Hi!
We have been debugging this problem for two weeks. We have 389-ds running multi-master with 3 RHEL6 servers and a RHEL5. The RHEL5 ldap clients authenticate correctly to the RHEL6 389-ds directory server and with the 'id' command can see all groups a user belongs to. The same command on a RHEL6 ldap client using sssd shows ONLY the primary group. If we change the ldap clients to point at the RHEL5 389-ds directory server the same results occur. The one consistency is that any RHEL6 ldap client we set up will authenticate to either RHEL5 or RHEL6, but the entire list of groups that user belongs to does not transfer, independent of server version. We have enumerate set to true and we have ldap_group_member set to uniqueMember. This seems to point to the ldap client, as the RHEL5 client works just fine and both RHEL5 and RHEL6 389-ds servers react the same, but we're not sure how to correct it, or whether it is a bug. HELP?
We had this posted in 389-users but were referred to the sssd list. id of a user (id JSmith) only returns the primary group, not a complete list of the groups that user belongs to. getent group MyGroup lists the subgroups by name but not the members. On a RHEL5 ldap client the same entries provide a complete list of groups the user belongs to when entering id JSmith. getent group MyGroup also burrows down through subgroups to list all users that belong to that group, either directly or because a group they belong to belongs to the group MyGroup. Any ideas? The problem seems to be with the RHEL 6 ldap client and some settings in sssd, but we are not sure where to go from here.
Thanks, Ted
Ted Rush Common ARTS Information System Security ISSO/POC Common ARTS Software Development System Lead (609) 485-5917
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 10/22/2013 12:13 PM, ted.rush@faa.gov wrote:
Hi!
We have been debugging this problem for two weeks. We have 389-ds running multi-master with 3 RHEL6 servers and a RHEL5. The RHEL5 ldap clients authenticate correctly to the RHEL6 389-ds directory server and with the 'id' command can see all groups a user belongs to. The same command on a RHEL6 ldap client using sssd shows ONLY the primary group. If we change the ldap clients to point at the RHEL5 389-ds directory server the same results occur. The one consistency is that any RHEL6 ldap client we set up will authenticate to either RHEL5 or RHEL6, but the entire list of groups that user belongs to does not transfer, independent of server version. We have enumerate set to true and we have ldap_group_member set to uniqueMember. This seems to point to the ldap client, as the RHEL5 client works just fine and both RHEL5 and RHEL6 389-ds servers react the same, but we're not sure how to correct it, or whether it is a bug. HELP?
We had this posted in 389-users but were referred to the sssd list. id of a user (id JSmith) only returns the primary group, not a complete list of the groups that user belongs to. getent group MyGroup lists the subgroups by name but not the members. On a RHEL5 ldap client the same entries provide a complete list of groups the user belongs to when entering id JSmith. getent group MyGroup also burrows down through subgroups to list all users that belong to that group, either directly or because a group they belong to belongs to the group MyGroup. Any ideas? The problem seems to be with the RHEL 6 ldap client and some settings in sssd, but we are not sure where to go from here.
I suspect that things will work properly if you set
ldap_schema = rfc2307bis
in the [domain/DOMAINNAME] section of /etc/sssd/sssd.conf and run 'service sssd restart'
For other things to try, check out https://fedorahosted.org/sssd/wiki/FAQ#CommonIssues
If none of those suggestions work, please follow the tips on https://fedorahosted.org/sssd/wiki/Troubleshooting for reporting an issue.
Stephen, I made that change to have it reference 2307bis. I also added ldap_group_object_class = groupofuniquenames, removed the cached data and restarted sssd. This did work. I tried the bis setting before, but I did not clear the cache, which may have been hampering my tests. This seems to test well so far. Thank you for the help.
Talk to you later, Ted
Ted Rush Common ARTS Information System Security ISSO/POC Common ARTS Software Development System Lead (609) 485-5917
From: Stephen Gallagher sgallagh@redhat.com
To: sssd-users@lists.fedorahosted.org, Ted Rush/ACT/FAA@FAA
Date: 10/22/2013 01:01 PM
Subject: Re: [SSSD-users] RHEL 6 ldap client can query a group, but cannot traverse groups of groups.
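A worked pre-flight check for the configuration discussed in this thread, added here as an example; it is not code from the thread or from the SSSD project. It embeds two constructed sssd.conf domain sections: the "before" state Ted describes (no ldap_schema, so the rfc2307 default, with ldap_group_member = uniqueMember) and the "after" state with ldap_schema = rfc2307bis and ldap_group_object_class = groupOfUniqueNames. The server ds.example.com, the base dc=example,dc=com and the domain name "example" are placeholders. The check parses only the [domain/...] section and flags the mismatch behind the symptom: under rfc2307, sssd reads the membership attribute as a list of user names (memberUid), so the DNs stored in uniqueMember never match any user and nested groups are never expanded, which is why id(1) reports only the primary group. rfc2307bis makes sssd treat the values as DNs and follow nesting up to ldap_group_nesting_level (default 2).

```shell
#!/bin/sh
# Added example (not from the thread or the SSSD project): detect an sssd.conf
# domain section whose group-membership attribute holds DNs while the schema
# is still the rfc2307 default, the combination that yields "primary group only".

# Constructed "before" config mirroring the settings described in the thread.
# ds.example.com / dc=example,dc=com are placeholders.
BEFORE_CONF=$(cat <<'EOF'
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ds.example.com
ldap_search_base = dc=example,dc=com
enumerate = true
ldap_group_member = uniqueMember
EOF
)

# Constructed "after" config: the change Stephen suggested plus the object
# class Ted added, so 389-ds groupOfUniqueNames entries resolve and nest.
AFTER_CONF=$(cat <<'EOF'
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ds.example.com
ldap_search_base = dc=example,dc=com
enumerate = true
ldap_schema = rfc2307bis
ldap_group_object_class = groupOfUniqueNames
ldap_group_member = uniqueMember
ldap_group_nesting_level = 2
EOF
)

# domain_value KEY  (config on stdin): print KEY's value from the first
# [domain/...] section, ignoring [sssd], [nss], comments and other sections.
domain_value() {
  awk -v key="$1" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { indom = ($0 ~ /^[ \t]*\[domain\//); next }
    indom && index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) {
        v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v; exit
      }
    }'
}

# check_group_schema "$conf": return 0 when the domain can resolve DN-valued
# (and nested) group membership, 1 with a diagnosis when it cannot.
check_group_schema() {
  schema=$(printf '%s\n' "$1" | domain_value ldap_schema | tr 'A-Z' 'a-z')
  member=$(printf '%s\n' "$1" | domain_value ldap_group_member | tr 'A-Z' 'a-z')
  [ -n "$schema" ] || schema=rfc2307        # sssd default when unset
  case "$schema" in
    rfc2307bis)
      echo "ok: ldap_schema=rfc2307bis, ${member:-member} values treated as DNs, nesting followed"
      return 0 ;;
    rfc2307)
      case "$member" in
        ""|memberuid)
          echo "ok: rfc2307 with memberUid (flat groups only, no nesting)"
          return 0 ;;
        *)
          echo "mismatch: ldap_schema=rfc2307 but ldap_group_member=$member holds DNs;" \
               "id(1) will show only the primary group and nested groups are ignored"
          return 1 ;;
      esac ;;
    *)
      echo "skipped: ldap_schema=$schema is not covered by this check"
      return 0 ;;
  esac
}

echo "before:"; check_group_schema "$BEFORE_CONF" || :
echo "after:";  check_group_schema "$AFTER_CONF"
```

After changing the schema, invalidate what sssd has already cached, because group objects stored under the old interpretation are served from the cache until they expire: run `sss_cache -E` where the installed sssd provides it, or stop sssd and remove the cache databases under /var/lib/sss/db/, then `service sssd restart`, as Ted did. The reason this matters beyond convenience: secondary group membership is what sudoers rules, pam_access and file permissions key on, so a client that silently sees only the primary group will deny access that should be granted and, where a policy keys on a group to restrict rather than grant, may fail to apply that restriction.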