On Tue, Oct 28, 2014 at 01:54:56PM +0000, Karich, Michael wrote:
> Some more information on my ongoing issue based on the ideas
> suggested by Jakub.
> I did use realmd to initiate the keytab and join the system to the domain.
> When first performing the ldapsearch, I received an error that the
> keytab was not initialized. I tried to initialize via the command you
> provided, but was given an error "kinit: Keytab contains no suitable keys
> for V-REPO-OP-02$@AD_DOMAIN".
Ah, sorry, I pretty much only read your sssd logs, maybe the principal
is different.
Can you show what "klist -k" says?
> I was able to initialize the keytab by using kinit -n UserID.
kinit acquires a Kerberos ticket, it doesn't touch the keytab. Normally,
the keytab is only accessible to the root user.
> Then I was able to perform an ldap search and pull all group membership as well as the userids
> that are members of that group.
Yes, but SSSD uses the principal from the keytab to authenticate, not UserID.
>
> Getent group "NWgroupname" still does not work.
>
> Mike Karich
>
> -----Original Message-----
> From: Karich, Michael
> Sent: Friday, October 24, 2014 8:10 AM
> To: 'sssd-users(a)lists.fedorahosted.org'
> Subject: RE: [SSSD-users] Getent group not fully working
>
> >Could you test with sssd-1.11.7?
> >Here is a link to yum repo
> >https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-11/
>
> Same results after installing 1.11.7 and rebooting. Version was confirmed via sssd --version.
>
>
>
> Mike Karich
>
> -----Original Message-----
> From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of sssd-users-request(a)lists.fedorahosted.org
> Sent: Friday, October 24, 2014 7:00 AM
> To: sssd-users(a)lists.fedorahosted.org
> Subject: sssd-users Digest, Vol 30, Issue 16
>
>
> Message: 1
> Date: Thu, 23 Oct 2014 20:39:55 +0000
> From: "Karich, Michael" <mkarich(a)utdallas.edu>
> To: "sssd-users(a)lists.fedorahosted.org"
> <sssd-users(a)lists.fedorahosted.org>
> Subject: Re: [SSSD-users] sssd-users Digest, Vol 30, Issue 15
>
> Yes I do have access to my sssd.conf
>
> I have replaced the domain with a case-equivalent domain
>
> [sssd]
> config_file_version = 2
> domains = domain
> services = nss, pam
> debug_level = 10
> default_domain_suffix = domain
>
> [nss]
>
> [pam]
>
> [domain/"domain"]
> ad_domain = domain
> krb5_realm = DOMAIN
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = True
> fallback_homedir = /dir/%u
> access_provider = ad
>
>
>
> I am using 1.11.2. Which repo will have the latest version for CentOS 7?
>
> When running groups as an AD user, the same groups are printed as when running id
> username. Both listings are incomplete and missing the same groups.
>
>
> Mike Karich
>
> -----Original Message-----
> From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of sssd-users-request(a)lists.fedorahosted.org
> Sent: Thursday, October 23, 2014 3:11 PM
> To: sssd-users(a)lists.fedorahosted.org
> Subject: sssd-users Digest, Vol 30, Issue 15
>
>
> Message: 1
> Date: Thu, 23 Oct 2014 18:36:27 +0000
> From: "Karich, Michael" <mkarich(a)utdallas.edu>
> To: "sssd-users(a)lists.fedorahosted.org"
> <sssd-users(a)lists.fedorahosted.org>
> Subject: [SSSD-users] Getent group not fully working
>
> Good afternoon,
>
> I have run into an issue on CentOS 7 with sssd configured for AD auth. I am able to
> auth via AD usernames and passwords without issue and can "getent group
> MOSTGROUPS". But I have run into an issue where there are some groups that are not
> being seen / discovered / enumerated etc.
>
> ID of a validated username will display most of the groups, but there are some groups
> that are not listed, which are also the ones that fail getent group. I
> cannot find a pattern in what groups fail to enumerate. At first I thought it was length,
> but there are group names over 20 characters that succeed.
>
> EX. ID of user1:
>
> Group1, group 2, group 5
>
> Getent group group1
> Username list!
>
> Getent group "Group 2"
> Username list!
>
> Getent group group3 (user is a long time member of group in AD) Blank output
>
> Strace reveals that the command exited with status 2. Nothing is logged in
> sssd_DOMAIN.log
>
> Please let me know where to look next, thank you.
>
>
> Mike Karich
> IT Manager
> Center for Vital Longevity
> 1600 Viceroy Rd
> Dallas, TX 75235
>
> mkarich@utdallas.edu
> P: 972-883-3745 C: 972-757-3299
>
> CVL IT Assistance: CVLTech@utdallas.edu
>
>
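One way to act on the "klist -k" suggestion in the reply above, as an added example that is not code from the thread: parse the keytab listing and report which entry actually matches the principal you expect, comparing case-insensitively so that a case mismatch in the realm (which Kerberos treats as a different realm) is surfaced instead of guessed at. The klist output below is constructed, and EXAMPLE.COM is a placeholder realm.

```shell
#!/bin/sh
# Added example, not code from the thread: find the keytab principal that
# "kinit -k" / SSSD would actually use instead of guessing "HOST$@REALM" by hand.

# Constructed sample of "klist -k" output (EXAMPLE.COM is a placeholder realm).
# A principal appears once per key/enctype, so duplicates are normal.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 V-REPO-OP-02$@EXAMPLE.COM
   2 host/v-repo-op-02.example.com@EXAMPLE.COM
   2 V-REPO-OP-02$@EXAMPLE.COM
   2 host/V-REPO-OP-02@EXAMPLE.COM'

# Read "klist -k" output on stdin; print each distinct principal once.
# Entry lines start with a numeric KVNO, so the header lines are skipped.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Read "klist -k" output on stdin and print the entry that equals the wanted
# principal ($1) when compared case-insensitively. Kerberos compares the realm
# case-sensitively, so the keytab's own spelling (not the caller's) is printed:
# that is the exact string to hand to "kinit -k". Exit status 1 if no match.
match_principal() {
    wanted=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    keytab_principals | while IFS= read -r p; do
        if [ "$(printf '%s' "$p" | tr 'a-z' 'A-Z')" = "$wanted" ]; then
            printf '%s\n' "$p"
        fi
    done | grep .
}

# Demonstration on the constructed sample: a lowercase guess still resolves
# to the entry the keytab really holds.
printf '%s\n' "$SAMPLE_KLIST" | match_principal 'v-repo-op-02$@example.com'
```

On a real host, run `klist -k | match_principal 'HOST$@REALM'` as root (the keytab is root-only) and pass the printed entry to `kinit -k`.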