Hi,
I have an issue with SSSD 1.12.5 resolving group membership.
Only the POSIX primary group is displayed for user accounts.
The group is visible on the system but is not displayed by the ‘id’ or ‘groups’ commands.
getent group 30000005
data-adm-lnx-nfs0a-rw-id-00001:*:30000005:
getent group data-adm-lnx-nfs0a-rw-id-00001
data-adm-lnx-nfs0a-rw-id-00001:*:30000005:
id user1
uid=xxxxxxx(user1) gid=30000000(lnx-primary) groups=30000000(lnx-primary)
The group object has a POSIX gid and is set up as a universal group in realm A.C.DOM.ORG:
…
gidNumber = 30000005
memberUid: user1, user2
….
I have AD as id_, access_ and auth_provider.
Users have POSIX attributes in AD.
The computer and group objects are from the same realm: A.C.DOM.ORG.
User objects are in all realms: N.C.DOM.ORG, A.C.DOM.ORG, C.DOM.ORG
With my setup I can achieve:
- login with short names across realms
- access to the kerberized NFS home directory
Is there a way to resolve group membership correctly with this setup?
My sssd.conf:
[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
[sssd]
debug_level = 6
domains = n.c.dom.org,a.c.dom.org,c.dom.org
config_file_version = 2
services = nss,pam,ssh
[pam]
pam_verbosity = 3
debug_level = 9
[domain/n.c.dom.org]
debug_level = 9
dyndns_update = false
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = n.c.dom.org
krb5_realm = N.C.DOM.ORG
#cache_credentials = True
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
ad_gpo_access_control = disabled
[domain/a.c.dom.org]
debug_level = 9
dyndns_update = false
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = a.c.dom.org
krb5_realm = A.C.DOM.ORG
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
ad_gpo_access_control = disabled
[domain/c.dom.org]
debug_level = 9
dyndns_update = true
dyndns_update_ptr = false
ad_hostname = adm-lnx101.a.c.dom.org
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = c.dom.org
krb5_realm = C.DOM.ORG
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
ad_gpo_access_control = disabled
Best,
longina
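Added example (not part of the original post and not SSSD project code): a small POSIX shell audit that compares the groups a directory's member lists say a user belongs to with the groups the system actually grants, i.e. what `id -Gn USER` returns. It detects systematically the gap described above (the group lists user1 as a member, but `id user1` shows only the primary group), which matters because any NFS export, sudo rule or file ACL keyed on that group will silently not apply. The sample data is constructed to mirror the post; the function names are my own.

```shell
#!/bin/sh
# Added example: audit directory group membership against what the system grants.
# Input format is what `getent group NAME...` prints: name:passwd:gid:member1,member2
# Limitation: group names containing whitespace are not handled (they are split).

# expected_groups USER GROUP_DB
# Print, one per line, every group in GROUP_DB whose member list contains USER.
expected_groups() {
    user="$1"; db="$2"
    printf '%s\n' "$db" | awk -F: -v u="$user" '
        NF >= 4 {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }'
}

# missing_groups USER GROUP_DB ACTUAL_GROUPS
# ACTUAL_GROUPS is the space-separated output of `id -Gn USER`.
# Print the groups the directory lists USER in that the system does not grant.
missing_groups() {
    user="$1"; db="$2"; actual="$3"
    for g in $(expected_groups "$user" "$db"); do
        case " $actual " in
            *" $g "*) ;;                 # granted: nothing to report
            *) printf '%s\n' "$g" ;;      # listed in the directory, not granted
        esac
    done
}

# audit_user USER GROUP_DB ACTUAL_GROUPS
# Exit 0 when directory and system agree, 1 when some listed group is not granted.
audit_user() {
    missing=$(missing_groups "$@")
    if [ -n "$missing" ]; then
        echo "MISMATCH for $1: listed in the directory but not granted by the system:" >&2
        printf '  %s\n' $missing >&2
        return 1
    fi
    echo "OK for $1: directory and system membership agree" >&2
    return 0
}

# Constructed sample data mirroring the post (getent group output for the
# primary group and two supplemental groups; GIDs/names illustrative only).
SAMPLE_GROUPS='lnx-primary:*:30000000:
data-adm-lnx-nfs0a-rw-id-00001:*:30000005:user1,user2
data-adm-lnx-nfs0b-ro-id-00002:*:30000006:user2'
# Constructed: what `id -Gn user1` returned in the post (primary group only).
SAMPLE_ID_OUTPUT='lnx-primary'

# Demo run on the constructed data: prints the mismatch and exits 1.
# On a live host pass the group names you expect explicitly, because
# `getent group` with no argument only enumerates when enumerate = true:
#   audit_user user1 "$(getent group data-adm-lnx-nfs0a-rw-id-00001)" "$(id -Gn user1)"
audit_user user1 "$SAMPLE_GROUPS" "$SAMPLE_ID_OUTPUT"
```

Two things worth confirming against the group object shown above before trusting any fix: with `id_provider = ad` SSSD uses the AD schema, whose group membership attribute is the DN-valued `member` (the `ldap_group_member` default for the ad schema), so a group populated only through `memberUid` is not expanded by the ad provider; and since each realm is a separate `[domain]` section with `subdomains_provider = none`, the three domains are resolved independently, so members whose DNs live in another configured realm are a second place to look.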
[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
#override_home_directory = /home/%u
[sssd]
debug_level = 6
domains = nat.c.sdu.dk,adm.c.sdu.dk,c.sdu.dk
#default_domain_suffix = c.sdu.dk
config_file_version = 2
services = nss,pam
[pam]
pam_verbosity = 3
debug_level = 9
[domain/LOCAL]
description = local machine accounts
id_provider = local
enumerate = true
min_id = 101
max_id = 1100
[domain/nat.c.sdu.dk]
debug_level = 9
dyndns_update = false
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = nat.c.sdu.dk
krb5_realm = NAT.C.SDU.DK
#cache_credentials = True
#krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
[domain/adm.c.sdu.dk]
debug_level = 9
dyndns_update = false
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = adm.c.sdu.dk
krb5_realm = ADM.C.SDU.DK
#cache_credentials = True
#krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
[domain/c.sdu.dk]
debug_level = 9
dyndns_update_ptr = false
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = c.sdu.dk
krb5_realm = C.SDU.DK
#cache_credentials = True
#krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
dyndns_update = true
ad_hostname = test-lnx03.a.c.dom.org
The topology of
Best regards
Longina