I'm trying to obtain group membership of accounts that login via SSSD against an AD environment (id_provider = ldap, auth_provider = krb5). Authentication completes successfully and the UID and GID values are correct for the logged in user account:
uid=1113938(username) gid=1000 groups=1000 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
but where there is "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" there should be a list of user-managed groups that the user is a member of. These groups are contained in an Active Directory environment.
A debug log (debug_level = 6) shows the following segment which repeats on and on:
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #33674: New request 'User by ID'
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #33674: Performing a multi-domain search
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #33674: Search will check the cache and check the data provider
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #33674: Using domain [implicit_files]
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #33674: Looking up UID:0@implicit_files
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #33674: Checking negative cache for [UID:0@implicit_files]
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #33674: [UID:0@implicit_files] does not exist (negative cache)
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #33674: Using domain [AD.EXAMPLE.EDU]
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #33674: Looking up UID:0@AD.EXAMPLE.EDU
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #33674: Checking negative cache for [UID:0@AD.EXAMPLE.EDU]
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #33674: [UID:0@AD.EXAMPLE.EDU] does not exist (negative cache)
(Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_process_result] (0x0400): CR #33674: Finished: Not found
I can query the AD using ldapsearch and get a group membership list, but I can't seem to get that data using SSSD. What sssd.conf option should I be using to successfully obtain this data?
Thanks, Mike
On Mon, Apr 27, 2020 at 09:01:10PM -0000, Michael Dahlberg wrote:
> I'm trying to obtain group membership of accounts that login via SSSD against an AD environment (id_provider = ldap, auth_provider = krb5). Authentication completes successfully and the UID and GID values are correct for the logged in user account:
>
> uid=1113938(username) gid=1000 groups=1000 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> but where there is "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" there should be a list of user-managed groups that the user is a member of. These groups are contained in an Active Directory environment.
>
> A debug log (debug_level = 6) shows the following segment which repeats on and on:
>
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #33674: New request 'User by ID'
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #33674: Performing a multi-domain search
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #33674: Search will check the cache and check the data provider
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #33674: Using domain [implicit_files]
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #33674: Looking up UID:0@implicit_files
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #33674: Checking negative cache for [UID:0@implicit_files]
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #33674: [UID:0@implicit_files] does not exist (negative cache)
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #33674: Using domain [AD.EXAMPLE.EDU]
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #33674: Looking up UID:0@AD.EXAMPLE.EDU
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #33674: Checking negative cache for [UID:0@AD.EXAMPLE.EDU]
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #33674: [UID:0@AD.EXAMPLE.EDU] does not exist (negative cache)
> (Mon Apr 27 16:34:16 2020) [sssd[nss]] [cache_req_process_result] (0x0400): CR #33674: Finished: Not found
>
> I can query the AD using ldapsearch and get a group membership list, but I can't seem to get that data using SSSD. What sssd.conf option should I be using to successfully obtain this data?
Hi,
The first question would obviously be why you use id_provider=ldap and not id_provider=ad?
If there is a reason for using id_provider=ldap, the next question would be which group membership scheme you want to use. You can use the same group memberships AD is using, but you can use group memberships defined in the special Services for Unix LDAP attributes (the 'UNIX Attributes' tab in older versions of AD's 'Users and Computers' tool).
bye, Sumit
> Thanks, Mike
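To make the two alternatives Sumit raises concrete, here is an added sssd.conf sketch; it is not from the thread or from the SSSD project, and it is an illustration rather than a tested configuration for the poster's environment. It assumes the domain name AD.EXAMPLE.EDU from the debug log, and the ldap_uri and ldap_search_base values are placeholders. Option 1 switches to id_provider = ad, which already understands AD's member/memberOf group model; Option 2 keeps id_provider = ldap and makes the group-membership scheme explicit through ldap_schema (the attribute mapping under 2b, for Services for Unix style memberUid groups, is my assumption of how such a setup is typically expressed, not something the thread states).

```ini
# Added example (not the thread's or SSSD's own configuration).
# Only one [domain/AD.EXAMPLE.EDU] block may be active at a time.
# AD.EXAMPLE.EDU comes from the poster's log; ldap_uri and
# ldap_search_base are placeholders.

[sssd]
services = nss, pam
domains = AD.EXAMPLE.EDU

[nss]
debug_level = 6

# --- Option 1: the id_provider = ad route Sumit asks about --------------
# The ad provider knows AD's object classes and the member/memberOf
# group semantics. With ldap_id_mapping = false it uses the
# uidNumber/gidNumber values filled in via the 'UNIX Attributes' tab
# instead of generating IDs from the SID.
[domain/AD.EXAMPLE.EDU]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = ad.example.edu
ldap_id_mapping = false
cache_credentials = true

# --- Option 2: stay on id_provider = ldap, but pick the scheme ----------
# (commented out; swap with the block above to use it)
#[domain/AD.EXAMPLE.EDU]
#id_provider = ldap
#auth_provider = krb5
#krb5_realm = AD.EXAMPLE.EDU
#ldap_uri = ldaps://dc1.ad.example.edu          ; placeholder
#ldap_search_base = DC=ad,DC=example,DC=edu     ; placeholder
#ldap_id_mapping = false
#
# (2a) AD's own group membership (member/memberOf, sAMAccountName):
#ldap_schema = ad
#
# (2b) Services for Unix style membership instead: RFC 2307 groups whose
#      members are listed by memberUid. Object class and name attributes
#      are mapped to AD's, since AD users and groups are not
#      posixAccount/posixGroup objects. (Assumed mapping.)
#ldap_schema = rfc2307
#ldap_user_object_class = user
#ldap_user_name = sAMAccountName
#ldap_group_object_class = group
#ldap_group_name = sAMAccountName
```

After changing the schema or provider, clear the cached entries (`sss_cache -E`), restart sssd, and compare `id username` and `getent group <groupname>` against the ldapsearch result the poster already has; the groups= field of `id` should then list the AD groups rather than only the primary GID.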