On Thu, Jul 09, 2015 at 10:36:37PM +0000, Thackeray, Neil L wrote:
I'm new to sssd, so I'm not sure I have everything set up
correctly, but from what I've seen setting up authentication against AD should be
fairly easy.
I'm able to authenticate, and group lookups seem to work during authentication. When
I look through the sssd domain log I see it going through my groups and enumerating
users.
Unfortunately, it's not able to resolve my gidNumber which is in my personal LDAP
entry in the user objectclass not in the group objectclass.
This log entry happens when I ssh into the server or run 'groups' from the
command line.
(Thu Jul 9 13:56:24 2015) [sssd[be[ad.mydomain.edu]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=182275)(objectclass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))][DC=ad,DC=mydomain,DC=edu].
Output of running 'groups' while my account is logged in:
groups: cannot find name for group ID 182275
182275
I'm in a lot of groups, so I can only assume that it tries to resolve my gidNumber,
can't and gives up.
If I understand it correctly, your AD user entry contains a UID and a GID
for the user, but there is no group object with this GID, because it is
a user private group (a group where only the user is a member).
Could you please try to call 'id' instead of 'groups' and check if this
returns all your group memberships (maybe only with the numerical GID)?
bye,
Sumit
sssd version 1.11.5
sssd.conf
[sssd]
domains = ad.mydomain.edu
config_file_version = 2
services = nss, pam, pac
[domain/ad.mydomain.edu]
debug_level = 9
ad_domain = ad.mydomain.edu
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
realmd_tags = manages-system joined-with-samba
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
ignore_group_members = False
ipa_hbac_support_srchost = True
ad_access_filter = memberOf=CN=MyOU IT FT,OU=Groups - DLs,OU=ITS,OU=MyOU,OU=City,DC=ad,DC=mydomain,DC=edu
nsswitch.conf
passwd: compat sss
group: compat sss
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
Thanks for any help,
Neil
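
Added example, not part of the original thread and not sssd code: a small Python evaluator for the filter in the logged ldap_search_ext call, run against constructed entries, showing that a user entry carrying gidNumber=182275 fails only the (objectclass=group) clause, so the search returns no group to name. The sample entries and the function names are assumptions made for the illustration.

```python
# Added illustration: evaluate the filter from the sssd log against sample entries.
# Supports only the syntax that filter uses: & | ! attr=value attr=*
FILTER = ("(&(gidNumber=182275)(objectclass=group)(name=*)"
          "(&(gidNumber=*)(!(gidNumber=0))))")  # copied from the log line above

def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1

def matches(node, entry):
    """entry maps lower-case attribute names to lists of values."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1].lower(), [])]
    return bool(values) if node[2] == "*" else node[2].lower() in values

def render(node):
    if node[0] == "=":
        return f"({node[1]}={node[2]})"
    return "(" + node[0] + "".join(render(k) for k in node[1]) + ")"

def failing_clauses(filter_text, entry):
    """Top-level clauses of an AND filter that the entry does not satisfy."""
    tree, _ = parse(filter_text)
    return [render(k) for k in tree[1] if not matches(k, entry)]

# Constructed entries (not from the thread): a user carrying the GID, and a group.
USER = {"objectclass": ["top", "person", "organizationalPerson", "user"],
        "name": ["neil"], "uidnumber": ["182275"], "gidnumber": ["182275"]}
GROUP = {"objectclass": ["top", "group"], "name": ["staff"], "gidnumber": ["10001"]}

if __name__ == "__main__":
    print("user entry fails: ", failing_clauses(FILTER, USER))
    print("group entry fails:", failing_clauses(FILTER, GROUP))
```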