Missing group memberships with sssd (when using tokengroups):
July, 2018.
Cross-subdomain AD authentication is partially working (fully working with ldap_use_tokengroups = False).
With ldap_use_tokengroups = True, some AD groups are missing for some accounts. Full details below.
Test server is in AMER.DELL.COM
Accounts and their missing AD group memberships (when ldap_use_tokengroups = True)
AdmJesse_Chan (account resides in APAC.DELL.COM)
tokengroups-enabled SSSD reports membership in:
uid=525641(admjesse_chan) gid=525641(admjesse_chan) groups=525641(admjesse_chan),1008(apacunixusers),1000(apaclinuxeng),1001(apaclinuxsup)
vas-enabled Linux server reports membership in:
uid=525641(admjesse_chan) gid=525641(admjesse_chan) groups=525641(admjesse_chan),1000(apaclinuxeng),1001(apaclinuxsup),1008(apacunixusers),1041(linux-core-engineering),1069(users)
diff is:
1041(linux-core-engineering),1069(users)
Both are AMER-only "domain local" groups.
linux-core-engineering is an AMER-only "domain local" group with GID 1041.
And actually, admjesse_chan is a member of 'users', but that's an APAC.DELL.COM domain AD group (that's not unix-enabled).
VAS is (mistakenly) reporting Jesse as a member of the AMER.DELL.COM 'users' group, which has a GID of 1069.
AdmPaulBowen (account resides in EMEA.DELL.COM)
tokengroups-enabled SSSD reports membership in:
uid=2103156(admpaul_bowen) gid=2103156(admpaul_bowen) groups=2103156(admpaul_bowen),1009(emeaunixusers)
vas-enabled Linux server reports membership in:
uid=2103156(admpaul_bowen) gid=2103156(admpaul_bowen) groups=2103156(admpaul_bowen),1153(emea_server_mgmt),1005(emealinuxsup),1009(emeaunixusers)
diff is:
1153(emea_server_mgmt),1005(emealinuxsup)
EMEA_SERVER_MGMT is a universal AD group with GID 1153.
EMEALINUXSUP is a universal AD group with GID 1005.
EMEAUNIXUSERS is a global AD group with GID 1009.
AdmDennis_Kennedy (account resides in EMEA.DELL.COM)
tokengroups-enabled SSSD:
uid=2890335(admdennis_kennedy) gid=2890335(admdennis_kennedy) groups=2890335(admdennis_kennedy),1009(emeaunixusers)
vas:
uid=2890335(admdennis_kennedy) gid=2890335(admdennis_kennedy) groups=2890335(admdennis_kennedy),1153(emea_server_mgmt),1004(emealinuxeng),1009(emeaunixusers),1041(linux-core-engineering)
diff:
1153(emea_server_mgmt),1004(emealinuxeng),1041(linux-core-engineering)
EMEA_SERVER_MGMT is a universal AD group with GID 1153.
EMEALINUXENG is a universal AD group with GID 1003.
linux-core-engineering is an AMER-only "domain local" group with GID 1041.
AdmSpike_White (account resides in AMER.DELL.COM)
tokengroups-enabled SSSD:
uid=2025431(admspike_white) gid=2025431(admspike_white) groups=2025431(admspike_white),1002(amerlinuxeng)
vas:
uid=2025431(admspike_white) gid=2025431(admspike_white) groups=2025431(admspike_white),1002(amerlinuxeng),1041(linux-core-engineering),1069(users)
diff:
1041(linux-core-engineering),1069(users)
linux-core-engineering is an AMER-only "domain local" group with GID 1041.
users is an AMER-only "builtin local" group with GID 1069.
AdmCesar_Guillen (account found in AMER.DELL.COM)
NOTE: AdmCesar_Guillen is found in AMERICAS.
tokengroups-enabled SSSD:
uid=2669411(admcesar_guillen) gid=2669411(admcesar_guillen) groups=2669411(admcesar_guillen),1010(amerunixusers)
vas:
uid=2669411(admcesar_guillen) gid=2669411(admcesar_guillen) groups=2669411(admcesar_guillen),1033(amer_server_mgmt),1002(amerlinuxeng),1010(amerunixusers),2284031(esg_bios_code_rw)
diff:
1033(amer_server_mgmt),1002(amerlinuxeng),2284031(esg_bios_code_rw)
amer_server_mgmt is an AMER global group with GID 1033. <--- why is sssd not reporting this?!?
amerlinuxeng is a universal AD group with GID 1002. <---------- why is sssd not reporting this?!? It's reported for AdmSpike_White, but not for AdmPatrick_Wheeler or AdmCesar_Guillen.
esg_bios_code_rw is a universal AD group with GID 2284031. <---------- why is sssd not reporting this?!?
AdmPatrick_Wheeler (account resides in AMER.DELL.COM)
tokengroups-enabled SSSD:
uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) groups=2604370(admpatrick_wheeler),1010(amerunixusers)
tokengroups-disabled SSSD:
uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1010(amerunixusers),1003(amerlinuxsup),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),2283577(delta_bd_create_emea),2283643(gebs_read_prd),2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),2283869(cowcprodsupport)
vas:
uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)
diff is:
1033(amer_server_mgmt)
1003(amerlinuxsup)
amer_server_mgmt is an AMER global group with GID 1033. <--- why is sssd not reporting this?!?
amerlinuxsup is an AMER universal group with GID 1003.
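Each diff above was worked out by hand from the two id lines. The following Python is an added example, not part of these notes or of sssd: it parses the id output from the tokengroups-enabled host and from the reference source (VAS or tokengroups-disabled SSSD), computes the missing groups, and buckets them by the AD group scope recorded in these notes, so that local-scope gaps and universal/global gaps are separated. The scope table and the sample id lines are taken from the cases above.

```python
import re

# Scope table constructed from the group descriptions in these notes.
GROUP_SCOPE = {
    "linux-core-engineering": "domain local", "users": "builtin local",
    "emea_server_mgmt": "universal", "emealinuxsup": "universal",
    "amer_server_mgmt": "global", "amerlinuxeng": "universal",
    "amerlinuxsup": "universal", "esg_bios_code_rw": "universal",
}
ID_GROUP = re.compile(r"(\d+)\(([^)]*)\)")

def parse_id_groups(id_line):
    """Return {gid: name} from the groups= field of one `id` output line."""
    return {int(g): n for g, n in ID_GROUP.findall(id_line.split("groups=", 1)[1])}

def missing_groups(sssd_line, reference_line):
    """Groups the reference source lists that the tokengroups-enabled SSSD host omits."""
    sssd, ref = parse_id_groups(sssd_line), parse_id_groups(reference_line)
    return {gid: name for gid, name in ref.items() if gid not in sssd}

def classify_missing(missing, scope_table=GROUP_SCOPE):
    """Bucket missing groups by AD scope. In these notes the local-scope groups
    (domain local / builtin local) are consistently absent under tokengroups;
    missing universal/global groups are the cases the notes flag as unexplained."""
    report = {"local": [], "nonlocal": [], "unknown": []}
    for gid, name in sorted(missing.items()):
        scope = scope_table.get(name)
        if scope is None:
            report["unknown"].append((gid, name))
        elif scope.endswith("local"):
            report["local"].append((gid, name, scope))
        else:
            report["nonlocal"].append((gid, name, scope))
    return report

# Sample id lines copied from the AdmCesar_Guillen case in these notes.
SSSD_LINE = ("uid=2669411(admcesar_guillen) gid=2669411(admcesar_guillen) "
             "groups=2669411(admcesar_guillen),1010(amerunixusers)")
VAS_LINE = ("uid=2669411(admcesar_guillen) gid=2669411(admcesar_guillen) "
            "groups=2669411(admcesar_guillen),1033(amer_server_mgmt),1002(amerlinuxeng),"
            "1010(amerunixusers),2284031(esg_bios_code_rw)")

if __name__ == "__main__":
    for bucket, entries in classify_missing(missing_groups(SSSD_LINE, VAS_LINE)).items():
        print(bucket, entries)
```

Feeding it the AdmJesse_Chan pair puts both gaps (1041 and 1069) in the local bucket, while the AdmCesar_Guillen pair puts all three in the nonlocal bucket, which matches where the question marks sit in the notes.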