On 14 Sep 2018, at 00:25, Kevin Murakoshi ksmurakoshi@UCDAVIS.EDU wrote:
Hi All,
I'm relatively new to SSSD, and this has me stumped. I'm trying to override the default GID for all the users on an OEL 7 system. I set override_gid = 100 in sssd.conf, but as far as I can tell nothing's happening. Looking into the sssd cache, I see:
dn: name=riceboy@ad3.ucdavis.edu,cn=users,cn=ad3.ucdavis.edu,cn=sysdb
createTimestamp: 1536876547
fullName: riceboy
gecos: riceboy
gidNumber: 846575921
name: riceboy@ad3.ucdavis.edu
objectCategory: user
uidNumber: 190295
When I set auto_private_groups = true, the GID does change:
dn: name=riceboy@ad3.ucdavis.edu,cn=users,cn=ad3.ucdavis.edu,cn=sysdb
createTimestamp: 1536877117
fullName: riceboy
gecos: riceboy
gidNumber: 190295
name: riceboy@ad3.ucdavis.edu
objectCategory: user
uidNumber: 190295
I think this is a bug. Looking at the domain the user comes from and the domain defined in sssd.conf, this user comes from a trusted domain, correct? The domain defined in sssd.conf is ou.ad3.ucdavis.edu, but the domain the user comes from is ad3.ucdavis.edu
I could reproduce this in my local test; it seems that the override_gid option is not applied to subdomain users. E.g., using override_gid=55555 I can see the administrator user from the joined domain have their gid overridden:

$ id administrator@win.trust.test
uid=1323800500(administrator@win.trust.test) gid=55555 groups=55555,1323800572(denied rodc password replication group@win.trust.test),1323800520(group policy creator owners@win.trust.test),1323800513(domain users@win.trust.test),1323800512(domain admins@win.trust.test),1323800519(enterprise admins@win.trust.test),1323800518(schema admins@win.trust.test)
But not the user from a trusted domain:

$ id administrator@child.win.trust.test
uid=52600500(administrator@CHILD.win.trust.test) gid=52600500(administrator@CHILD.win.trust.test) groups=52600500(administrator@CHILD.win.trust.test),52600513
Does override_gid work for you for users from the joined domain at least?
Another data point (not sure if this is related): when I try to override the GID on an existing group, the name will change, but the GID will not. (The original GID of "Domain Users" is 846575921.)

[root@tcsnd2 ~]# sss_override group-add "Domain Users@ad3.ucdavis.edu" -n NewName -g 1234567
SSSD needs to be restarted for the changes to take effect.
[root@tcsnd2 ~]# systemctl restart sssd
[root@tcsnd2 ~]# id riceboy@ad3.ucdavis.edu
uid=190295(riceboy) gid=846575921(newname) groups=846575921(newname),1170(status),1061419070(ism-us-systems),1061419998(iet-us-banner),1061419025(ism-us-status),1061419997(iet-us-edrs),1061419993(iet-us-rbds),1061419045(ism-us-ism),1234567(newname),1061419999(iet-us-ansible),1061419046(ism-us-isun-susers),1061419058(ism-us-netbackup),1061419074(ism-us-zenoss)
Hmm, this sounds like a bug as well. Does it work with any of the non-primary groups at least?
I'm sure there's something simple I'm missing, any ideas?
My sssd.conf file:
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 2

[pam]
reconnection_retries = 3
debug_level = 2

[sssd]
domains = ou.ad3.ucdavis.edu
config_file_version = 2
services = nss, pam, ifp
debug_level = 2
default_domain_suffix = AD3.UCDAVIS.EDU

[domain/ou.ad3.ucdavis.edu]
ad_domain = ou.ad3.ucdavis.edu
krb5_realm = OU.AD3.UCDAVIS.EDU
krb5_auth_timeout = 30
debug_level = 4
override_gid = 100
cache_credentials = True
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
#ad_access_filter = (memberOf=CN=IET-US-Unit-PS,OU=US-byOrg,OU=Groups,OU=IET-New,OU=DEPARTMENTS,DC=ou,DC=ad3,DC=ucdavis,DC=edu)
use_fully_qualified_names = True
;;; Must be false for UNIX UIDs to be retrieved from AD3
ldap_id_mapping = false
ldap_schema = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
override_homedir = /home/%u
fallback_homedir = /tmp/
override_shell = /bin/ksh
#auto_private_groups = true
access_provider = simple
simple_allow_groups = ISM-US-ISM@ou.ad3.ucdavis.edu, IET-US-BANNER@ou.ad3.ucdavis.edu
ignore_group_members = TRUE
ldap_use_tokengroups = True
ldap_group_nesting_level = 0
ldap_groups_use_matching_rule_in_chain = True
ldap_initgroups_use_matching_rule_in_chain = True
full_name_format = %1$s
dyndns_update = false
Kevin Murakoshi IET Enterprise Student Applications
ksmurakoshi@ucdavis.edu
(530) 752-0318 (office) (530) 219-8188 (cell)
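The reply above narrows the symptom to one question: for which users did override_gid actually take effect, and does that line up with whether the user comes from the joined domain or from a trusted (sub)domain? The script below is an added example, not code from the thread or from SSSD itself. It reads override_gid and the joined domain name out of an sssd.conf text, parses lines of `id` output, and flags every user whose primary GID does not match the configured override, together with whether that user belongs to the joined domain. The sssd.conf fragment and the two `id` lines embedded in it are constructed from the values quoted in the thread (override_gid=55555, joined domain win.trust.test); in practice you would feed it your real sssd.conf and the output of `id` for a list of users.

```python
"""Added example (not from the thread): check which users actually got override_gid.

Parses the [domain/...] section of an sssd.conf for override_gid and the
joined domain, then parses lines of `id` output and reports, per user, whether
the primary GID equals override_gid and whether the user comes from the joined
domain or from a trusted (sub)domain.  The sssd.conf text and the `id` lines
used below are constructed from the values quoted in the thread.
"""
import configparser
import re

# `id` prints "uid=NNN(name@domain) gid=NNN(...) groups=..."; only the numeric
# uid, the qualified name and the numeric primary gid are needed here.
ID_RE = re.compile(r"uid=(\d+)\(([^)]+)\)\s+gid=(\d+)")


def load_domain_config(conf_text):
    """Return (joined_domain, override_gid or None) from the first [domain/...] section.

    sssd.conf is INI-like but uses ';' and '#' comments, has '%' in values such
    as full_name_format, and may repeat a key (access_provider appears twice in
    the thread's config), so interpolation is disabled and strict mode is off.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    for section in cp.sections():
        if section.startswith("domain/"):
            domain = section.split("/", 1)[1].strip().lower()
            value = cp.get(section, "override_gid", fallback=None)
            return domain, (int(value) if value is not None else None)
    raise ValueError("no [domain/...] section in sssd.conf")


def parse_id_line(line):
    """Parse one line of `id` output into a dict with user, domain, uid, gid."""
    m = ID_RE.search(line)
    if m is None:
        raise ValueError("not an `id` output line: %r" % line)
    uid, qualified, gid = m.groups()
    user, _, domain = qualified.rpartition("@")
    return {"user": user, "domain": domain.lower(), "uid": int(uid), "gid": int(gid)}


def check_override(conf_text, id_lines):
    """Annotate each parsed `id` line with whether override_gid took effect
    and whether the user belongs to the joined domain."""
    joined_domain, override_gid = load_domain_config(conf_text)
    results = []
    for line in id_lines:
        entry = parse_id_line(line)
        entry["joined_domain"] = entry["domain"] == joined_domain
        entry["override_applied"] = override_gid is not None and entry["gid"] == override_gid
        results.append(entry)
    return results


# Constructed inputs mirroring the thread: override_gid=55555 on the joined
# domain win.trust.test, and the two `id` results shown in the reply.
SAMPLE_CONF = """\
[sssd]
domains = win.trust.test
services = nss, pam

[domain/win.trust.test]
id_provider = ad
access_provider = ad
#ad_access_filter = (memberOf=...)
access_provider = simple
ldap_id_mapping = false
full_name_format = %1$s
override_gid = 55555
"""

SAMPLE_ID_OUTPUT = [
    "uid=1323800500(administrator@win.trust.test) gid=55555 groups=55555,"
    "1323800513(domain users@win.trust.test)",
    "uid=52600500(administrator@CHILD.win.trust.test) "
    "gid=52600500(administrator@CHILD.win.trust.test) groups=52600500,52600513",
]


def report(conf_text=SAMPLE_CONF, id_lines=SAMPLE_ID_OUTPUT):
    """Print one line per user; return the qualified names whose override was NOT applied."""
    missing = []
    for e in check_override(conf_text, id_lines):
        scope = "joined domain" if e["joined_domain"] else "trusted domain"
        status = "override applied" if e["override_applied"] else "override NOT applied"
        print("%s@%s (uid %d, gid %d): %s, %s"
              % (e["user"], e["domain"], e["uid"], e["gid"], scope, status))
        if not e["override_applied"]:
            missing.append("%s@%s" % (e["user"], e["domain"]))
    return missing


if __name__ == "__main__":
    report()
```

Run against the constructed inputs, the joined-domain administrator is reported with the override applied and the CHILD.win.trust.test administrator without it, which is exactly the split the reply describes. On a real host, collect `id` output for a sample of users from each domain and pass it in; any user listed as "trusted domain, override NOT applied" matches the reported behaviour, whereas a joined-domain user in that state would point at a configuration problem rather than the subdomain issue.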
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...