I've previously looked at moving a NIS domain which had a group per user in
the Red Hat fashion to an AD domain, and my plan had been to set the
uidNumber to the user's UID, and then create a group for each user named
"g_<username>" - this group would have the same ID as the user's GID.
The move from NIS to AD didn't happen, so I didn't get a large scale test
of this idea...
John
On 13 July 2015 at 20:36, Rowland Penny <repenny241155(a)gmail.com> wrote:
On 13/07/15 20:24, Thackeray, Neil L wrote:
> gidNumber '182275' is the gidNumber in my LDAP entry only. There is no
> actual group corresponding to this gidNumber. I have zero control over how
> our AD is configured, so I couldn't change this if I wanted to.
>
And there is your problem: whilst you can add a gidNumber to a user's
object in AD, it is meaningless unless it is also the gidNumber of an
actual group in AD. I think you are trying to set up a personal user group
with the same name as your user; this is not allowed in AD.
Rowland
> dn: CN=neilt,OU=People,DC=ad,DC=mydomain,DC=edu
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> givenName: Neil
> distinguishedName: CN=neilt,OU=People,DC=ad,DC=mydomain,DC=edu
> instanceType: 4
> uidNumber: 182275
> gidNumber: 182275
> extensionAttribute2: O365
> SAMAccountType: 805306368
>
> -----Original Message-----
> From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:
> sssd-users-bounces(a)lists.fedorahosted.org] On Behalf Of Rowland Penny
> Sent: Monday, July 13, 2015 1:06 PM
> To: sssd-users(a)lists.fedorahosted.org
> Subject: Re: [SSSD-users] gidNumber resolution problem
>
> On 13/07/15 18:42, Thackeray, Neil L wrote:
>
>> I've upgraded to 1.12.5, but the result is still the same. I don't
>> understand why sssd is treating my gidNumber as a group when it resides in
>> the users entry in objectclass user.
>>
>> This ldap search doesn't work:
>> ldapsearch -LLL -x -H ldaps://ldaps.ad.mydomain.edu:636/ -b dc=ad,dc=mydomain,dc=edu -D bi-svc-ems(a)ad.mydomain.edu -W -s sub "(&(gidNumber=182275)(objectClass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))"
>>
>> This ldap search does work:
>> ldapsearch -LLL -x -H ldaps://ldaps.ad.mydomain.edu:636/ -b dc=ad,dc=mydomain,dc=edu -D bi-svc-ems(a)ad.mydomain.edu -W -s sub "(&(gidNumber=182275)(objectClass=user)(name=*)(&(gidNumber=*)(!(gidNumber=0))))"
>>
>>
> Hi, does the gidNumber '182275' have a corresponding group to go with it?
>
> Rowland
>
>
>> This is part of what the debug for nss looks like. It seems that it's
>> connecting:
>> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b210:2:182275@ad.mydomain.edu]
>> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ad.mydomain.edu][4098][1][idnumber=182275]
>> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x175ef80
>> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b210:2:182275@ad.mydomain.edu]
>> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [182275]
>> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x175ef80
>> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x175a650
>> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
>> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
>> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 1, 11, Fast reply - offline
>>
>> -----Original Message-----
>> From: sssd-users-bounces(a)lists.fedorahosted.org
>> [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Lukas
>> Slebodnik
>> Sent: Friday, July 10, 2015 2:45 AM
>> To: End-user discussions about the System Security Services Daemon
>> Subject: Re: [SSSD-users] gidNumber resolution problem
>>
>> On (09/07/15 22:36), Thackeray, Neil L wrote:
>>
>>> I'm new to sssd, so I'm not sure I have everything set up correctly,
>>> but from what I've seen setting up authentication against AD should be
>>> fairly easy.
>>>
>>> I'm able to authenticate, and group lookups seem to work during
>>> authentication. When I look through the sssd domain log I see it going
>>> through my groups and enumerating users.
>>>
>>> Unfortunately, it's not able to resolve my gidNumber which is in my
>>> personal LDAP entry in the user objectclass not in the group objectclass.
>>>
>>> This log entry happens when I ssh into the server or run 'groups'
>>> from the command line.
>>> (Thu Jul 9 13:56:24 2015) [sssd[be[ad.mydomain.edu]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=182275)(objectclass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))][DC=ad,DC=mydomain,DC=edu].
>>>
>>> Output of running 'groups' while my account is logged in:
>>> groups: cannot find name for group ID 182275
>>> 182275
>>>
>>> I'm in a lot of groups, so I can only assume that it tries to resolve
>>> my gidNumber, can't and gives up.
>>>
>>> sssd version 1.11.5
>>>
>> 1.11.5 may contain some bugs. So please test with latest 1.11 version
>> or latest 1.12 version
>>
>>> sssd.conf
>>> [sssd]
>>> domains = ad.mydomain.edu
>>> config_file_version = 2
>>> services = nss, pam, pac
>>>
>>> [domain/ad.mydomain.edu]
>>> debug_level = 9
>>> ad_domain = ad.mydomain.edu
>>>
>>> id_provider = ad
>>> auth_provider = ad
>>> access_provider = ad
>>> chpass_provider = ad
>>>
>>> realmd_tags = manages-system joined-with-samba
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> default_shell = /bin/bash
>>> ldap_id_mapping = False
>>> use_fully_qualified_names = False
>>> fallback_homedir = /home/%u
>>> ignore_group_members = False
>>> ipa_hbac_support_srchost = True
>>>
>> This option will be ignored because it is an ipa related option and you
>> are using ad provider.
>>
>>> ad_access_filter = memberOf=CN=MyOU IT FT,OU=Groups - DLs,OU=ITS,OU=MyOU,OU=City,DC=ad,DC=mydomain,DC=ed
>>>
>> Does it work if you remove this line?
>>
>> BTW you can use simple access provider instead of such filter.
>> @see man sssd-simple
>>
>> I would also recommend to read our wiki page
>>
>> https://fedorahosted.org/sssd/wiki/Troubleshooting
>>
>> LS
>> _______________________________________________
>> sssd-users mailing list
>> sssd-users(a)lists.fedorahosted.org
>>
>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
--
John Beranek
To generalise is to be an idiot.
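Rowland's point above (a gidNumber on a user object means nothing to SSSD unless some group object carries the same gidNumber) and John's "g_<username>" workaround, as an added Python example that is not from the thread: it replays the getgrgid() filter SSSD logged against a constructed in-memory set of directory entries and flags users whose primary GID resolves to no group. The DN layout, the entries other than neilt, and the helper names are assumptions.

```python
from typing import Any, Dict, Iterable, List, Optional

Entry = Dict[str, Any]

# Constructed entries mirroring the thread: neilt's gidNumber equals his
# uidNumber and no group object carries it; alice's gidNumber does map to
# a group. Nothing here was fetched from a real directory.
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": "CN=neilt,OU=People,DC=ad,DC=mydomain,DC=edu", "name": "neilt",
     "objectClass": {"top", "person", "organizationalPerson", "user"},
     "uidNumber": 182275, "gidNumber": 182275},
    {"dn": "CN=alice,OU=People,DC=ad,DC=mydomain,DC=edu", "name": "alice",
     "objectClass": {"top", "person", "organizationalPerson", "user"},
     "uidNumber": 10001, "gidNumber": 10000},
    {"dn": "CN=linuxusers,OU=Groups,DC=ad,DC=mydomain,DC=edu",
     "name": "linuxusers", "objectClass": {"top", "group"},
     "gidNumber": 10000},
]


def resolve_gid(entries: Iterable[Entry], gid: int) -> Optional[Entry]:
    """Apply the getgrgid filter SSSD logged in the thread:
    (&(gidNumber=N)(objectClass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))
    A gidNumber stored on a *user* object never satisfies objectClass=group,
    which is why 'groups' printed a bare number for neilt."""
    for e in entries:
        classes = {str(c).lower() for c in e.get("objectClass", ())}
        g = e.get("gidNumber")
        if "group" in classes and e.get("name") and g == gid and g != 0:
            return e
    return None


def dangling_primary_gids(entries: List[Entry]) -> List[str]:
    """Names of user entries whose gidNumber resolves to no group object."""
    return [str(e["name"]) for e in entries
            if "user" in {str(c).lower() for c in e.get("objectClass", ())}
            and e.get("gidNumber") is not None
            and resolve_gid(entries, e["gidNumber"]) is None]


def personal_group_for(user: Entry,
                       groups_ou: str = "OU=Groups,DC=ad,DC=mydomain,DC=edu") -> Entry:
    """Build the per-user 'g_<username>' group John describes (hypothetical
    DN layout); the prefix keeps the group name distinct from the account."""
    name = f"g_{user['name']}"
    return {"dn": f"CN={name},{groups_ou}", "name": name,
            "objectClass": {"top", "group"}, "gidNumber": user["gidNumber"]}
```

Running `dangling_primary_gids` against a real export (one dict per entry) gives the list of accounts that will show a bare numeric GID until a matching group exists.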