On Thu, Aug 08, 2019 at 01:25:08PM -0400, Josh Snyder wrote:
> Hi All,
>
> I'm working in a proof of concept for a customer where I've been asked to
> join the child domain of a Microsoft Active Directory domain,
> child.example.com.  Users will primarily exist in the parent, example.com,
> but some users will also exist in the child.  The application requires that
> all users have a specific primary GID, 1100, which is defined in /etc/group
> and I'm attempting to apply via override_gid.
>
> User authentication via either the child or parent is successful, however,
> the override_gid is only applied to users of the child, @child.example.com
> and NOT for users of the parent, @example.com.
>
> I saw what looked to be a similar post to this list from Sep 2018.  It was
> suggested this may be a bug.  I didn't see a follow-up/resolution to that
> thread.  Is this issue being tracked or has it been resolved?

Hi,

in contrast to other options the override_gid options is not
automatically inherited to sub-domains (from the SSSD point of view). I
think this is better than the other way round because the given GID
might make sense in one domain but not in the other.

The version of SSSD you are using allows to set options for sub-domains
individually. Please try to add:


[domain/child.example.com/example.com]
override_gid = 1100

to sssd.conf. This works for many options but I have not tested
override_gid yet. Sp please let me know if this works or not.

HTH

bye,
Sumit

>
> Below is my sssd.conf:
>
> [root@linux2 sssd]# cat sssd.conf
>
> [sssd]
> domains = child.example.com
> config_file_version = 2
> services = nss, pam
> default_domain_suffix = EXAMPLE.COM
>
> [domain/child.example.com]
> ad_domain = child.example.com
> krb5_realm = CHILD.EXAMPLE.COM
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = True
> fallback_homedir = /home/%u@%d
> access_provider = ad
> ad_access_filter = FOREST:example.com:
> (memberOf:1.2.840.113556.1.4.1941:=CN=LinuxUsers,ou=Groups,dc=child,dc=example,dc=com)
>
> auth_provider = ad
> chpass_provider = ad
> ldap_schema = ad
>
> override_gid = 1100
>
> CentOS Version:
>
> [root@linux2 sssd]# cat /etc/redhat-release
> CentOS Linux release 7.5.1804 (Core)
>
> SSSD Component Versions:
>
> [root@linux2 sssd]# rpm -qa |grep sssd
> sssd-common-pac-1.16.2-13.el7_6.8.x86_64
> sssd-ldap-1.16.2-13.el7_6.8.x86_64
> python-sssdconfig-1.16.2-13.el7_6.8.noarch
> sssd-client-1.16.2-13.el7_6.8.x86_64
> sssd-krb5-common-1.16.2-13.el7_6.8.x86_64
> sssd-ipa-1.16.2-13.el7_6.8.x86_64
> sssd-krb5-1.16.2-13.el7_6.8.x86_64
> sssd-dbus-1.16.2-13.el7_6.8.x86_64
> sssd-proxy-1.16.2-13.el7_6.8.x86_64
> sssd-tools-1.16.2-13.el7_6.8.x86_64
> sssd-common-1.16.2-13.el7_6.8.x86_64
> sssd-ad-1.16.2-13.el7_6.8.x86_64
> sssd-1.16.2-13.el7_6.8.x86_64
>
>
> Thanks,
> -Josh

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org