From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces(a)lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 14 August 2015 10:19
Subject: Re: [SSSD-users] SSSD-1.12.5 and group membership problem
On Thu, Aug 13, 2015 at 04:32:12PM +0000, Longina Przybyszewska wrote:
> I have an issue with SSSD-1.12.5 with resolving group membership.
> Only Posix primary group is displayed for users accounts.
> Group is visible on the system but not displayed from 'id' or
> getent group 30000005
> getent group data-adm-lnx-nfs0a-rw-id-00001
> id user1
> uid=xxxxxxx(user1) gid=30000000(lnx-primary)
> Group object has Posix gid and is setup as universal group in realm
> gidNumber = 30000005
> memberUid: user1, user2
> I have AD as id_,access_auth_provider.
> Users have got Posix attributes in AD.
> Computer and group objects are from the same realm: A.C.DOM.ORG
> User objects are in all realms: N.C.DOM.ORG
> With my setup I can achieve:
> - login with short names across realm
> - access kerberized nfs homedir
> Is there a way to resolve correctly group's membership with this setup??
It's not really possible to answer without logs, but if you're looking for
domain memberships, then you need to use only one [domain] section in
sssd.conf and let the id_provider=ad (or rather subdomain_provider=ad, but
its value is inherited from id_provider, no need to set it explicitly) discover
What might also be problematic is using POSIX IDs -- because only the Global
Catalog can be used to resolve cross-domain memberships at the moment
and POSIX attributes are not normally present in GC, then maybe the safest
way would be to modify the AD schema to replicate the attributes to GC.
on GC port, memberOf attributes are missing;
I thought that if it is a Universal Group, it is replicated as it is to GC.
Actually I started with one domain in sssd.conf (1.11.5), but couldn't get cross-realm authentication and Kerberos nfs/idmapping to work together until I put all domains in sssd.conf. I continue this setup with 1.12.5, after upgrade.
I have to stick to Ubuntu and sssd releases in repos.
Recently I wanted to give realmd a chance with sssd-1.12.5 again, and made a setup from scratch without success.
The only discovered domain with the auto-built sssd.conf was the one to which the machine was