Hello,
I am switching our SSSD to use the AD provider but have found that the setup has issues
with group membership.
The following is my domain configuration:
[domain/<DOMAIN>]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_access_filter = (memberOf=<FILTER>)
ad_hostname = <CLIENT_HOST>
ad_domain = <DOMAIN>
dns_discovery_domain = <DOMAIN>
ldap_id_mapping = false
ldap_sasl_mech = GSSAPI
ldap_referrals = false
dyndns_update = false
cache_credentials = true
enumerate = false
ldap_purge_cache_timeout = 0
This setup works just not completely, user authentication and user/group lookups work.
However if I attempt to list full group membership of a user (“id user” or “groups user”),
then I am provided with only the primary group. Interestingly if I do the following: clear
user from cache, lookup group, lookup user, then the information indicates the primary
group and additional group.
We utilise an AllowGroups restriction within SSHD which fails, claiming the user isn’t in
the group.
Any suggests would be welcome.
Thanks
Mark
------------------------------------------------------------------------
Mark Sangster
Server Infrastructure Specialist
Information Technology Services | University of Aberdeen
t: +44 (0)1224 27-3315 | e: mark@abdn.ac.uk<mailto:mark@abdn.ac.uk> | u:
http://www.abdn.ac.uk/it/
The University of Aberdeen is a charity registered in Scotland, No SC013683.
Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir. SC013683.