I'm trying to integrate SUSE Linux (version 11 Patch level 2) with Microsoft Active Directory (AD) using the SSSD version 1.9.4 for making AD groups available to the Linux OS subsystem (SSSD is not used for authentication).
I've added the "sss" as a source for "passwd", "group", "shadow" within the "/etc/nsswitch.conf" file.
I'm seeing SSSD return inconsistent results while fetching the User/Group information through "id" / "getent" commands. It appears that we are facing this inconsistency only while SSSD interacts with Domain Controller with version Windows Server 2008 R2, and not while SSSD is interacting with Windows Server 2003 R2 based domain controller.
Please find the response/output from Linux host (terminal) as below:
1) For Windows Server 2008 R2 based Domain Controller

controller@indelappvm02:~> id user_hadoop_3001
uid=2763510(user_hadoop_3001) gid=100513(Domain Users) groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),2115887,2812298(Mygroups-hadoop-DAS_ANALYST),2812208(Mygroups-hadoop-CV_US),2809985(Mygroups-hadoop-DB_TICKET),2816149(Mygroups-hadoop-TLM),2827118(Mygroups-hadoop-DAS_ALL),2819228(Mygroups-hadoop-IMAGINE_GED_LON),2820642(Mygroups-hadoop-IMHOTEP),2812212(Mygroups-hadoop-OPEX),2024985,2356240,2358411,2100126,2115932,2099 968,2337579,1743308,1463380,2100236,1881724,1707456
As can be seen above, certain GIDs are displayed though these are not relevant to the user. When I query the same user again in the same session, I get the correct results without the additional GIDs. The problem re-appears when the cache has been cleared and the command is re-run.
2) For Windows Server 2003 R2 based Domain Controller

controller@indelappvm02:~> id user_hadoop_3001
uid=2763510(user_hadoop_3001) gid=100513(Domain Users) groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),2812208(Mygroups-hadoop-CV_US),2819228(Mygroups-hadoop-IMAGINE_GED_LON),2827118(Mygroups-hadoop-DAS_ALL),2812298(Mygroups-hadoop-DAS_ANALYST),2809985(Mygroups-hadoop-DB_TICKET),2816149(Mygroups-hadoop-TLM),2820642(Mygroups-hadoop-IMHOTEP),2812212(Mygroups-hadoop-OPEX)
The results are always accurate.
Would appreciate your inputs in helping solve this problem in case you have encountered this in your environment.
SSSD config is attached.
Regards, Prajwal
On Wed, Sep 24, 2014 at 10:20:41AM +0530, Prajwal Kumar wrote:
> I'm trying to integrate SUSE Linux (version 11 Patch level 2) with Microsoft Active Directory (AD) using the SSSD version 1.9.4 for making AD groups available to the Linux OS subsystem (SSSD is not used for authentication).
> I've added the "sss" as a source for "passwd", "group", "shadow" within the "/etc/nsswitch.conf" file.
> I'm seeing SSSD return inconsistent results while fetching the User/Group information through "id" / "getent" commands. It appears that we are facing this inconsistency only while SSSD interacts with Domain Controller with version Windows Server 2008 R2, and not while SSSD is interacting with Windows Server 2003 R2 based domain controller.
Hi,
I answered yesterday already to another e-mail of yours, see the reply at: https://lists.fedorahosted.org/pipermail/sssd-users/2014-September/002214.ht...
(tl;dr - 1.9.4 is not supported upstream and contains known bugs, please upgrade)
sssd-users@lists.fedorahosted.org
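
A check for the symptom reported in this thread, as an added example that is not part of the original messages: it parses two `id` outputs (for instance one taken right after the cache was cleared and one from a repeat query) and reports GIDs that came back without a name or that appear in only one run. The sample strings are constructed, abridged from the output in the post, and the function names are hypothetical.

```python
import re

# groups= field of id(1): comma-separated "gid(name)" or bare "gid" entries.
# Assumption: group names contain no ")" character.
_GROUPS = re.compile(r"groups=((?:\d+(?:\([^)]*\))?,?)+)")
_ENTRY = re.compile(r"(\d+)(?:\(([^)]*)\))?")


def parse_id_groups(id_output):
    """Return {gid: name or None} from the groups= field of `id` output."""
    field = _GROUPS.search(id_output)
    if field is None:
        raise ValueError("no groups= field in id output")
    return {int(m.group(1)): m.group(2)
            for m in _ENTRY.finditer(field.group(1))}


def compare_runs(first, second):
    """Compare two `id` outputs for the same user.

    A bare GID means the name service returned a membership it could not
    map to a group name; a GID present in only one run means the answer
    changed between queries.
    """
    a, b = parse_id_groups(first), parse_id_groups(second)
    return {
        "unresolved_first": sorted(g for g, n in a.items() if n is None),
        "unresolved_second": sorted(g for g, n in b.items() if n is None),
        "only_first": sorted(set(a) - set(b)),
        "only_second": sorted(set(b) - set(a)),
    }


# Constructed samples, abridged from the output quoted in the post.
COLD_CACHE = ("uid=2763510(user_hadoop_3001) gid=100513(Domain Users) "
              "groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),"
              "2115887,2812298(Mygroups-hadoop-DAS_ANALYST),2024985")
WARM_CACHE = ("uid=2763510(user_hadoop_3001) gid=100513(Domain Users) "
              "groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),"
              "2812298(Mygroups-hadoop-DAS_ANALYST)")

if __name__ == "__main__":
    for key, gids in compare_runs(COLD_CACHE, WARM_CACHE).items():
        print(key, gids)
```

Any non-empty list is worth recording before and after the upgrade, since supplementary GIDs feed file-permission and sudo decisions on the host.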