On Tue, Oct 28, 2014 at 01:54:56PM +0000, Karich, Michael wrote:
Some more information on my ongoing issue based on the ideas suggested by Jakub.
I did use realmd to initiate the keytab and join the system to the domain.
When first performing the ldapsearch. I received an error that the keytab was not initialized. I tried to initialize via the command you provided, but was given an error " kinit: Keytab contains no suitable keys for V-REPO-OP-02$@AD_DOMAIN"
Ah, sorry, I pretty much only read your sssd logs, maybe the principal is different.
Can you show what does "klist -k" say?
I was able to initialize the keytab by using kinit -n UserID.
kinit acquires a Kerberos ticket, it doesn't touch the keytab. Normally, the keytab is only accessible to the root user.
Then I was able to perform an ldap search and pull all group membership as well as userid that are members of that group.
Yes, but SSSD uses the principal from the keytab to authenticate, not UserID.
Getent group "NWgroupname" still does not work.
Mike Karich
-----Original Message----- From: Karich, Michael Sent: Friday, October 24, 2014 8:10 AM To: 'sssd-users@lists.fedorahosted.org' Subject: RE: [SSSD-users] Getent group not fully working
Could you test with sssd-1.11.7? Here is a link to yum repo https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-11/
Same results after installing 1.11.7 and rebooting. Version was confirmed via sssd --version.
Mike Karich
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of sssd-users-request@lists.fedorahosted.org Sent: Friday, October 24, 2014 7:00 AM To: sssd-users@lists.fedorahosted.org Subject: sssd-users Digest, Vol 30, Issue 16
Send sssd-users mailing list submissions to sssd-users@lists.fedorahosted.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.fedorahosted.org/mailman/listinfo/sssd-users or, via email, send a message with subject or body 'help' to sssd-users-request@lists.fedorahosted.org
You can reach the person managing the list at sssd-users-owner@lists.fedorahosted.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of sssd-users digest..."
Today's Topics:
- Re: sssd-users Digest, Vol 30, Issue 15 (Karich, Michael)
- Re: sssd-users Digest, Vol 30, Issue 15 (steve)
- Re: sssd-users Digest, Vol 30, Issue 15 (Lukas Slebodnik)
Message: 1 Date: Thu, 23 Oct 2014 20:39:55 +0000 From: "Karich, Michael" mkarich@utdallas.edu To: "sssd-users@lists.fedorahosted.org" sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] sssd-users Digest, Vol 30, Issue 15 Message-ID: E8485E913DD2CB46BC9E4A14AA1E65C2376046BB@UTDEX32.campus.ad.utdallas.edu
Content-Type: text/plain; charset="utf-8"
Yes I do have access to my sssd.conf
I have replaced the domain with case equivalent domain
[sssd] config_file_version = 2 domains = domain services = nss, pam debug_level = 10 default_domain_suffix = domain
[nss]
[pam]
[domain/"domain"] ad_domain = domain krb5_realm = DOMAIN realmd_tags = manages-system joined-with-samba cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = True fallback_homedir = /dir/%u access_provider = ad
I am using 1.11.2. Which repo will have the latest version for centos 7?
When running groups as an AD user, the same groups are printed as when running ID username. Both listings are incomplete and missing the same groups.
Mike Karich
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of sssd-users-request@lists.fedorahosted.org Sent: Thursday, October 23, 2014 3:11 PM To: sssd-users@lists.fedorahosted.org Subject: sssd-users Digest, Vol 30, Issue 15
Send sssd-users mailing list submissions to sssd-users@lists.fedorahosted.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.fedorahosted.org/mailman/listinfo/sssd-users or, via email, send a message with subject or body 'help' to sssd-users-request@lists.fedorahosted.org
You can reach the person managing the list at sssd-users-owner@lists.fedorahosted.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of sssd-users digest..."
Today's Topics:
- Getent group not fully working (Karich, Michael)
- Re: Getent group not fully working (steve)
- Re: Getent group not fully working (Dmitri Pal)
Message: 1 Date: Thu, 23 Oct 2014 18:36:27 +0000 From: "Karich, Michael" mkarich@utdallas.edu To: "sssd-users@lists.fedorahosted.org" sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Getent group not fully working Message-ID: E8485E913DD2CB46BC9E4A14AA1E65C237603A8E@UTDEX32.campus.ad.utdallas.edu
Content-Type: text/plain; charset="utf-8"
Good afternoon,
I have run into an issue on Cent 7 with sssd configured for AD auth. I am able to auth via AD usernames and passwords without issue and can "getent group MOSTGROUPS". But I have run into an issue where there are some groups that are not being seen / discovered / enumerated etc.
ID of a validated username will display most of the groups, but there are some groups that are not listed which are also those are also the ones that fail getent group. I cannot find a pattern in what groups fail to enumerate. At first I thought it was length, but there are group names over 20 characters that succeed.
EX. ID of user1:
Group1, group 2, group 5
Getent group group1 Username list!
Getent group "Group 2" Username list!
Getent group group3 (user is a long time member of group in AD) Blank output
Strace reveals that the command exited with status 2. Nothing is logged in sssd_DOMAIN.log
Please let me know where to look next, thank you.
Mike Karich IT Manager Center for Vital Longevity 1600 Viceroy Rd Dallas, TX 75235
mkarich@utdallas.edumailto:mkarich@utdallas.edu P: 972-883-3745 C: 972-757-3299
CVL IT Assistance: CVLTech@utdallas.edumailto:CVLTech@utdallas.edu