Hi,
This is SSSD-VERSION 1.9.4, Ubuntu Quantal 12.10. If the homedir doesn't exist, the user cannot log in - the homedir is not created locally on the fly. Is this expected behavior?
[nss]
...
fallback_homedir = /home/%u
override_homedir = /home/%u
...
Am I supposed to make a change in PAM to get it to work?
------------------
Another problem - with group IDs:
After logging in to the terminal, I get a long list of warnings for all groups 1172xxxxx - it really delays login, as the list is long. Am I missing some config options?
su - testuser
...
groups: cannot find name for group ID XXXXXXX
...
id -G testuser
332400513 332411734 332411220 332411221 332405659 332410635 332403786 332403699 332407177 332408204 332408312 332406100 332408307 332413664 332402685 332402830 332411184
id -G -n testuser
domain users data-nat-nat-it-groupdrive rw nat-fnc-pri-setdiscription nat-pri-setcomputerdesc imada-terminal-users nat-it-outlook-admin nat-terminal-users terminal brugere dl-nat-it-staff nat-it-ansatte nat-it-ad-hoc nat-esignatur dl-nat-it nat-ctxusers common_users nat-lectures nat-booking
id testuser uid=332405654(testuser) gid=332400513(domain users) groups=332400513(domain users),1172612322,1172651920,1172657894,1172606592,1172607216, 332411734(data-nat-nat-it-groupdrive rw),332411220(nat-fnc-pri-setdiscription),332411221(nat-pri-setcomputerdesc),332405659(i-terminal-users), 332410635(nat-it-outlook-a),332403786(nat-terminal-users),332403699(terminal brugere),332407177(dl-nat-it-staff),332408204(nat-it-ansatte), 332408312(nat-it-ad-hoc),332406100(nat-esignatur),1172648735,332413664(nat-ctxusers),332402685(common_users),332402830(nat-lectures),332411184(nat-booking), 332408307(dl-nat-it),1172668083,1172671850,1172626924,1172670697,1172632585,1172647528,1172673996, 1172630281,1172650784,1172649006,1172646018,1172626637,1172668082,1172647518,1172647527,1172647519, 1172671034,1172652129,1172650787,1172608193,1172646019,1172649007,1172645844,1172630472,1172648739,1172645167, 1172649004,1172649400,1172671853,1172650786,1172645166,1172645845,988802256,1172649005,1172659655,1172647852,1172633504, 1172667765,1172666809,1172645842,1172649046,1172667764,1172647523,1172626846,1172633505,1172645161,1172658369,1172645843, 1172616454,1172659249,1172645163,1172644173,1172670698,988803287,1172645162,1172645841,1172659248,1172666810,1172659262,1172626838, ........(a lot of groups)... 1172648736,1172679679,1172622933,1172679716,1172645975,1172671030,1172620701,1172681776,1172650191
Best Longina
On Wed, Feb 27, 2013 at 10:11:03AM +0000, Longina Przybyszewska wrote:
> Hi,
> This is SSSD-VERSION 1.9.4, Ubuntu Quantal 12.10. If the homedir doesn't exist, the user cannot log in - the homedir is not created locally on the fly. Is this expected behavior?
> [nss]
> ...
> fallback_homedir = /home/%u
> override_homedir = /home/%u
> ...
> Am I supposed to make a change in PAM to get it to work?
Yes, you should put pam_mkhomedir or pam_oddjob into the session stack.
> Another problem - with group IDs:
> After logging in to the terminal, I get a long list of warnings for all groups 1172xxxxx - it really delays login, as the list is long. Am I missing some config options?
> su - testuser
> ...
> groups: cannot find name for group ID XXXXXXX
> ...
That's quite suspicious. How deep is your nesting structure? Are the groups that you only see numbers for two or more levels deep? The only known bug that could be related is https://fedorahosted.org/sssd/ticket/1755
Can you try setting ldap_group_nesting_level to a higher number to check if the issue is resolved?
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> On Wed, Feb 27, 2013 at 10:11:03AM +0000, Longina Przybyszewska wrote:
> > Another problem - with group IDs:
> > After logging in to the terminal, I get a long list of warnings for all groups 1172xxxxx - it really delays login, as the list is long. Am I missing some config options?
