Sorry for answering so late - needed some vacation :)
Here the problem still stays open...
On Wed, Sep 09, 2015 at 08:52:00PM +0000, Longina Przybyszewska wrote:
> Hi,
> We have a problem after upgrade from 11.7 to 12.5 version: identity
> lookups periodically change from short name to fully qualified name for
> users from trust domains.
> In turn, users get locked out of files, or cannot log in because the nfsidmap setup
> can't figure out the id mapping.
>
> This setup worked in 11.7 version
> (+several domains identically configured)
>
> [domain/A.C.DOM.ORG]
> debug_level = 9
> cache_credentials = true
> id_provider = ad
> dyndns_update = false
> access_provider = ad
> auth_provider = ad
> chpass_provider = ad
> ad_domain = a.c.dom.org
> krb5_realm = A.C.DOM.ORG
> use_fully_qualified_names = false
> subdomain_provider = none
> ldap_id_mapping = false
> krb5_lifetime = 10h
> krb5_renewable_lifetime = 7d
> krb5_renew_interval = 1h
> ad_gpo_access_control = disabled
> ad_gpo_default_right = permit
>
>
> With my new setup - IDs from trust domains can't resolve as short names.
Can you give an example? Are you saying for a user in domain "N.C.DOM",
'getent passwd user' wouldn't resolve the user?
Yes.
nuser - user from n.c.dom.org

getent passwd nuser
getent passwd nuser@n.c.dom.org
nuser@n.c.dom.org:*:10002:30000000:xxxxxx:/home/nuser:/bin/bash
id nuser
id: nuser: no such user
id nuser@nat.c.sdu.dk
uid=10002(nuser@n.c.dom.org) gid=30000000(lnx-primary)
groups=30000000(lnx-primary),30000003(lnx-ladm-servers),...

auser - user from a.c.dom.org

getent passwd auser
auser:*:10007:8888:xxxxx:/home/auser:/bin/bash
id auser
uid=10007(auser) gid=8888(nfs4users@n.c.dom.org)
groups=8888(nfs4users@n.c.dom.org),30000000(lnx-primary),6666(nfs4users2@n.c.dom.org),9002(lnx-nfs4users2@c.dom.org),30000001(lnx-web3-www),9999(usr-glu@c.dom.org)
My sssd.conf is:
[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldeamon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
[sssd]
debug_level = 9
domains = A.C.DOM.ORG, C.DOM.ORG, N.C.DOM.ORG
config_file_version = 2
services = nss, pam,ssh
[pam]
pam_verbosity = 3
debug_level = 9
[domain/A.C.DOM.ORG]
debug_level = 10
cache_credentials = true
id_provider = ad
dyndns_update = true
ad_hostname = adm-lnx432.a.c.dom.org
use_fully_qualified_names = false
ldap_id_mapping = false
ldap_user_name = sAMAccountName
ad_site = DOM
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
ad_gpo_access_control = disabled
ad_gpo_default_right = permit
dyndns_update_ptr = true
If that's the case, we need logs...
Which logs would you like to see - and what debugging level?
Longina
> Only IDs from the client machine's native domain do.
> Cross-realm group membership resolves fine.
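As an added example (not part of the mail thread, and not sssd's own tooling), the script below puts the two [domain/A.C.DOM.ORG] fragments quoted in this thread side by side with configparser, lists which options were dropped, added or changed between the 11.7 and 12.5 setups, reports the effective subdomain_provider (man sssd.conf documents that it defaults to the value of id_provider when unset), and parses the getent lines posted above to show which names came back qualified. The config text is reconstructed from the mail with only the values shown there; the [nss] and [pam] sections are left out and the multi-line "domains =" list is joined on one line. The script only reports the differences; it does not claim which of them causes the symptom.

```python
# Added example (not from the original mail): compare the two
# [domain/A.C.DOM.ORG] fragments quoted in the thread and parse the
# getent output posted there. Config text is reconstructed from the mail.
import configparser

# Constructed from the quoted 11.7 config (the setup that worked).
OLD_CONF = """\
[domain/A.C.DOM.ORG]
debug_level = 9
cache_credentials = true
id_provider = ad
dyndns_update = false
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = a.c.dom.org
krb5_realm = A.C.DOM.ORG
use_fully_qualified_names = false
subdomain_provider = none
ldap_id_mapping = false
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
ad_gpo_access_control = disabled
ad_gpo_default_right = permit
"""

# Constructed from the 12.5 sssd.conf posted in the same mail ([nss] and
# [pam] omitted; the multi-line 'domains =' list joined on one line).
NEW_CONF = """\
[sssd]
debug_level = 9
domains = A.C.DOM.ORG, C.DOM.ORG, N.C.DOM.ORG
config_file_version = 2
services = nss, pam, ssh

[domain/A.C.DOM.ORG]
debug_level = 10
cache_credentials = true
id_provider = ad
dyndns_update = true
ad_hostname = adm-lnx432.a.c.dom.org
use_fully_qualified_names = false
ldap_id_mapping = false
ldap_user_name = sAMAccountName
ad_site = DOM
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
ad_gpo_access_control = disabled
ad_gpo_default_right = permit
dyndns_update_ptr = true
"""


def load(text):
    """Parse sssd.conf-style INI text; option names stay case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def diff_section(old_text, new_text, section):
    """Return (removed, added, changed) option maps for one section."""
    old = dict(load(old_text)[section])
    new = dict(load(new_text)[section])
    removed = {k: v for k, v in old.items() if k not in new}
    added = {k: v for k, v in new.items() if k not in old}
    changed = {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}
    return removed, added, changed


def configured_domains(text):
    """Domains listed explicitly in [sssd] 'domains ='."""
    return [d.strip() for d in load(text)["sssd"]["domains"].split(",") if d.strip()]


def subdomain_provider(text, section):
    """Effective subdomain_provider: man sssd.conf says it defaults to id_provider."""
    sec = load(text)[section]
    return sec.get("subdomain_provider", sec.get("id_provider"))


def parse_passwd(line):
    """Split a getent passwd line; 'domain' is None for an unqualified name."""
    name, _pw, uid, gid, _gecos, home, shell = line.split(":")
    user, _, domain = name.partition("@")
    return {"user": user, "domain": domain or None, "uid": int(uid),
            "gid": int(gid), "home": home, "shell": shell}


if __name__ == "__main__":
    removed, added, changed = diff_section(OLD_CONF, NEW_CONF, "domain/A.C.DOM.ORG")
    print("removed:", removed)
    print("added:  ", added)
    print("changed:", changed)
    print("explicit domains:", configured_domains(NEW_CONF))
    for conf in (OLD_CONF, NEW_CONF):
        print("effective subdomain_provider:", subdomain_provider(conf, "domain/A.C.DOM.ORG"))
    # getent lines as posted in the thread (constructed input).
    for line in ("nuser@n.c.dom.org:*:10002:30000000:xxxxxx:/home/nuser:/bin/bash",
                 "auser:*:10007:8888:xxxxx:/home/auser:/bin/bash"):
        print(parse_passwd(line))
```

Run it as-is to see the option-level diff; the same diff_section() call works on any two real sssd.conf files read from disk, and subdomain_provider() is the quick way to confirm whether trusted-domain discovery is switched off ("none") or left at the id_provider default on a given host.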