Thanks for the assistance.
In one of the setups, with Version 1.12.4, we were able to resolve this by
adding ldap_use_tokengroups = False
to sssd.conf (
https://fedorahosted.org/sssd/ticket/2472).
After adding this, all the group names are being resolved correctly and
only GIDs are being recorded (no SIDs). Since it's now resolving names
correctly, sudo works as well.
On another machine, with the exact same version, this change did not work
as expected. It does pull only GIDs now for the "id" command, but a
majority of the group names are not resolved (only the GID is displayed). I've
compared all the configuration files and they are identical. Both are
looking at the same domain controller and have the same ldap search base
configured in sssd.conf. I also cleared the cache, but the "id" result stays the
same.
The only difference between these two is that the first one (where sssd
works fine now) was created with CentOS 6.7/2.6.32-573. The other one was
updated to latest from 6.6/504.
Steps used to Join:
1. Configured krb5.conf
2. Configured smb.conf
3. kinit <username>
4. net ads join -k
5. kinit -k HOSTNAME$
6. net ads keytab create
7. net ads keytab add host/hostname.domain@DOMAIN
Testing the join with "net ads testjoin"
8. Configured sssd.conf
9. authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
10. Configured /etc/nsswitch to use sss for sudo as well. Added "sudoers:
files sss"
11. service sssd start
*SSSD Configuration:*
[sssd]
domains =
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=2
[domain/]
debug_level=4
ad_server =
id_provider = ad
auth_provider = ad
access_provider = ldap
sudo_provider = ad
ldap_id_mapping = true
*ldap_use_tokengroups = False*
ldap_sasl_mech = GSSAPI
krb5_realm =
ldap_uri = ldap://
ldap_sudo_search_base =
ldap_user_search_base =
ldap_user_object_class = user
ldap_group_search_base =
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = memberOf=
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad
@Pavel: Does the debug level need to be anything specific? I tried level 4
but did not see anything peculiar in the logs. It probably needs to be higher. I'll
sanitize the logs a little and post them here.
Thanks again,
~ Abhi
On Tue, Aug 25, 2015 at 5:34 AM, Lukas Slebodnik <lslebodn(a)redhat.com>
wrote:
On (24/08/15 08:38), Pavel Reichl wrote:
>
>
>On 08/21/2015 10:30 PM, Abhijit Tikekar wrote:
>>Hi,
>>
>>This is regarding the AD group name resolution in SSSD.
>>
>>We are using SSSD between CentOS and Microsoft AD. Integration works fine
>>and users are able to authenticate without any issues. For SSSD
>>installation, we were just using the Base repo and using yum to install the
>>latest version available.
>>
>>Lately we noticed that after user login, the "id" command returns only the
>>SIDs and not the corresponding group name. I checked the installation and
>>made sure no step was missed. This is causing issues when users use "sudo"
>>(We have added specific group names under sudoers and the match fails
>>because no group names were returned, only SIDs.)
>>
>>Previously this used to work fine (Version 1.11.6), but the version
>>currently being installed via yum is V 1.12.4.
>>
>>I could not find any reference to such behavior online with respect to V
>>1.12.4-47 and hence posting here. Has anyone experienced similar issues with
>>this version?
>>
I'm not aware of any issues with that version and Active Directory.
I also cannot see a reason why there should be SIDs instead of names.
In most cases, there could be just a GID without a name, but not a SID.
Could you briefly describe the steps used to join the Linux machine to AD?
Could you describe the hierarchy of your AD servers?
>>Please advise.
>>
>>Thanks,
>>
>>~ Abhi
>>
>>
>Hello, could you please set debug_level in the domain section and check the logs in
>/var/log/sssd? Feel free to obfuscate the logs and share them. Thanks!
Please also provide sssd configuration file (/etc/sssd/sssd.conf)
@see also upstream troubleshooting wiki page
https://fedorahosted.org/sssd/wiki/Troubleshooting
LS
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
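As an added example, not from the thread and not SSSD project code: a small POSIX shell check that parses the group list printed by `id` and separates resolved groups from bare GIDs and from raw SIDs, so the two symptoms reported above (SIDs instead of names on 1.12.4, and unresolved GIDs after setting ldap_use_tokengroups = False) are reported explicitly rather than eyeballed. The function names and the sample `id` lines are mine and constructed; the only real tools used are `id`, `getent`, `tr` and `grep`. The live `getent` lookup is an assumption about how you would triage it on a box and only runs when a user name is passed as an argument.

```shell
#!/bin/sh
# Added example, not part of the thread: triage the group list printed by `id`.
# SSSD-backed `id` output normally looks like
#   uid=N(user) gid=N(group) groups=N(group),N(group),...
# A token with no "(name)" is a GID that NSS could not map to a name; a token
# starting with S-1- is a raw Windows SID. Sample lines below are constructed.

# Print the groups= part of an id line, one token per line.
group_tokens() {
    printf '%s\n' "${1##*groups=}" | tr ',' '\n'
}

# GIDs that came back without a name (the "only GID is displayed" symptom).
unresolved_gids() {
    group_tokens "$1" | while IFS= read -r tok; do
        case $tok in
            S-1-*)  ;;                      # a SID, reported separately
            *\(*\)) ;;                      # name resolved, nothing to do
            *)      printf '%s\n' "$tok" ;;
        esac
    done
}

# Tokens that are SIDs instead of GIDs (the original 1.12.4 symptom).
sid_groups() {
    group_tokens "$1" | while IFS= read -r tok; do
        case $tok in
            S-1-*) printf '%s\n' "$tok" ;;
        esac
    done
}

# Number of groups whose name did resolve. grep -c prints 0 and exits 1 when
# nothing matches, so mask the status and keep the count.
resolved_count() {
    group_tokens "$1" | grep -c '(.*)$' || true
}

# Live check (assumed triage procedure): run id for a user and ask NSS, via
# getent, about each bare GID. A GID getent can look up but id printed bare
# suggests a stale cache; one getent cannot resolve at all suggests the group
# search base or the tokenGroups/memberOf lookup path.
check_user() {
    line=$(id "$1") || return 1
    printf 'resolved groups: %s\n' "$(resolved_count "$line")"
    for sid in $(sid_groups "$line"); do
        printf 'SID instead of GID: %s\n' "$sid"
    done
    for gid in $(unresolved_gids "$line"); do
        if getent group "$gid" >/dev/null; then
            printf 'gid %s: known to NSS but printed bare by id\n' "$gid"
        else
            printf 'gid %s: no group entry from NSS at all\n' "$gid"
        fi
    done
}

# Constructed sample lines standing in for real `id` output.
SAMPLE_OK='uid=10001(abhi) gid=10001(domain users) groups=10001(domain users),10002(linux admins)'
SAMPLE_BARE='uid=10001(abhi) gid=10001(domain users) groups=10001(domain users),10002,10003'
SAMPLE_SID='uid=10001(abhi) gid=10001(domain users) groups=10001(domain users),S-1-5-21-1111-2222-3333-1107'

if [ $# -eq 1 ]; then
    check_user "$1"
else
    printf 'bare GIDs in sample: %s\n' "$(unresolved_gids "$SAMPLE_BARE" | tr '\n' ' ')"
    printf 'SIDs in sample: %s\n' "$(sid_groups "$SAMPLE_SID" | tr '\n' ' ')"
fi
```

Run it with no arguments to see it classify the constructed samples, or as `sh check_id.sh someuser` on the affected CentOS host to run the live `getent` comparison; a bare GID that `getent group` resolves by number is the pattern Lukas describes (GID without name) and is worth checking against a cleared cache before looking at the search base.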