I have an external LDAP metadirectory acting as an identity provider for my Linux domain.
The metadirectory overrides and supplements the upstream identity source (e.g., it passes
through sn, givenName, mail, telephoneNumber; but overrides or adds uidNumber, gidNumber,
loginShell, etc.). The directory also holds RFC 2307 group information, and the groups
contain members from multiple upstream sources. Authentication via simple bind (for web
apps) is passed through to the relevant upstream provider. LDAP works great.
For command line login, I want to use Kerberos. Each upstream provider is configured as a
domain within sssd which uses LDAP for identities and Kerberos for authentication. The
local, Linux domain-wide groups are included as one of the domain definitions, but not the
others. For instance, I have defined domains A, B, and C. Domain A contains group
information having members from all three. Domains B and C essentially have no groups
defined.
"getent passwd user" works. Authentication works. "getent group test"
works, initially... SSSD is removing users from my group. "sss_cache -G" restores the user
(i.e., "getent group test" includes the user), but the first time the user tries to exercise
their permissions by accessing a file on the filesystem, they get a permission denied and
are removed from the group ("getent group test" does not include the user).
Are cross-realm groups something that sssd is designed to prohibit?