Hello,
I am switching our SSSD to use the AD provider but have found that the setup has issues with group membership.
The following is my domain configuration:
[domain/<DOMAIN>]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_access_filter = (memberOf=<FILTER>)
ad_hostname = <CLIENT_HOST>
ad_domain = <DOMAIN>
dns_discovery_domain = <DOMAIN>
ldap_id_mapping = false
ldap_sasl_mech = GSSAPI
ldap_referrals = false
dyndns_update = false
cache_credentials = true
enumerate = false
ldap_purge_cache_timeout = 0
This setup works just not completely, user authentication and user/group lookups work. However if I attempt to list full group membership of a user (“id user” or “groups user”), then I am provided with only
the primary group. Interestingly if I do the following: clear user from cache, lookup group, lookup user, then the information indicates the primary group and additional group.
We utilise an AllowGroups restriction within SSHD which fails, claiming the user isn’t in the group.
Any suggests would be welcome.
Thanks
Mark
------------------------------------------------------------------------
Mark Sangster
Server Infrastructure Specialist
Information Technology Services | University of Aberdeen
t: +44 (0)1224 27-3315 | e:
mark@abdn.ac.uk | u:
http://www.abdn.ac.uk/it/