Good afternoon,
I have run into an issue on Cent 7 with sssd configured for AD auth. I am able to auth via AD usernames and passwords without issue and can "getent group MOSTGROUPS". But I have run into an issue where there are some groups that are not being seen / discovered / enumerated etc.
ID of a validated username will display most of the groups, but there are some groups that are not listed, which are also the ones that fail getent group. I cannot find a pattern in what groups fail to enumerate. At first I thought it was length, but there are group names over 20 characters that succeed.
EX. ID of user1:
Group1, group 2, group 5
Getent group group1
Username list!
Getent group "Group 2"
Username list!
Getent group group3 (user is a long time member of group in AD)
Blank output
Strace reveals that the command exited with status 2. Nothing is logged in sssd_DOMAIN.log
Please let me know where to look next, thank you.
Mike Karich
IT Manager
Center for Vital Longevity
1600 Viceroy Rd
Dallas, TX 75235
mkarich@utdallas.edu
P: 972-883-3745 C: 972-757-3299
CVL IT Assistance: CVLTech@utdallas.edu
On 10/23/2014 02:36 PM, Karich, Michael wrote:
> Good afternoon,
> I have run into an issue on Cent 7 with sssd configured for AD auth. I am able to auth via AD usernames and passwords without issue and can “getent group MOSTGROUPS”. But I have run into an issue where there are some groups that are not being seen / discovered / enumerated etc.
> ID of a validated username will display most of the groups, but there are some groups that are not listed, which are also the ones that fail getent group. I cannot find a pattern in what groups fail to enumerate. At first I thought it was length, but there are group names over 20 characters that succeed.

What version of SSSD?
Did you get all the right groups when the user actually logs in? If this is the case, then it is a known and expected behavior in 1.11.x. If you are using the latest 1.12.x you should see all groups, so if you do not then this is a bug.

> EX. ID of user1:
> Group1, group 2, group 5
> Getent group group1
> Username list!
> Getent group “Group 2”
> Username list!
> Getent group group3 (user is a long time member of group in AD)
> Blank output
> Strace reveals that the command exited with status 2. Nothing is logged in sssd_DOMAIN.log
> Please let me know where to look next, thank you.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
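The per-group lookups described in this thread can be scripted so that each expected group is classified by getent's exit status (2 means the key was not found, per getent(1)). This is an added example, not part of the original messages or of SSSD's own tooling; `check_group`, `check_groups` and the `GETENT` override are names assumed here.

```shell
#!/bin/sh
# Added example: classify NSS group lookups by getent's documented exit status.
# GETENT is a hypothetical override so the logic can be exercised with a stub.
GETENT=${GETENT:-getent}

# check_group USER GROUP
# Prints "GROUP<TAB>verdict". Returns 0 only when the group resolves and
# USER appears in its member list.
check_group() {
    user=$1
    group=$2
    # Guard the assignment so a non-zero getent status is captured
    # instead of aborting callers that run under `set -e`.
    entry=$($GETENT group "$group") && rc=0 || rc=$?
    case $rc in
        0) ;;
        2) printf '%s\tNOT_FOUND (getent exit 2)\n' "$group"; return 2 ;;
        *) printf '%s\tERROR (getent exit %s)\n' "$group" "$rc"; return "$rc" ;;
    esac
    # Entry format is name:passwd:gid:member1,member2,...
    # A user's primary group normally does not list the user here.
    members=${entry##*:}
    case ",$members," in
        *",$user,"*) printf '%s\tOK\n' "$group"; return 0 ;;
        *) printf '%s\tRESOLVED_BUT_USER_NOT_LISTED\n' "$group"; return 1 ;;
    esac
}

# check_groups USER GROUP...
# One output line per group; the return value is the count of non-OK groups.
check_groups() {
    user=$1
    shift
    bad=0
    for g in "$@"; do
        check_group "$user" "$g" || bad=$((bad + 1))
    done
    return "$bad"
}
```

Running `check_groups user1 group1 "Group 2" group3` before and after the user logs in shows whether the set of resolvable groups changes, which is the distinction the reply asks about.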