Hello!
While writing you a mail I discovered that the Kerberos principal used by sssd
(NIX$) doesn't have permissions for some ldap-attributes (all problem
accounts had special AD (ldap) permissions). After resetting permissions
in ADUC, the problem disappears.
It seems, sssd makes more strict account checking than winbind (which
works fine in the same situation). Maybe it's too strict for
discovering group membership. Or you're considering this normal?
Attributes which were not readable before resetting permissions:
accountExpires:
badPasswordTime:
badPwdCount:
homeDirectory:
homeDrive:
instanceType:
lastLogoff:
lastLogon:
logonCount:
logonHours:
msSFU30NisDomain:
pwdLastSet:
scriptPath:
userAccountControl:
uSNChanged:
uSNCreated:
whenChanged:
whenCreated:
What do you think about this, should I still file a report?
Anyway, thanks a lot!
---
Best regards,
Sergey Urushkin
Jakub Hrozek wrote on 2014-11-13 12:50:
On Wed, Nov 12, 2014 at 02:31:43PM +0300, Sergey Urushkin wrote:
> Hello!
>
> >I am not sure from rest of your mail which version of sssd is problematic?
> >sssd-1.11.5 has some known issues.
> >
> >BTW: log files from sssd-1-11.7 would be the best for troubleshooting.
>
> All of them are problematic: 1.11.5, 1.11.7, 1.12.2
>
> I've just tried to reproduce the issue on fresh 2008r2 and samba 4.1.6 AD
> installations (both) to send you log files, but without success. It seems,
> the issue affects only running samba4-AD installation and only several users
> from domain.
I see, this is not common but we've already had bugs that affected Samba
but not AD -- while Samba tries to be an AD implementation, there might
be differences.
> I've created the user with the same membership and other
> parameters as one of the affected - sudo works fine for him. So, I've dumped
> log files for both users, but I don't really want to show this info in
> public. And it seems that there is no option for private bug report here -
> https://fedorahosted.org/sssd/newticket . So, tell me, please, who could I
> send mail with additional info to?
You can send the logs to me and Lukas.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
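
An added example, not part of the original thread and not SSSD code: one way to find attributes a bind principal cannot read is to dump the same entries as LDIF twice (for example with ldapsearch), once bound as an administrator and once as that principal, and diff the attribute names per entry. The sample LDIF, the DN and the function names are constructed for illustration.

```python
import base64
from collections import defaultdict

def parse_ldif(text):
    """Map each DN to the set of attribute names present in LDIF search output."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn = defaultdict(set), None
    for line in lines:
        if not line.strip():                # blank line ends the entry
            dn = None
        elif line.startswith("#") or ":" not in line:
            continue                        # comment line
        else:
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                if value.startswith(":"):   # "dn:: ..." is base64 (non-ASCII DN)
                    value = base64.b64decode(value[1:].strip()).decode("utf-8")
                dn = value.strip().lower()
            elif dn is not None:            # skips "version:", "search:", "result:"
                # Attribute names are case-insensitive; drop options such as ";range="
                entries[dn].add(name.split(";")[0].lower())
    return dict(entries)

def unreadable_attributes(admin_ldif, principal_ldif):
    """Per DN, attributes the admin bind returned but the principal's bind did not."""
    admin, principal = parse_ldif(admin_ldif), parse_ldif(principal_ldif)
    report = {dn: sorted(attrs - principal.get(dn, set())) for dn, attrs in admin.items()}
    return {dn: missing for dn, missing in report.items() if missing}

# Constructed sample output; the DN and values are placeholders, not from the thread.
ADMIN_LDIF = """dn: CN=Test User,CN=Users,DC=example,DC=test
sAMAccountName: testuser
userAccountControl: 512
accountExpires: 0
memberOf: CN=Sudoers,CN=Users,DC=exam
 ple,DC=test
"""
PRINCIPAL_LDIF = """dn: CN=Test User,CN=Users,DC=example,DC=test
sAMAccountName: testuser
memberOf: CN=Sudoers,CN=Users,DC=example,DC=test
"""

if __name__ == "__main__":
    print(unreadable_attributes(ADMIN_LDIF, PRINCIPAL_LDIF))
```

Running the comparison for an affected user and for a working user shows whether the difference is in directory ACLs rather than in the client configuration.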