We have integrated SUSE Linux (version 11, patch level 2) with Microsoft Active Directory (AD) using the SSSD utility (version 1.9.4) to make AD groups available to the Linux OS subsystem (we do not use SSSD for authentication).
We have added "sss" as the source for "passwd", "group" and "shadow" in the "/etc/nsswitch.conf" file.
We are facing some inconsistency issues with SSSD while fetching user/group information through the "id" command. It appears that we face this inconsistency only while SSSD interacts with a Windows Server 2008 R2 based Domain Controller, and not while SSSD interacts with a Windows Server 2003 R2 based Domain Controller.
Please find the response/output from Linux host (terminal) as below:
1) For Windows Server 2008 R2 based Domain Controller:

controller@indelappvm02:~> id user_hadoop_3001
uid=2763510(user_hadoop_3001) gid=100513(Domain Users) groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),2115887,2812298(Mygroups-hadoop-DAS_ANALYST),2812208(Mygroups-hadoop-CV_US),2809985(Mygroups-hadoop-DB_TICKET),2816149(Mygroups-hadoop-TLM),2827118(Mygroups-hadoop-DAS_ALL),2819228(Mygroups-hadoop-IMAGINE_GED_LON),2820642(Mygroups-hadoop-IMHOTEP),2812212(Mygroups-hadoop-OPEX),2024985,2356240,2358411,2100126,2115932,2099968,2337579,1743308,1463380,2100236,1881724,1707456

As can be seen above, certain GIDs are displayed though these are not relevant to the user.

2) For Windows Server 2003 R2 based Domain Controller:

controller@indelappvm02:~> id user_hadoop_3001
uid=2763510(user_hadoop_3001) gid=100513(Domain Users) groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),2812208(Mygroups-hadoop-CV_US),2819228(Mygroups-hadoop-IMAGINE_GED_LON),2827118(Mygroups-hadoop-DAS_ALL),2812298(Mygroups-hadoop-DAS_ANALYST),2809985(Mygroups-hadoop-DB_TICKET),2816149(Mygroups-hadoop-TLM),2820642(Mygroups-hadoop-IMHOTEP),2812212(Mygroups-hadoop-OPEX)
Below is the configuration of /etc/sssd/sssd.conf
##############################################################
[sssd]
debug_level = 5
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 10
services = nss,pam
domains = mytest

[nss]
debug_level = 5
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
debug_level = 0
reconnection_retries = 3
offline_credentials_expiration = 0
offline_failed_login_attempts = 0
offline_failed_login_delay = 5

[domain/local]
id_provider = local
min_id = 1
max_id = 499
enumerate = False

[domain/mytest]
debug_level = 9
description = Kerberos 5 domain with Active Directory servers
id_provider = ldap
auth_provider = krb5
access_provider = ldap
min_id = 500
enumerate = False
timeout = 10
cache_credentials = True
entry_cache_timeout = 300
krb5_canonicalize = False

# General -----------------------
# LDAP
ldap_uri = ldap://inddelvm25.mytest.com
ldap_default_authtok_type = password
ldap_default_bind_dn = linux@mytest.com
ldap_default_authtok = *******

ldap_id_mapping = True
ldap_user_objectsid = objectSid
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 2000000000

ldap_access_filter = (cn=*)
ldap_user_search_base = DC=mytest,DC=com
ldap_group_search_base = DC=mytest,DC=com?subtree?(|(CN=Mygroups-hadoop-*)(CN=Domain Users))
ldap_referrals = False
ldap_search_timeout = 20
ldap_network_timeout = 20

# KRB5
chpass_provider = krb5
ldap_force_upper_case_realm = True
krb5_server = inddelvm25.mytest.com
krb5_realm = mytest.com
krb5_store_password_if_offline = True
krb5_auth_timeout = 15

# Mapping --------------------
ldap_schema = ad
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_group_name = sAMAccountName
ldap_id_use_start_tls = False
krb5_kdcip = inddelvm25.mytest.com
##############################################################
When we set debug_level = 5, we get errors like "range maximum exceeds the global maximum" and "no free slices" in the situations where SSSD returns the wrong results. When the right results are returned, there are no errors.
Would appreciate your inputs on this issue.
Best Regards, Prajwal Kumar
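The ldap_idmap_range_* parameters in the posted sssd.conf describe an autorid-style layout: the range [range_min, range_max) is cut into slices of range_size, each domain SID owns one slice, and an object's ID is range_min + slice * range_size + RID (the documented defaults give (2000200000 - 200000) / 200000 = 10000 slices). The Python model below is an added illustration, not SSSD's code: it hands slices out in first-seen order (real SSSD hashes the domain SID into the slice space) and uses constructed SIDs; with the posted values it yields exactly one slice, so Domain Users (RID 513) maps to 100513 as in the output above and any second domain SID finds no free slice.

```python
"""Added model of the autorid-style layout described by SSSD's
ldap_idmap_range_* parameters; not SSSD's own implementation."""
from dataclasses import dataclass, field


class NoFreeSlices(Exception):
    """Every slice in the configured ID range is already assigned."""


@dataclass
class IdMapRange:
    range_min: int
    range_max: int
    range_size: int
    # Simplification: SSSD hashes the domain SID into the slice space; this
    # model hands slices out in first-seen order, which is enough to show
    # how many domains a given range can hold.
    slices: dict = field(default_factory=dict)

    def slice_count(self) -> int:
        # Same arithmetic as the documented defaults:
        # (2000200000 - 200000) / 200000 = 10000 slices.
        return (self.range_max - self.range_min) // self.range_size

    def sid_to_id(self, sid: str) -> int:
        domain_sid, rid = sid.rsplit("-", 1)
        if domain_sid not in self.slices:
            if len(self.slices) >= self.slice_count():
                raise NoFreeSlices(f"no free slice for {domain_sid}")
            self.slices[domain_sid] = len(self.slices)
        return self.range_min + self.slices[domain_sid] * self.range_size + int(rid)


def map_all(rng: IdMapRange, sids: list) -> dict:
    """Map each SID, recording None where the range has no slice left."""
    out = {}
    for sid in sids:
        try:
            out[sid] = rng.sid_to_id(sid)
        except NoFreeSlices:
            out[sid] = None
    return out


# Constructed SIDs: a made-up domain SID with the well-known Domain Users
# RID 513, and BUILTIN\Administrators (S-1-5-32-544) as a second domain.
SAMPLE_SIDS = ["S-1-5-21-1111111111-2222222222-3333333333-513", "S-1-5-32-544"]

if __name__ == "__main__":
    posted = IdMapRange(100000, 2000100000, 2000000000)  # values from the thread
    default = IdMapRange(200000, 2000200000, 200000)     # sssd.conf defaults
    print(posted.slice_count(), map_all(posted, SAMPLE_SIDS))   # 1 slice, second SID -> None
    print(default.slice_count(), map_all(default, SAMPLE_SIDS))
```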
On Wed, Sep 24, 2014 at 01:08:03AM +0530, Prajwal Kumar wrote:
> We have integrated SUSE Linux (version 11, patch level 2) with Microsoft Active Directory (AD) using the SSSD utility (version 1.9.4) to make AD groups available to the Linux OS subsystem (we do not use SSSD for authentication).
> We have added "sss" as the source for "passwd", "group" and "shadow" in the "/etc/nsswitch.conf" file.
> We are facing some inconsistency issues with SSSD while fetching user/group information through the "id" command. It appears that we face this inconsistency only while SSSD interacts with a Windows Server 2008 R2 based Domain Controller, and not while SSSD interacts with a Windows Server 2003 R2 based Domain Controller.
The fact that you're seeing the bug with 2008 but not with 2003 indicates this is a bug in the tokenGroups processing (we only support TGs with 2008 and later).

I would suggest upgrading to 1.9.6 or, even better, to 1.11.x. There have been quite a few fixes in 1.9.5 and 1.9.6:
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.5
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.6

Alternatively, you can use:
    ldap_schema = rfc2307bis
instead of:
    ldap_schema = ad

Unfortunately, in the version you're running there's no way to disable tokengroups.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users