakub
Attached are the log files, and below is the command sequence:
[root@10-0-0-84 ~]# service sssd stop
Stopping sssd: [ OK ]
[root@10-0-0-84 ~]# rm -f /var/lib/sss/db/cache_*.ldb
[root@10-0-0-84 ~]# service sssd start
Starting sssd: [ OK ]
[root@10-0-0-84 ~]# id nick@example.com
uid=15001(nick) gid=20000(my-testing-group-at-world-wide-space) groups=20000(my-testing-group-at-world-wide-space)
[root@10-0-0-84 ~]# getent group -s -sss my-testing-group-at-world-wide-space
[root@10-0-0-84 ~]# getent group -s -sss test-group
[root@10-0-0-84 ~]#
Thanks & Best Regards!
/// (. .) --------ooO--(_)--Ooo-------- | Nick Tan | ------------------------------------
On Tue, Aug 12, 2014 at 02:17:29PM +0800, XuQing Tan wrote:
[root@10-0-0-84 ~]# service sssd stop
Stopping sssd: [ OK ]
[root@10-0-0-84 ~]# rm -f /var/lib/sss/db/cache_*.ldb
[root@10-0-0-84 ~]# service sssd start
Starting sssd: [ OK ]
[root@10-0-0-84 ~]# id nick@example.com
uid=15001(nick) gid=20000(my-testing-group-at-world-wide-space) groups=20000(my-testing-group-at-world-wide-space)
I see this request in the logs
[root@10-0-0-84 ~]# getent group -s -sss my-testing-group-at-world-wide-space
[root@10-0-0-84 ~]# getent group -s -sss test-group
[root@10-0-0-84 ~]#
But not these. What does your /etc/nsswitch.conf look like?
Can you re-send yet again with just the getent group requests, without the id request?
Does getent group -s files 20000 return anything?
Can you strace the getent group -s sss command?
On (12/08/14 14:17), XuQing Tan wrote:
[root@10-0-0-84 ~]# getent group -s -sss test-group
                                    ^ this character should not be there
sh-4.2$ getent passwd -s -sss usersssd01
sh-4.2$ echo $?
2
sh-4.2$ getent passwd -s sss usersssd01
usersssd01:*:325600011:325600011:sssd user:/home/usersssd01/:/bin/sh
LS
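Jakub's question about other modules preceding sss in nsswitch.conf and Lukas's correction of the getent syntax can both be checked from the command line before the next round of logs. The following is an added example, not code from the thread or from the sssd project: it lists the NSS sources consulted before sss for a given database from a copy of nsswitch.conf (answers from those sources show up in "id" without anything reaching sssd's logs or cache), and wraps the correct "getent ... -s sss" form. The nsswitch.conf it reads is constructed here, with an assumed "ldap" source in front of sss that the thread never confirms; the function names nss_sources, nss_before_sss and sss_lookup are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the sssd project. It reports
# which NSS sources are consulted before sss for each database, and wraps the
# correct getent invocation for querying sssd alone. The nsswitch.conf below
# is constructed for this example; its "ldap" entries are an assumed setup.

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed sample: an older nss_ldap setup left in place next to sssd
passwd:     files ldap sss
shadow:     files sss
group:      files ldap sss
hosts:      files mdns4_minimal [NOTFOUND=return] dns
netgroup:   sss
EOF

# nss_sources <nsswitch.conf> <db>: the sources for <db> in lookup order,
# space separated, with comments and [action=...] clauses dropped.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }
        $1 == (db ":") {
            s = ""
            for (i = 2; i <= NF; i++) if ($i !~ /^\[/) s = s (s == "" ? "" : " ") $i
            print s; exit
        }
    ' "$1"
}

# nss_before_sss <nsswitch.conf> <db>: the sources that precede sss for <db>,
# one per line. Returns 1 (after listing every source) when sss is not
# configured for that database at all.
nss_before_sss() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = sss ] && return 0
        printf '%s\n' "$src"
    done
    echo "sss is not configured for $2" >&2
    return 1
}

# sss_lookup <passwd|group> <name>: ask sssd only, bypassing the other sources.
# The option is "-s sss". With "-s -sss", as typed in the thread, getent takes
# "-sss" as the service name; Lukas's transcript above shows it then prints
# nothing and exits 2.
sss_lookup() {
    getent "$1" -s sss "$2"
}

for db in passwd group; do
    ahead=$(nss_before_sss "$tmp/nsswitch.conf" "$db" 2>/dev/null | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$ahead" ]; then
        echo "$db: sources ahead of sss: $ahead (an 'id' answer may come from them, not sssd)"
    else
        echo "$db: sss answers first"
    fi
done
```

When a source such as files or ldap sits in front of sss for passwd or group, "id" can print a group name taken from that source while the same lookup through "getent group -s sss" returns nothing, which is the combination seen in the transcripts above; compare the two before reading more sssd logs.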