On Fri, Apr 19, 2013 at 07:39:52AM +0200, steve wrote:
Hi
Test performed using domain group staff (there is no local group called staff). User steve3 is not a member of staff.
Hi steve,
thank you for the patience.
method: On the client:
- steve3 logs in
- id
- logs out
On the DC
- sudo samba-tool group addmembers staff steve3
- confirm: sudo samba-tool group listmembers staff
check: steve3 has a member attribute under the DN for staff
Back on the client
- steve3 logs in
- id
- getent group staff
- logs out
- sudo service sssd stop
- tar made of the log files
This is an absolutely valid test and one that our QE performs regularly when qualifying a new release.
result: On the second login, id shows that steve3 is not recognised as a staff group member.
conclusion: sssd has not read the user information from LDAP
And the reason seems to be an SSSD crash after referrals from the Samba DC have been chased, so the new group information *has* been requested, but the request never ran to completion. I don't think we did much (if any) testing against a Samba 4 DC, so it's entirely possible the server is behaving in some strange way the client doesn't expect.
Can you try getting a core file using the tips me and Timo Aaltonen gave earlier in the thread?
As a temporary workaround, you can try setting ldap_referrals = False in sssd.conf to stop sssd from chasing referrals.
The logs at debug_level = 9 are here: https://dl.dropboxusercontent.com/u/45150875/sssd.client.log.tar
Thanks, the logs have been very helpful.
Please note that entry_cache_timeout has no effect on these findings
/etc/sssd/sssd.conf
[sssd]
debug_level = 9
services = nss, pam
config_file_version = 2
domains = default

[nss]
debug_level = 9

[pam]
debug_level = 9

[domain/default]
debug_level = 9
ldap_schema = rfc2307bis
access_provider = simple
enumerate = FALSE
#entry_cache_timeout = 10
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = DOLORES.SITE
krb5_server = doloresdc.dolores.site
krb5_kpasswd = doloresdc.dolores.site

ldap_uri = ldap://doloresdc.dolores.site/
ldap_search_base = dc=dolores,dc=site
#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=dolores,dc=site
ldap_group_name = cn
ldap_group_member = member

ldap_sasl_mech = gssapi
ldap_sasl_authid = ALGORFA$
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
Thanks for your time, Steve
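The client-side part of the reproduction steps quoted above (id and getent group after the second login), plus a check for the ldap_referrals = False workaround mentioned in the reply, as an added shell example. It is not code from the thread or from the SSSD project; the user name steve3, the group staff and the path /etc/sssd/sssd.conf are taken from the messages above, and the parsing functions accept captured command output so they can be exercised with constructed input on a machine that is not joined to the test domain.

```shell
#!/bin/sh
# Added example, not from the thread: automates the client-side checks from the
# reproduction steps (id, getent group) and checks an sssd.conf for the
# ldap_referrals workaround. Assumed names: user steve3, group staff (from the
# thread); the parsing functions take captured command output so they can be
# exercised offline with constructed input.

# user_in_id_output "<output of: id -Gn USER>" GROUP
# Exit 0 if GROUP appears in the space-separated list printed by `id -Gn`.
# Caveat: group names containing spaces (e.g. "domain users") cannot be parsed
# this way; compare numeric GIDs from `id -G` instead in that case.
user_in_id_output() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qxF -- "$2"
}

# user_in_getent_line "<output of: getent group GROUP>" USER
# Exit 0 if USER is listed in the fourth (member list) field of the entry.
user_in_getent_line() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | grep -qxF -- "$2"
}

# referrals_disabled CONF_FILE
# Exit 0 if CONF_FILE contains an uncommented "ldap_referrals = False" line
# (the temporary workaround suggested in the reply). Case and spacing around
# '=' are tolerated; a commented-out line does not count.
referrals_disabled() {
    grep -Eiq '^[[:space:]]*ldap_referrals[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$1"
}

# check_membership USER GROUP
# Runs the live lookups and reports whether the initgroups path (id) and the
# group lookup path (getent group) agree. Returns 0 only if both list the user,
# 1 if either does not, 2 if the user or group cannot be resolved at all.
check_membership() {
    user=$1
    group=$2
    id_out=$(id -Gn "$user" 2>/dev/null) || { echo "id: cannot resolve user $user"; return 2; }
    gr_out=$(getent group "$group") || { echo "getent: group $group not found"; return 2; }
    rc=0
    if user_in_id_output "$id_out" "$group"; then
        echo "id -Gn $user: member of $group"
    else
        echo "id -Gn $user: NOT a member of $group"
        rc=1
    fi
    if user_in_getent_line "$gr_out" "$user"; then
        echo "getent group $group: lists $user"
    else
        echo "getent group $group: does NOT list $user"
        rc=1
    fi
    return "$rc"
}

# Usage: sh check_membership.sh steve3 staff [/etc/sssd/sssd.conf]
# Run it as the client-side "id" / "getent group staff" step after the second
# login; a non-zero exit reproduces the result described in the thread.
if [ "$#" -ge 2 ]; then
    check_membership "$1" "$2"
    status=$?
    if [ "$#" -ge 3 ]; then
        if referrals_disabled "$3"; then
            echo "$3: ldap_referrals is disabled (workaround applied)"
        else
            echo "$3: ldap_referrals not disabled (sssd will chase referrals)"
        fi
    fi
    exit "$status"
fi
```

The two parsers are kept separate on purpose: `id -Gn` exercises the NSS initgroups lookup that SSSD refreshes at login, while `getent group` exercises the group-by-name lookup, and the thread's symptom is precisely that the two can disagree after a membership change on the DC.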