sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O-bound performance issue anyway.
Thanks for your time.
1 year, 7 months
Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against a FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
One of the systems we are using requires enumerating all users in groups by (unfortunate) design (Apache Ranger). This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought to
add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes it gives information, sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke(a)ad.local
UID=1796201107(bolke(a)ad.local) GID=1796201107(bolke(a)ad.local) groepen=1796201107(bolke(a)ad.local),1796200513(domain users@ad.local),1796201108(test(a)ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
3 years, 10 months
SSSD for one-way trusted AD domain
by Ondrej Valousek
Hi List,
Question: we have joined a machine into AD domain B. This domain has a one-way trust to domain A. No direct connection from the domain B network to DCs in domain A is possible.
Can we use SSSD to authenticate members of domain A?
In Windows this works, but we can't get it working in Linux via SSSD (Fedora 25, used realmd for the AD join).
Thanks,
Ondrej
5 years, 4 months
SSSD and SUDO not working
by Andrea Passuello
Hi all,
I use SSSD with OpenLDAP and I am able to authenticate users.
I am trying to configure SSSD for managing and caching sudo, but I can't use
sudo and the system replies with this:
Sorry, user xxx is not allowed to execute '/usr/bin/apt-get update' as root
on MACHINE.
This is my sssd.conf
[nss]
filter_groups = root,andrea
filter_users = root,andrea
reconnection_retries = 3
debug_level = 4
[pam]
reconnection_retries = 3
debug_level = 4
offline_credentials_expiration = 90
[sudo]
debug_level = 7
# default values in seconds
#ldap_sudo_full_refresh_interval=21600
#ldap_sudo_smart_refresh_interval=900
ldap_sudo_full_refresh_interval=10
ldap_sudo_smart_refresh_interval=10
[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam, sudo
domains = mydomain.com
[domain/mydomain.com]
debug_level = 7
cache_credentials = true
account_cache_expiration = 90
# With this as false, a simple "getent passwd" for testing won't work. You
# must do getent passwd user(a)domain.com
# enumerate = false
enumerate = true
id_provider = ldap
auth_provider = ldap
access_provider = ldap
sudo_provider = ldap
# chpass_provider = ldap
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_uri = ldap://LDAPSERVER
ldap_search_base = dc=mydomain,dc=com
ldap_access_filter = (uidNumber=*)
ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
This is my nsswitch.conf
passwd: compat sss
group: compat sss
shadow: compat sss
sudoers: files sss
This is the log output
tail -f /var/log/auth.log /var/log/sssd/sssd_sudo.log
/var/log/sssd/sssd_widegroup.eu.log
==> /var/log/auth.log <==
Nov 8 15:50:46 andrea-X550LA sudo: pam_unix(sudo:auth): authentication
failure; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost=
user=MYUSER
==> /var/log/sssd/sssd_mydomain.com.log <==
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_get_account_info]
(0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=MYUSER]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain]
(0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[dc=mydomain,dc=eu]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=MYUSER)(objectclass=posixAccount)(&(uidNumber=*)(!
(uidNumber=0))))][dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[krbPasswordExpiration]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[loginExpirationTime]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[loginAllowedTimeMap]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry]
(0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user]
(0x0400): Save user
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_primary_name]
(0x0400): Processing object MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user]
(0x0400): Processing user MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user]
(0x0400): Original memberOf is not available for [MYUSER].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user]
(0x0400): User principal is not available for [MYUSER].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user]
(0x0400): Storing info for user MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base
[dc=mydomain,dc=eu]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(memberuid=MYUSER)(objectClass=posixGroup)(cn=*)(
&(gidNumber=*)(!(gidNumber=0))))][dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=netsudo,ou=groups,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_initgr_done]
(0x0400): Primary group already cached, nothing to do.
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain]
(0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler]
(0x0100): Got request with the following data
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): command: SSS_PAM_AUTHENTICATE
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): domain: mydomain.com
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): user: MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): service: sudo
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): tty: /dev/pts/7
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): ruser: MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): rhost:
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): authtok type: 1
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): priv: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): cli_pid: 7144
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): logon name: not set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_server_status]
(0x1000): Status of server 'LDAPSERVER' is 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_port_status]
(0x1000): Port status of port 389 for server 'LDAPSERVER' is 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_server_status]
(0x1000): Status of server 'LDAPSERVER' is 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_resolve_server_process] (0x0200): Found address for server LDAPSERVER:
[xxx.xxx.xxx.xxx] TTL 2222
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_uri_callback]
(0x0400): Constructed uri 'ldap://LDAPSERVER'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sss_ldap_init_send]
(0x0400): Setting 6 seconds timeout for connecting
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://LDAPSERVER:389/??base] with fd [24].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_sys_connect_done]
(0x0100): Executing START TLS
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_connect_done]
(0x0080): START TLS result: Success(0), (null)
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_set_port_status]
(0x0100): Marking port 389 of server 'LDAPSERVER' as 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[set_server_common_status] (0x0100): Marking server 'LDAPSERVER' as
'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_set_port_status]
(0x0400): Marking port 389 of duplicate server 'LDAPSERVER' as 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_send]
(0x0100): Executing simple bind as: uid=MYUSER,ou=people,dc=mydomain,dc=eu
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_done]
(0x1000): Password Policy Response: expire [-1] grace [-1] error [No error].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_done]
(0x0400): Bind result: Success(0), no errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_pam_auth_done]
(0x0100): Password successfully cached for MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0100): Sending result [0][mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0100): Sent result [0][mydomain.com]
==> /var/log/auth.log <==
Nov 8 15:50:46 andrea-X550LA sudo: pam_sss(sudo:auth): authentication
success; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost=
user=MYUSER
==> /var/log/sssd/sssd_mydomain.com.log <==
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain]
(0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler]
(0x0100): Got request with the following data
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): command: SSS_PAM_ACCT_MGMT
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): domain: mydomain.com
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): user: MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): service: sudo
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): tty: /dev/pts/7
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): ruser: MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): rhost:
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): authtok type: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): priv: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): cli_pid: 7144
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): logon name: not set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_send]
(0x0400): Performing access check for user [MYUSER]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_access_filter_send] (0x0400): Performing access filter check for user
[MYUSER]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=MYUSER)(objectclass=posixAccount)(uidNumber=*))][
uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry]
(0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_access_filter_done] (0x0400): Access granted by online lookup
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not
sending the request to it.
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0100): Sending result [0][mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0100): Sent result [0][mydomain.com]
==> /var/log/auth.log <==
Nov 8 15:50:46 andrea-X550LA sudo: MYUSER : command not allowed ;
TTY=pts/7 ; PWD=/home/MYUSER ; USER=root ; COMMAND=/usr/bin/apt-get update
==> /var/log/sssd/sssd_sudo.log <==
(Wed Nov 8 15:50:46 2017) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
Could you please help me understand what's wrong?
Many thanks in advance and any help is appreciated.
Regards.
5 years, 9 months
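The debug log in the post above is long, and the useful signal is buried: the backend's LDAP bind succeeds, the access filter check passes, and the denial comes only afterwards from sudo's policy evaluation ("command not allowed"), while the sudo responder log shows nothing but a client disconnect. The following script is an added example, not code from the post or from the SSSD project: it parses lines in the shape of the sssd_<domain>.log excerpt and summarises each PAM phase, so that an authentication failure can be told apart from a policy decision before touching sssd.conf. The sample lines are constructed from the excerpt above; the `diagnose()` verdict keys are my own naming.

```python
"""Summarise an sssd debug log by PAM phase (added example, not from the post)."""
import re

# Constructed sample: lines in the shape of the sssd_<domain>.log excerpt above
# (debug_level 7), trimmed to the events that matter for the sudo question.
SAMPLE_LOG = """\
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=MYUSER]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=MYUSER)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=MYUSER,ou=people,dc=mydomain,dc=eu
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=MYUSER)(objectclass=posixAccount)(uidNumber=*))][uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_filter_done] (0x0400): Access granted by online lookup
(Wed Nov 8 15:50:46 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
"""

# One sssd debug line: "(timestamp) [sssd[proc]] [function] (0xlevel): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[(?P<proc>[^\]]*(?:\[[^\]]*\])?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>.*)\]\.$")
REQ_RE = re.compile(
    r"Got request for \[0x[0-9a-f]+\]\[(?P<type>BE_REQ_[A-Z_]+)\]\[\d+\]\[name=(?P<name>[^\]]+)\]"
)


def parse_line(line):
    """Split one log line into its fields, or return None for non-matching text."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def _new_phase(name):
    return {"phase": name, "searches": [], "bind": None, "access": None}


def summarise(text):
    """Return (phases, sudo_responder_lines).

    phases: one dict per PAM command seen, preceded by a 'lookup' phase for
    the account request that runs before PAM; each records the LDAP searches
    (filter, base), the simple-bind outcome and the access-filter outcome.
    sudo_responder_lines: (function, message) pairs logged by the sudo responder.
    """
    current = _new_phase("lookup")
    phases = [current]
    sudo_lines = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        func, msg, proc = rec["func"], rec["msg"], rec["proc"]
        if proc == "sudo":
            sudo_lines.append((func, msg))
        elif func == "be_get_account_info":
            r = REQ_RE.search(msg)
            if r:
                current["request"] = (r.group("type"), r.group("name"))
        elif func == "pam_print_data" and msg.startswith("command: "):
            current = _new_phase(msg.split(": ", 1)[1])
            phases.append(current)
        elif func == "sdap_get_generic_ext_step":
            s = SEARCH_RE.search(msg)
            if s:
                current["searches"].append((s.group("filter"), s.group("base")))
        elif func == "simple_bind_done" and msg.startswith("Bind result: "):
            # "Success(0), no errmsg set" -> "Success"
            current["bind"] = msg[len("Bind result: "):].split("(", 1)[0]
        elif func == "sdap_access_filter_done":
            current["access"] = "granted" if "granted" in msg else "denied"
    return phases, sudo_lines


def diagnose(text):
    """Reduce the phases to a verdict a troubleshooter can act on."""
    phases, sudo_lines = summarise(text)
    by_name = {p["phase"]: p for p in phases}
    auth = by_name.get("SSS_PAM_AUTHENTICATE")
    acct = by_name.get("SSS_PAM_ACCT_MGMT")
    return {
        "auth": "absent" if auth is None else ("ok" if auth["bind"] == "Success" else "failed"),
        "access": "absent" if acct is None else (acct["access"] or "unknown"),
        "sudo_responder": sudo_lines,
    }


if __name__ == "__main__":
    for phase in summarise(SAMPLE_LOG)[0]:
        print(phase["phase"], phase.get("request"), phase["bind"], phase["access"])
        for flt, base in phase["searches"]:
            print("   search", base, flt)
    print(diagnose(SAMPLE_LOG))
```

When `auth` is "ok" and `access` is "granted" but sudo still reports "command not allowed", PAM is not the culprit; the next place to look is sudo's rule retrieval (the `[sudo]` responder and the `sudoers:` line in nsswitch.conf), which is exactly where the excerpt above goes quiet.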
ad_access_filter question
by Conwell, Nik
Hi all, I'm jumping in to using sssd-ad here at BU. I'm able to domain join a CentOS7 and pull our AD entries successfully but am having troubles with ad_access_filter to restrict access to a group.
Due to FERPA restrictions here, we can't query memberOf for random people via a machine account, so things like:
ad_access_filter = (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)
won't work. I see from debug level 7 that this translates into a query like:
(&(sAMAccountName=nik)(objectclass=user)(memberOf=CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah))
I've verified independently with ldapsearch that if I do this under the machine account, I don't get anything back. Note that if this query was done in the context of the user just logging in ("nik") then it would work since I have the privs to see my own memberOf. But, I think (I guess) that the query is being done by SSSD-AD as the machine account.
I've also played around with doing a filter like "(&(objectCategory=group)(CN=group-of-admins))" which does actually return a list of "member:" entries for an ldapsearch when using the machine account privs. However, if I plug this into ad_access_filter, it's not allowing access I think because of the (&sAMAccountName=…) being a query of a user object whereas the group query is a group object and the filter isn't being satisfied. From looking at the code I think it's not designed to handle being returned an object which has a list of "member:" entries and looking for the user in that list. SMOP I guess :)
So, misc blathering aside, does anybody have any suggestions on how I should go about restricting access to groups in cases where machine accounts aren't allowed access to the memberOf information for users? Is there a way to get it via a group filter, or should/could the memberOf query be done under the context and privs of the user accessing it? (I guess that would have implications on caching though…)
Any ideas or suggestions which direction I should go with this? Thanks in advance.
Nik Conwell
Boston University
nik(a)bu.edu
5 years, 10 months
group naming help
by Zane Zakraisek
Hi, I'm looking at migrating my Red Hat 7.4 machines off nslcd and onto
sssd.
I've got a very simple sssd.conf here running SSSD 1.15.2.
[sssd]
domains = my.domain
config_file_version = 2
services = nss, pam
[domain/my.domain]
ad_domain = my.domain
krb5_realm = MY.DOMAIN
realmd_tags = manages-system joined-with-samba
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = false
ldap_id_mapping = false
access_provider = ad
#enumerate = true
A lot of my groups have a samAccountName that differs from their cn.
I've noticed that I can't seem to get consistent group names.
When running 'ls -l', it seems like some files show the samAccountName
of the group, others show the cn of the group.
Running 'groups' or 'id $USER' always shows the samAccountName.
Is there a way that I can get SSSD to do everything by the cn of the
group?
ZZ
5 years, 10 months
Suggested workarounds for stale kdcinfo.REALM cache file?
by Mark Ignacio
Hey folks,
During an internal reliability test, we recently found out that
/var/lib/sss/pubconf/kdcinfo.${REALM} stays static even when the IP
cached there is unreachable or down. During the test, kinit failed
consistently for those unfortunate to have a bad KDC cached.
I found this draft document which would probably solve this issue for
us: https://docs.pagure.org/SSSD.sssd/design_pages/kerberos_locator_redesign.html
But until said redesign happens, I'm thinking about workarounds. One
idea is symlinking that file to /dev/null, another would be just
periodically rm-ing it. I'm trying the first today on my laptop and it
seems fine, but I haven't really tested it past that.
Any suggestions?
5 years, 10 months
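Between the two workarounds mentioned in the post (pointing the file at /dev/null, or removing it on a timer), a middle ground is to remove the cached file only when none of the KDCs it lists still answers, so a healthy cache keeps its locator benefit. The script below is an added example, not code from the post or from SSSD; it assumes (not confirmed by the post) the kdcinfo format of one KDC per line as `address` or `address:port`, with IPv6 addresses in brackets, and defaults to the Kerberos port 88. The probe is a plain TCP connect, made pluggable so the logic runs offline against the constructed sample; `refresh_if_stale()` is the only function that touches the filesystem.

```python
"""Refresh a stale sssd kdcinfo cache only when no listed KDC answers.

Added example, not from the original post. Format assumptions are labelled below.
"""
import os
import socket

# Path from the post; REALM is substituted at runtime.
KDCINFO_PATH_TEMPLATE = "/var/lib/sss/pubconf/kdcinfo.{realm}"

# Constructed sample content (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_KDCINFO = "192.0.2.10\n192.0.2.11:88\n[2001:db8::1]:88\n"


def parse_kdcinfo(text, default_port=88):
    """Parse 'address' or 'address:port' lines (assumed format) into (host, port)."""
    kdcs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("["):                      # [ipv6]:port or [ipv6]
            host, _, rest = line[1:].partition("]")
            port = int(rest[1:]) if rest.startswith(":") else default_port
        elif line.count(":") == 1:                    # ipv4:port or hostname:port
            host, port_text = line.split(":")
            port = int(port_text)
        else:                                         # bare address or hostname
            host, port = line, default_port
        kdcs.append((host, port))
    return kdcs


def tcp_probe(host, port, timeout=2.0):
    """True when a TCP connection to the KDC port can be opened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def stale_kdcs(text, probe=tcp_probe):
    """KDC entries that fail the probe."""
    return [(h, p) for h, p in parse_kdcinfo(text) if not probe(h, p)]


def should_refresh(text, probe=tcp_probe):
    """True only when the file lists KDCs and every one of them is unreachable."""
    kdcs = parse_kdcinfo(text)
    return bool(kdcs) and len(stale_kdcs(text, probe)) == len(kdcs)


def refresh_if_stale(realm, probe=tcp_probe):
    """Remove the realm's kdcinfo file when it is stale; return True if removed.

    sssd rewrites the file on its next successful KDC discovery; until then
    libkrb5 falls back to DNS/krb5.conf instead of the dead cached address.
    """
    path = KDCINFO_PATH_TEMPLATE.format(realm=realm)
    try:
        with open(path) as fh:
            text = fh.read()
    except FileNotFoundError:
        return False
    if should_refresh(text, probe):
        os.unlink(path)
        return True
    return False


if __name__ == "__main__":
    print("parsed:", parse_kdcinfo(SAMPLE_KDCINFO))
    print("stale :", stale_kdcs(SAMPLE_KDCINFO))   # live probe; all stale offline
```

Run from a timer as root with the realm name as argument; it is deliberately conservative (one live KDC keeps the cache), since removing the file on every hiccup would just recreate the churn the /dev/null symlink avoids.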
id -G user only showing primary group
by Jeff Sadowski
I'm running Fedora 26
sssd --version
1.15.3
I am authenticating against an Active Directory Domain that has posix
extensions enabled.
All my ubuntu and centos machines are using PowerBroker or winbind to
authenticate to the domain.
I want to transition away from PowerBroker.
I tried using winbind to connect fedora but I end up with issues of it
not using posix extensions from my active directory.
So I tried sssd out and see that users show correctly when I run the command
getent passwd <username>
When using winbind I had to use templates for the shell and home
directories, which I did not like.
This is not happening on my ubuntu or centos servers with the same config.
Their config, if it helps, is as follows:
[global]
security = ads
realm = MIND.UNM.EDU
workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
Since that wasn't working, I uninstalled winbind and reinstalled sssd
(I had removed it while testing samba since I know they can
interfere.)
I used realm to leave and rejoin the domain
It looks like realm rewrote my smb.conf file as such
[global]
security = user
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
template homedir=/na/homes/%U
template shell=/bin/bash
My sssd.conf file looks like so
[sssd]
domains = mind.unm.edu
config_file_version = 2
services = nss, pam
[domain/mind.unm.edu]
ad_domain = mind.unm.edu
krb5_realm = MIND.UNM.EDU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
#ldap_id_mapping = True
ldap_id_mapping = False
#use_fully_qualified_names = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
#
debug = 3
I learned with ldap_id_mapping = True I was getting funny uid's and
that interfered with my isilon that is using rfc2307 to our domain.
And I want to login with <username> not <domain>\\<username> so I set
use_fully_qualified_names = False
While reading this
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
under sections:
Common AD provider issues->A group my user is a member of doesn’t
display in the id output
In case the group is not present in the id -G output at all, there is
something up with the initgroups part.
This is the case but I'm not really sure where to go from here.
I set debug on the domain to 3 and my /var/log/sssd/sssd_<domainname>
looks as follows when I run id -G <user>
in this case the user is jsadowski
id -G <username> is only showing the primary group for any user I have tried.
...
(Tue Oct 31 09:16:10 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:17:11 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:17:39 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:17:39 2017) [sssd[be[mind.unm.edu]]]
[get_access_filter] (0x0010): Warning: LDAP access rule 'filter' is
set, but no ldap_access_filter configured. All domain users will be
denied access.
(Tue Oct 31 09:18:16 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:21:03 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc]
(0x0010): Missing krb5_realm option!
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]]
[dp_module_run_constructor] (0x0010): Module [krb5] constructor failed
[22]: Invalid argument
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [dp_target_init]
(0x0010): Unable to load module krb5
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [be_process_init]
(0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010):
Could not initialize backend [1432158209]
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc]
(0x0010): Missing krb5_realm option!
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]]
[dp_module_run_constructor] (0x0010): Module [krb5] constructor failed
[22]: Invalid argument
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [dp_target_init]
(0x0010): Unable to load module krb5
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [be_process_init]
(0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010):
Could not initialize backend [1432158209]
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc]
(0x0010): Missing krb5_realm option!
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]]
[dp_module_run_constructor] (0x0010): Module [krb5] constructor failed
[22]: Invalid argument
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [dp_target_init]
(0x0010): Unable to load module krb5
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [be_process_init]
(0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010):
Could not initialize backend [1432158209]
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc]
(0x0010): Missing krb5_realm option!
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]]
[dp_module_run_constructor] (0x0010): Module [krb5] constructor failed
[22]: Invalid argument
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [dp_target_init]
(0x0010): Unable to load module krb5
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [be_process_init]
(0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010):
Could not initialize backend [1432158209]
(Tue Oct 31 09:23:45 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:26:03 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:36:00 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
...
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log]
(0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Server not found in Kerberos database)
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send]
(0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send]
(0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[sdap_cli_connect_recv] (0x0040): Unable to establish connection
[1432158226]: Authentication Failed
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_run_online_cb]
(0x0080): Going online. Running callbacks.
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable]
(0x0080): Task [Subdomains Refresh]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable]
(0x0080): Task [SUDO Smart Refresh]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable]
(0x0080): Task [SUDO Full Refresh]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable]
(0x0080): Task [AD machine account password renewal]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[resolv_gethostbyname_done] (0x0040): querying hosts database failed
[5]: Input/output error
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[nsupdate_get_addrs_done] (0x0040): Could not resolve address for this
machine, error [5]: Input/output error, resolver returned: [11]: Could
not contact DNS servers
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[nsupdate_get_addrs_done] (0x0040): nsupdate_get_addrs_done failed:
[5]: [Input/output error]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[sdap_dyndns_dns_addrs_done] (0x0040): Could not receive list of
current addresses [5]: Input/output error
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [5]:
Input/output error
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [5]:
Input/output error
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log]
(0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Server not found in Kerberos database)
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send]
(0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send]
(0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)]
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sdap_cli_connect_recv] (0x0040): Unable to establish connection
[1432158226]: Authentication Failed
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for
SID S-1-5-32-545
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for
SID S-1-5-32-544
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for
SID S-1-5-32-555
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for
SID S-1-5-32-551
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
attribute](16)[attribute 'member': no matching attribute value while
deleting attribute on
'name=Administrators(a)mind.unm.edu,cn=groups,cn=mind.unm.edu,cn=sysdb']
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No
such attribute]
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sysdb_update_members_ex] (0x0020): Could not remove member
[jsadowski(a)mind.unm.edu] from group
[name=Administrators(a)mind.unm.edu,cn=groups,cn=mind.unm.edu,cn=sysdb].
Skipping
(Tue Oct 31 10:16:54 2017) [sssd[be[mind.unm.edu]]]
[sdap_sudo_load_sudoers_done] (0x0040): Received 0 sudo rules
5 years, 10 months
what are the causes of Port status of port 389 for server is 'not working'
by Jeremy Monnet
Hi,
I have that error message that I do not understand, because I have 2 Ubuntu
servers set up the same way (but 1 Ubuntu 14.04 and 1 Ubuntu 16.04). Ubuntu
14 is working fine, I can authenticate and sudo just fine; Ubuntu 16 can
list users and groups but I cannot authenticate or sudo. And I see in the
sssd_domain.log:
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000):
Status of server '<servername>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000):
Port status of port 389 for server '<servername>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000):
Status of server '<servername2>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000):
Port status of port 389 for server '<servername2>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send]
(0x0020): No available servers for service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [be_resolve_server_done]
(0x1000): Server resolution failed: 5
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
Of course, port 389 is indeed reachable, and I have joined and re-joined
the domain several times, deleted the computer object in AD, checked
several times that the keytab was created, and that I could kinit with it...
One thing is that I join a child AD domain and try to log in with an
account from the main domain; that is probably an issue, but as that works
on the other Ubuntu with the same setup, I am stuck...
Thanks,
Jeremy
5 years, 10 months
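The two back-end logs quoted above share one record format, and wrapped mail lines make them hard to grep. The following Python helper is an added example (not sssd's own tooling and not from either post): it re-joins the records, reports the per-server port status that the failover code logged, counts "going offline" transitions and lists messages at the serious level or worse; the sample lines and the server name dc1.example.com are constructed.

```python
"""Added triage helper (not sssd's own tooling) for back-end debug logs such as
those quoted above: it parses '(timestamp) [sssd[be[domain]]] [function]
(0xLEVEL): message', re-joins mail-wrapped lines and summarises the result."""
import re

# Constructed sample modelled on the quoted logs; dc1.example.com is a placeholder.
SAMPLE_LOG = """\
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000):
Port status of port 389 for server 'dc1.example.com' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send]
(0x0020): No available servers for service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Oct 31 09:21:54 2017) [sssd[be[example.com]]] [krb5_init_kdc]
(0x0010): Missing krb5_realm option!
"""

# A record starts with a '(Day Mon DD HH:MM:SS YYYY)' timestamp; continuation
# lines, even ones beginning with '(0x....)', belong to the previous record.
TS_RE = re.compile(r"^\(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\) ")
RECORD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
PORT_RE = re.compile(r"Port status of port (\d+) for server '([^']+)' is '([^']+)'")

def parse_records(text):
    """Return one dict per log record, with wrapped lines joined back together."""
    records, buf = [], []
    for line in text.splitlines():
        if TS_RE.match(line) and buf:
            records.append(" ".join(buf))
            buf = []
        buf.append(line.strip())
    if buf:
        records.append(" ".join(buf))
    return [m.groupdict() for m in map(RECORD_RE.match, records) if m]

def triage(text):
    """Failover state plus messages at level 0x0040 (serious) or worse;
    sssd.conf(5) defines 0x0010 fatal, 0x0020 critical, 0x0040 serious."""
    recs = parse_records(text)
    ports = {}
    for m in filter(None, (PORT_RE.search(r["msg"]) for r in recs)):
        ports[(m.group(2), int(m.group(1)))] = m.group(3)  # (server, port) -> status
    errors = [r["func"] + ": " + r["msg"] for r in recs if int(r["level"], 16) <= 0x40]
    offline = sum("going offline" in r["msg"] for r in recs)
    return {"ports": ports, "errors": errors, "offline": offline}
```

Run it over the real sssd_domain.log with a debug_level that includes 0x1000, since the port-status lines are only emitted at that level.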
AD auth with multiple domains
by Jeremy Monnet
Hi,
I am trying to set up authentication against Active Directory, with
multiple domains, and I haven't been able to find the recommended way to do
it (it is very possible I missed it...), so I am looking for explanation
and advice.
With a master domain example.com, and subdomains sub1.example.com,
sub2.example.com, etc., how would you set up sssd (and the Linux system) to
authenticate the users from all the domains?
To give an example, my user is AD admin across all the forests
(my_user@example.com), and I want to authenticate on all the servers,
smtp.example.com or proxy.sub1.example.com, etc. I also want on some
computers to authenticate customers' accounts (my_customer@sub1.example.com).
For now, I have 2 different setups:
- on computers from example.com
[sssd]
config_file_version = 2
debug_level =0
domains = example.com
services = nss, pam
[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 8
id_provider = ad
access_provider = ad
ldap_id_mapping = false
#dyndns_update = false
- on computers from sub1.example.com
[sssd]
config_file_version = 2
debug_level =0
domains = sub1.example.com,example.com
services = nss, pam
[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false
[domain/sub1.example.com]
enumerate = true
dns_discovery_domain = cy2._sites.sub1.example.com
debug_level = 7
id_provider = ad
access_provider = ad
ldap_id_mapping = false
I join the computer to example.com or to sub1.example.com:
adcli join example.com -U my_user@EXAMPLE.COM
or
adcli join sub1.example.com -U my_user@EXAMPLE.COM
as I would do with an ordinary Windows workstation.
And for AD, I use the POSIX attributes (and that may be the way...) so if a
UID or GID exists in both domains, I happen to find wrong group names, etc.
I hope my questions are clear enough! :-) What am I doing wrong? What are
the recommended settings for that situation?
Thanks,
Jeremy
5 years, 10 months
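The symptom in the post above (wrong group names when a UID or GID exists in both domains) follows from trusting each domain's POSIX attributes as-is, and enumerate = true is the setting that the first thread in this archive found so costly on large domains. The Python lint below is an added example (not sssd's own tool and not from the post): it reads an sssd.conf, checks that the [sssd] domains list and the [domain/...] sections agree, and flags both settings; the embedded configuration is a constructed copy of the sub1.example.com variant with the debug_level and dns_discovery_domain lines omitted.

```python
"""Lint for sssd.conf variants like those in the thread above. Added example, not
part of sssd or of the original post; the rules encode the cross-domain POSIX-ID
collision the poster describes and the enumeration cost raised in the first thread."""
import configparser

# Constructed copy of the sub1.example.com configuration quoted above (trimmed).
SUB1_CONF = """
[sssd]
config_file_version = 2
debug_level =0
domains = sub1.example.com,example.com
services = nss, pam
[domain/example.com]
enumerate = true
id_provider = ad
access_provider = ad
ldap_id_mapping = false
[domain/sub1.example.com]
enumerate = true
id_provider = ad
access_provider = ad
ldap_id_mapping = false
"""

def lint_sssd_conf(text):
    """Return a list of findings (an empty list means nothing was flagged)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    defined = [s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")]
    for d in listed:
        if d not in defined:
            findings.append(f"{d}: in [sssd] domains but no [domain/{d}] section")
    for d in defined:
        if d not in listed:
            findings.append(f"{d}: [domain/{d}] present but not in [sssd] domains, never started")
            continue
        sec = cp["domain/" + d]
        if sec.getboolean("enumerate", fallback=False):
            findings.append(f"{d}: enumerate = true pulls every user and group; slow on large domains")
        # ldap_id_mapping defaults to true for id_provider = ad (SID-based IDs, no overlap).
        if len(listed) > 1 and not sec.getboolean("ldap_id_mapping", fallback=True):
            findings.append(f"{d}: ldap_id_mapping = false with {len(listed)} domains; a uidNumber"
                            " or gidNumber reused in another domain resolves to the wrong name")
    return findings
```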