Hi all,

I wonder if it's possible to get a little help with debugging the config of my sssd.conf for nested group membership.

We're using LDAP (provided via an AD 2003 forest and the SFU schema) and Kerberos. It works fine with nss_ldap on RHEL and returns all groups a user is a memberOf.


The following msSFU attributes are used (although not populated for all users and groups):

#Users
msSFU30UidNumber
msSFU30GidNumber
msSFU30HomeDirectory
msSFU30LoginShell

#Group
msSFU30GidNumber


Our sssd.conf (sanitised) is the following:

[domain/default]
description = LDAP domain with AD server

# identity from LDAP; authentication and password changes via Kerberos
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = True

# plain ldap:// with start_tls off: the bind password below crosses the wire in clear text
ldap_schema = rfc2307
ldap_id_use_start_tls = False
ldap_uri = ldap://SUB.DOMAIN.COM/
ldap_search_base = dc=SUB,dc=DOMAIN,dc=COM

ldap_default_bind_dn = BINDUSER@SUB
ldap_default_authtok_type = password
ldap_default_authtok = PASSWORD

# user attribute mapping (AD object class plus msSFU30 POSIX attributes)
ldap_user_object_class = user
ldap_user_search_base = OU=SITEUsers,DC=SUB,DC=DOMAIN,DC=COM
ldap_user_name = sAMAccountName
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_fullname = displayName
ldap_user_gecos = displayName
ldap_user_member_of = memberOf

# group attribute mapping
ldap_group_search_base = OU=SITEGroups,DC=SUB,DC=DOMAIN,DC=COM
ldap_group_object_class = group
ldap_group_name = cn
ldap_group_gid_number = msSFU30GidNumber

ldap_force_upper_case_realm = True

ldap_tls_cacertdir = /etc/openldap/cacerts

krb5_kpasswd = DC1.SUB.DOMAIN.COM:749
krb5_realm = SUB.DOMAIN.COM
krb5_kdcip = DC1.SUB.DOMAIN.COM:88

debug_level = 6


The ldap_schema is set to rfc2307 since rfc2307bis does not appear to work at all when calling:

                getent group GROUP_NAME     ---- Returns blank
                getent passwd USER_NAME     ---- Returns all user attributes and the group entry (GID) msSFU30GidNumber but no group name

Setting ldap_group_member = member also breaks the group name lookup on rfc2307. A minimal configuration doesn't appear to help either.

I've attached four debug_level 6 files (sanitised).
Two for rfc2307 and two for rfc2307bis, with and without ldap_group_member being specified.
The Linux command run was:

                id THE_USER

I would have expected it to output two groups, cbu (2004) and comp (2000), for THE_USER.

If anyone could shed some light on why specifying ldap_group_member is a problem, why nested groups aren't working, and what I need to do to make them work, that'd be fantastic.

Thanks,

Chris.
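An added illustration, in Python, of the two lookup models the post is comparing. It is not the poster's code and not sssd's own implementation: it models a flat rfc2307-style lookup (group members named by login in memberUid, which AD groups do not carry) beside a DN-based rfc2307bis-style lookup that follows `member` links across nesting levels, and renders what `id THE_USER` would show once both cbu (2004) and comp (2000) resolve. The directory entries are constructed sample data using the OU layout and attribute names from the post; the user's uidNumber (10001), the user's primary GID (2004) and the exact nesting (THE_USER in cbu, cbu in comp) are assumptions, and `nesting_level` is this script's own parameter, named after sssd's ldap_group_nesting_level option.

```python
"""
Added illustration (not sssd's code, not from the original post): why a flat
rfc2307-style group lookup against AD entries returns nothing, while a
DN-based rfc2307bis-style lookup that follows member links across nesting
levels returns both cbu (2004) and comp (2000).
"""
from typing import Dict, List

Entry = Dict[str, List[str]]

USER_DN = "CN=THE_USER,OU=SITEUsers,DC=SUB,DC=DOMAIN,DC=COM"
CBU_DN = "CN=cbu,OU=SITEGroups,DC=SUB,DC=DOMAIN,DC=COM"
COMP_DN = "CN=comp,OU=SITEGroups,DC=SUB,DC=DOMAIN,DC=COM"

# Constructed sample entries. As in AD, groups list members as DNs in
# `member` and carry no `memberUid`; THE_USER is only a direct member of cbu,
# and cbu is itself a member of comp (assumed nesting).
DIRECTORY: Dict[str, Entry] = {
    USER_DN: {
        "objectClass": ["user"],
        "sAMAccountName": ["THE_USER"],
        "msSFU30UidNumber": ["10001"],  # assumed value
        "msSFU30GidNumber": ["2004"],   # assumed primary GID (cbu)
        "memberOf": [CBU_DN],
    },
    CBU_DN: {
        "objectClass": ["group"],
        "cn": ["cbu"],
        "msSFU30GidNumber": ["2004"],
        "member": [USER_DN],
        "memberOf": [COMP_DN],
    },
    COMP_DN: {
        "objectClass": ["group"],
        "cn": ["comp"],
        "msSFU30GidNumber": ["2000"],
        "member": [CBU_DN],
    },
}


def _groups(directory: Dict[str, Entry]):
    """Yield (dn, entry) for every entry whose objectClass includes group."""
    return ((dn, e) for dn, e in directory.items()
            if "group" in e.get("objectClass", []))


def groups_rfc2307(directory: Dict[str, Entry], username: str) -> Dict[str, int]:
    """Flat lookup: a group names its members by login name in memberUid
    (sssd's default ldap_group_member for ldap_schema = rfc2307). AD groups
    have no memberUid, so this returns {} for any user."""
    found: Dict[str, int] = {}
    for _dn, entry in _groups(directory):
        if username in entry.get("memberUid", []):
            found[entry["cn"][0]] = int(entry["msSFU30GidNumber"][0])
    return found


def groups_rfc2307bis(directory: Dict[str, Entry], user_dn: str,
                      nesting_level: int = 2) -> Dict[str, int]:
    """DN-based lookup: groups whose `member` holds the user DN, then groups
    whose `member` holds those group DNs, for up to nesting_level hops.
    The visited set keeps circular group membership from looping."""
    found: Dict[str, int] = {}
    frontier = {user_dn}
    visited = set()
    for _hop in range(nesting_level):
        next_frontier = set()
        for dn, entry in _groups(directory):
            if dn in visited or not (frontier & set(entry.get("member", []))):
                continue
            visited.add(dn)
            next_frontier.add(dn)
            gid = entry.get("msSFU30GidNumber")
            if gid:  # a group without a POSIX GID cannot appear in `id` output
                found[entry["cn"][0]] = int(gid[0])
        if not next_frontier:
            break
        frontier = next_frontier
    return found


def id_line(directory: Dict[str, Entry], username: str) -> str:
    """Render what `id USERNAME` would show once nested groups resolve."""
    user_dn, user = next((dn, e) for dn, e in directory.items()
                         if e.get("sAMAccountName") == [username])
    uid = int(user["msSFU30UidNumber"][0])
    primary_gid = int(user["msSFU30GidNumber"][0])
    # Resolve the primary GID by number, as `getent group <gid>` would.
    primary_name = next(e["cn"][0] for _dn, e in _groups(directory)
                        if e.get("msSFU30GidNumber") == [str(primary_gid)])
    supplementary = groups_rfc2307bis(directory, user_dn)
    supplementary.pop(primary_name, None)
    groups = [f"{primary_gid}({primary_name})"] + [
        f"{gid}({name})" for name, gid in sorted(supplementary.items())]
    return (f"uid={uid}({username}) gid={primary_gid}({primary_name}) "
            f"groups={','.join(groups)}")


if __name__ == "__main__":
    print("rfc2307 (memberUid):", groups_rfc2307(DIRECTORY, "THE_USER"))
    print("rfc2307bis, nesting 1:", groups_rfc2307bis(DIRECTORY, USER_DN, 1))
    print("rfc2307bis, nesting 2:", groups_rfc2307bis(DIRECTORY, USER_DN, 2))
    print(id_line(DIRECTORY, "THE_USER"))
```

With nesting_level=1 only the direct group cbu is returned; comp, reached only through cbu, needs the second hop. The flat lookup returns nothing for the same data because no entry has a memberUid to match against.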