I’m new to sssd, so I’m not sure I have everything set up correctly, but from what I’ve seen setting up authentication against AD should be fairly easy.

I’m able to authenticate, and group lookups seem to work during authentication. When I look through the sssd domain log I see it going through my groups and enumerating users.

Unfortunately, it’s not able to resolve my gidNumber, which is in my personal LDAP entry in the user objectclass, not in the group objectclass.

This log entry happens when I ssh into the server or run ‘groups’ from the command line:

(Thu Jul  9 13:56:24 2015) [sssd[be[ad.mydomain.edu]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=182275)(objectclass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))][DC=ad,DC=mydomain,DC=edu].

Output of running ‘groups’ while my account is logged in:

groups: cannot find name for group ID 182275
182275

I’m in a lot of groups, so I can only assume that it tries to resolve my gidNumber, can’t, and gives up.

sssd version 1.11.5

sssd.conf

[sssd]
domains = ad.mydomain.edu
config_file_version = 2
services = nss, pam, pac

[domain/ad.mydomain.edu]
debug_level = 9
ad_domain = ad.mydomain.edu

id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

realmd_tags = manages-system joined-with-samba
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
ignore_group_members = False
ipa_hbac_support_srchost = True
ad_access_filter = memberOf=CN=MyOU IT FT,OU=Groups - DLs,OU=ITS,OU=MyOU,OU=City,DC=ad,DC=mydomain,DC=edu


nsswitch.conf

passwd:         compat sss
group:          compat sss
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss


Thanks for any help,

Neil
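As an added diagnostic example (not part of Neil's message and not sssd code), the Python below parses the sdap_get_generic_ext_step line quoted in the post, pulls out the LDAP filter, base and the gidNumber being looked up, and checks against a constructed list of group entries whether any group object carries that gidNumber; the sample log line is the one from the post, the group entries are made up.

```python
import re

# Constructed sample: the sdap_get_generic_ext_step line quoted in the post.
SAMPLE_LOG = (
    "(Thu Jul  9 13:56:24 2015) [sssd[be[ad.mydomain.edu]]] "
    "[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with "
    "[(&(gidNumber=182275)(objectclass=group)(name=*)"
    "(&(gidNumber=*)(!(gidNumber=0))))][DC=ad,DC=mydomain,DC=edu]."
)

# Shape of an sssd 1.x back-end debug line announcing an LDAP search.
LINE_RE = re.compile(
    r"\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): "
    r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]\.$"
)


def parse_search(line):
    """Split a 'calling ldap_search_ext' debug line into its parts, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    gid = re.search(r"\(gidNumber=(\d+)\)", d["filter"])
    d["gid"] = int(gid.group(1)) if gid else None
    # sssd only accepts a *group* object here; a gidNumber that lives
    # solely on a user entry can never satisfy this filter.
    d["wants_group_object"] = "(objectclass=group)" in d["filter"]
    return d


def diagnose(search, groups):
    """groups: constructed stand-ins for AD group objects ({name, gidNumber}).
    Returns ("ok", matching names) or (explanation, [])."""
    hits = [g["name"] for g in groups if g.get("gidNumber") == search["gid"]]
    if hits:
        return "ok", hits
    return ("no group object with gidNumber=%d under %s"
            % (search["gid"], search["base"]), [])


if __name__ == "__main__":
    s = parse_search(SAMPLE_LOG)
    # Constructed group list that lacks the user's primary GID.
    print(diagnose(s, [{"name": "MyOU IT FT", "gidNumber": 182300}]))
```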