Hello,

 

I am switching our SSSD to use the AD provider but have found that the setup has issues with group membership.

 

The following is my domain configuration:

 

[domain/<DOMAIN>]

id_provider = ad

auth_provider = ad

access_provider = ad

ad_access_filter = (memberOf=<FILTER>)

ad_hostname = <CLIENT_HOST>

ad_domain = <DOMAIN>

dns_discovery_domain = <DOMAIN>

ldap_id_mapping = false

ldap_sasl_mech = GSSAPI

ldap_referrals = false

dyndns_update = false

cache_credentials = true

enumerate = false

ldap_purge_cache_timeout = 0

 

This setup works just not completely, user authentication and user/group lookups work. However if I attempt to list full group membership of a user (“id user” or “groups user”), then I am provided with only the primary group. Interestingly if I do the following: clear user from cache, lookup group, lookup user, then the information indicates the primary group and additional group.

We utilise an AllowGroups restriction within SSHD which fails, claiming the user isn’t in the group.

 

Any suggests would be welcome.

 

Thanks

Mark

 

------------------------------------------------------------------------

Mark Sangster

Server Infrastructure Specialist

 

Information Technology Services | University of Aberdeen

t: +44 (0)1224 27-3315 | e: mark@abdn.ac.uk | u: http://www.abdn.ac.uk/it/



The University of Aberdeen is a charity registered in Scotland, No SC013683.
Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir. SC013683.