On Tue, Sep 22, 2015 at 07:41:20AM +0000, Guillaume Polaert wrote:
>-----Original Message-----
>From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Sumit Bose
>Sent: Monday, September 21, 2015 18:17
>To: End-user discussions about the System Security Services Daemon <sssd-users(a)lists.fedorahosted.org>
>Subject: Re: [SSSD-users] sssd-ad + ldap mapping uid issue
>
>On Mon, Sep 21, 2015 at 03:51:13PM +0000, Guillaume Polaert wrote:
>> Hi everyone,
>>
>> I'm using sssd-ad and I have unexpected behaviour with the ldap_mapping_id module.
>> I'll try to be as clear as possible :)
>>
>> The unexpected behaviour concerns group IDs: they are inconsistent.
>> For some reason, at any moment, GIDs can change.
>>
>> The AD contains about 10 domains and 200 000 users. Domain RIDs can be very large.
>> I override the min, max, and slice values to extend the available window.
>> I've also set a default domain SID in order to be sure that one (the main) domain will be consistent.
>>
>> But it doesn't work.
>> What can be the origin of GIDs overwriting?
>>
>> Maybe, I have a problem with my configuration file.
>>
>> /etc/sssd/sssd.conf
>> [sssd]
>> config_file_version = 2
>> services = nss, pam, sudo
>> domains = LDAP, domain.ad
>>
>> [nss]
>> filter_groups = root,ldap,named,avahi,haldaemon,dbus,...
>> filter_users = root,ldap,named,avahi,haldaemon,dbus, ...
>>
>> [pam]
>>
>> [sudo]
>>
>> [domain/LDAP]
>> id_provider = ldap
>> sudo_provider = ldap
>> auth_provider = ldap
>> cache_credentials = True
>> ldap_uri = ldaps://ldap1:636
>> ldap_tls_cacert = /etc/openldap/cacerts/ldap_rootca.pem
>> ldap_tls_reqcert = hard
>> ldap_default_bind_dn = ...
>> ldap_default_authtok_type = obfuscated_password
>> ldap_default_authtok = ...
>> ldap_search_base = base_dn
>> enumerate = True
>> ldap_referrals = False
>> ldap_schema = rfc2307
>> ldap_sudo_search_base = base_dn
>>
>>
>> [domain/domain.ad]
>> id_provider = ldap
>
>Is there a reason why you use 'ldap' here and not 'ad'?
No reason, it's just a leftover from the previous configuration. However, I have the same
behaviour with ad instead of ldap.
>Can you give examples how the GID changes?
For sure,
at startup (after rm -fr /var/lib/sss/{db,mc}*)
getent group grp_user_1
grp_user_1:*:870781:user1,user2 ....
And later,
getent group grp_user_1
grp_user_1:*:10584321:user1,user2 ....
Thank you for checking with the ad provider as well. Full SSSD logs are
needed here. Please find details about how to enable logging at
https://fedorahosted.org/sssd/wiki/Troubleshooting . If you prefer feel
free to send the logs to me directly. Ideally the logs should cover the
time from startup until the gid changes.
bye,
Sumit
Guillaume
>bye,
>Sumit
>
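Added example (not from the thread): the ID-mapping arithmetic described in the sssd-ad(5) man page, applied to the two GIDs quoted above so a reader can see what a GID change means in slice/RID terms. It assumes the default ldap_idmap_range_min and ldap_idmap_range_size of 200000 (the poster overrode these, so substitute the real values), and slice selection by hashing the domain SID is not reproduced.

```python
# Added example (not from the thread): the arithmetic SSSD's ID mapping uses
# to derive a POSIX ID from a domain slice and an AD RID, per the sssd-ad(5)
# "ID MAPPING" section: id = range_min + slice * range_size + rid.
# Slice selection (murmurhash of the domain SID, or slice 0 for the domain
# named by ldap_idmap_default_domain_sid) is not reproduced here.
RANGE_MIN = 200000   # assumed: default ldap_idmap_range_min
RANGE_SIZE = 200000  # assumed: default ldap_idmap_range_size


def slice_to_id(slice_num: int, rid: int,
                range_min: int = RANGE_MIN, range_size: int = RANGE_SIZE) -> int:
    """POSIX ID for an object with RID `rid` in domain slice `slice_num`."""
    if slice_num < 0 or not 0 <= rid < range_size:
        raise ValueError(f"RID {rid} or slice {slice_num} out of range")
    return range_min + slice_num * range_size + rid


def id_to_slice(posix_id: int,
                range_min: int = RANGE_MIN, range_size: int = RANGE_SIZE) -> tuple:
    """Inverse: the (slice, rid) pair a mapped ID must have come from."""
    if posix_id < range_min:
        raise ValueError(f"{posix_id} is below range_min {range_min}")
    return divmod(posix_id - range_min, range_size)


def parse_getent_gid(line: str) -> int:
    """GID field of a `getent group` line such as 'grp:*:870781:u1,u2'."""
    return int(line.split(":")[2])


def explain_gid_change(old_line: str, new_line: str,
                       range_min: int = RANGE_MIN, range_size: int = RANGE_SIZE) -> dict:
    """Compare two getent lines for the same group in slice/RID terms.

    Same RID but a different slice would mean the domain landed in a
    different slice; a different RID means the two IDs do not come from
    the same object under these range settings, and the logs must decide.
    """
    old_slice, old_rid = id_to_slice(parse_getent_gid(old_line), range_min, range_size)
    new_slice, new_rid = id_to_slice(parse_getent_gid(new_line), range_min, range_size)
    return {"old": (old_slice, old_rid), "new": (new_slice, new_rid),
            "same_rid": old_rid == new_rid, "same_slice": old_slice == new_slice}


if __name__ == "__main__":
    # The two observations quoted in the thread (member list trimmed).
    print(explain_gid_change("grp_user_1:*:870781:user1,user2",
                             "grp_user_1:*:10584321:user1,user2"))
```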