On Wed, Apr 12, 2017 at 1:26 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
[...]
Here is the reason:
> (Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
> [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and
> setting GID=0!
So the group was found and saved, but SSSD decided the group is not
eligible to be returned for the OS. This could be because SSSD filtered
the group type (domain-local groups from trusted domains are filtered)
or because the sssd is configured to use POSIX attributes, but the
object doesn't have them.
Increasing the debug_level some more would show more messages,
Thanks Jakub. I have the debug_level at 8 right now. I was wary of turning
it to 9 as that might output a lot of trace messages, but I could
definitely try that and see what messages I get. Should I configure this
domain to not use POSIX attributes? Is that a wise decision and/or
recommended? What setting controls this? I've currently read through the
man pages for sssd.conf, sssd-ldap, sssd-krb5, and sssd-ad. Would you
recommend any other man pages or documentation? Here is my complete
sssd.conf file:
root@ultralisk:/var/log/sssd# cat /etc/sssd/sssd.conf
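#########################
# GENERAL SSSD SETTINGS #
#########################
# Read by the sssd monitor; option reference is sssd.conf(5).
# Comments are '#' full-line only; keep one key = value per line.
[sssd]
# monitor log verbosity (0-9), see sssd.conf(5)
debug_level = 8
config_file_version = 2
# responders the monitor starts
services = nss,pam
# domains to serve; each needs a matching [domain/<name>] section below
domains = HARMONYWAVE,WINNT
# default parser splitting a login into name and domain for every domain;
# [domain/WINNT] overrides it. The mailing-list archive printed the "@"
# here as "(a)"; the regex on disk uses a literal "@".
re_expression = (?P<name>[^@]+)@(?P<domain>.+$)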
[nss]
# users and groups the nss responder never fetches from the back ends
# (sssd.conf(5) filter_users / filter_groups); keeps root resolved locally
filter_groups = root
filter_users = root
# responder log verbosity (0-9), see sssd.conf(5)
debug_level = 8
# disabled: home directory template for entries without one;
# [domain/WINNT] sets override_homedir instead
#fallback_homedir = /home/%u
[pam]
# days before password expiry at which a warning is shown at login
pam_pwd_expiration_warning = 10
# 0 = no messages, 1 = important messages only (sssd.conf(5))
pam_verbosity = 1
# responder log verbosity (0-9), see sssd.conf(5)
debug_level = 8
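#@@@@@@@@@@@@@@@@@@@@#
#@ HARMONYWAVE DOMAIN SETTINGS @#
#@@@@@@@@@@@@@@@@@@@@#
# Values that the mail client wrapped onto a second line are rejoined here;
# sssd expects every key = value on a single line.
[domain/HARMONYWAVE]
# back end log verbosity (0-9), see sssd.conf(5)
debug_level = 8
# no offline logins: nothing derived from the password is stored locally
cache_credentials = false
# days before password expiry at which a warning is shown
pwd_expiration_warning = 10
#########################
# HARMONYWAVE PROVIDERS #
#########################
auth_provider = krb5
id_provider = ldap
# NOTE(review): no simple_allow_users/simple_allow_groups (or deny lists) are
# set, so per sssd-simple(5) the simple provider admits every user that
# authenticates; add an allow list here to restrict who may log in to this host
access_provider = simple
chpass_provider = krb5
sudo_provider = ldap
#################################
# HARMONYWAVE KERBEROS SETTINGS #
#################################
krb5_server = immortal.harmonywave.com
krb5_realm = HARMONYWAVE.COM
#############################
# HARMONYWAVE LDAP SETTINGS #
#############################
# plain ldap:// URI; channel protection comes from STARTTLS, see below
ldap_uri = ldap://baneling.harmonywave.com
ldap_schema = rfc2307bis
ldap_search_base = dc=harmonywave,dc=com
ldap_user_search_base = ou=People,dc=harmonywave,dc=com
ldap_group_search_base = ou=Group,dc=harmonywave,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=harmonywave,dc=com
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_home_directory = homeDirectory
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_nesting_level = 4
# NOTE(review): sssd-ldap(5) documents ldap_user_fullname; confirm ldap_fullname
# is recognised by this sssd version, otherwise it is ignored
ldap_fullname = cn
# server certificate is required and must validate against the CA file below
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca.harmonywave.com.pem
# the id_provider connection must also use STARTTLS (sssd-ldap(5))
ldap_id_use_start_tls = true
# Kerberos (GSSAPI) bind instead of a bind DN and password stored in this file
ldap_sasl_mech = GSSAPI
ldap_pwd_policy = mit_kerberos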
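#@@@@@@@@@@@@@@@@#
#@ WINNT DOMAIN SETTINGS @#
#@@@@@@@@@@@@@@@@#
# Values that the mail client wrapped onto a second line are rejoined here;
# sssd expects every key = value on a single line.
[domain/WINNT]
# back end log verbosity (0-9), see sssd.conf(5)
debug_level = 8
# names from this domain are reported and expected fully qualified (sssd.conf(5))
use_fully_qualified_names = true
# overrides the [sssd] default; accepts DOMAIN\user, user@domain and a bare
# name. The mailing-list archive printed one "@" as "(a)"; the regex on disk
# uses a literal "@".
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
dns_discovery_domain = winnt.harmonywave.com
###################
# WINNT PROVIDERS #
###################
auth_provider = ad
id_provider = ad
# access decisions delegated to the AD provider, see sssd-ad(5)
access_provider = ad
sudo_provider = none
#####################
# WINNT AD SETTINGS #
#####################
# NOTE(review): ldap_id_mapping is not set, so the sssd-ad(5) default decides
# whether SIDs are mapped or POSIX uidNumber/gidNumber attributes are required;
# confirm which this domain should use before changing it
ad_domain = winnt.harmonywave.com
# DNS SRV discovery first, the named DC as fallback
ad_server = _srv_, firebat.winnt.harmonywave.com
# %d = domain, %u = user (sssd.conf(5))
override_homedir = /home/%d/%u
# this host does not register its own address in AD DNS
dyndns_update = false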
Thanks,
Joshua Schaeffer