> > su - testuser
> > ...
> > groups: cannot find name for group ID XXXXXXX
> > ...
> That's quite suspicious. How deep is your nesting structure? Are the groups that you only see numbers for two or more levels deep? The only known bug that could be related is https://fedorahosted.org/sssd/ticket/1755
> Can you try setting ldap_group_nesting_level to a higher number to check if the issue is resolved?
How can I find out about the nesting structure in AD?
I tried with nesting_level 3|4|5
It doesn't help with the login issue - the same long list for all nesting levels from the command
su - testuser
The number of groups listed by the 'id' command changes with 'nesting_level':
(Nesting level =5)
alongina@victoria:~$ id -G testuser
332400513
alongina@victoria:~$ id -G -n testuser
domain users
alongina@victoria:~$ id testuser
uid=332405654(testuser) gid=332400513(domain users) groups=332400513(domain users)
(nesting level=4)
alongina@victoria:~$ id -G testuser
332400513 332411734 332411220 332411221 332405659 332410635 332403786 332403699 332407177 332408204 332408312 332406100 332408307 332413664 332402685 332402830 332411184
alongina@victoria:~$ id -G -n testuser
domain users data-nat-nat-it-groupdrive rw nat-fnc-pri-setdiscription nat-pri-setcomputerdesc imada-terminal-users nat-it-outlook-admin nat-terminal-users terminal brugere dl-nat-it-staff nat-it-ansatte nat-it-ad-hoc nat-esignatur dl-nat-it nat-ctxusers common_users nat-lectures nat-booking
alongina@victoria:~$ id testuser
uid=332405654(longina) gid=332400513(domain users) groups=332400513(domain users),332411734(data-nat-nat-it-groupdrive rw),332411220(nat-fnc-pri-setdiscription),332411221(nat-pri-setcomputerdesc),332405659(imada-terminal-users),332410635(nat-it-outlook-admin),332403786(nat-terminal-users),332403699(terminal brugere),332407177(dl-nat-it-staff),332408204(nat-it-ansatte),332408312(nat-it-ad-hoc),332406100(nat-esignatur),332408307(dl-nat-it),332413664(nat-ctxusers),332402685(common_users),332402830(nat-lectures),332411184(nat-booking)
It depends somehow on the cache. Just after emptying the cache I get the very long listing.
root@victoria:/var/lib/sss/db# service sssd stop sssd stop/waiting root@victoria:/var/lib/sss/db# \rm -rf * root@victoria:/var/lib/sss/db# service sssd start sssd start/running, process 3635 root@victoria:/var/lib/sss/db# id testuser uid=332405654(testuser) gid=332400513(domain users) groups=332400513(doma in users),332402685(common_users),1172668083,1172671850,1172626924,11726 70697,1172632585,1172657894,1172647528,1172673996,1172630281,1172650784, 1172649006,1172646018,1172626637,1172668082,1172647518,332406100(nat-esi gnatur),332403786(nat-terminal-users),1172647527,332405659(imada-termina l-users),1172647519,1172671034,1172652129,1172650787,1172608193,11726460 19,1172649007,1172645844,1172630472,1172648739,1172645167,332402830(nat- lectures),1172649004,1172649400,1172671853,1172650786,332408307(dl-nat-i t),1172645166,1172645845,988802256,1172651920,1172649005,1172659655,1172 606592,1172647852,1172633504,1172667765,1172666809,1172645842,1172649046 ,1172667764,1172647523,1172626846,1172633505,1172645161,1172658369,11726 45843,1172616454,1172607216,332411221(nat-pri-setcomputerdesc),117265924 9,332410635(nat-it-outlook-admin),1172645163,1172644173,1172670698,98880 3287,1172645162,1172645841,1172659248,1172666810,1172659262,1172626838,1 172647520,988807606,1172626843,332411220(nat-fnc-pri-setdiscription),117 2612780,1172649045,1172645152,1172645147,1172626938,1172658370,117265836 5,1172630586,1172649398,1172627322,332413664(nat -ctxusers),1172607213,1172626943,1172649060,1172681172,332408204(nat-it-ansatte),1172632583,1172658364,1172626827,332407177(dl-nat-it-staff),1172658371,1172653861,1172645344,332403699(terminal brugere),1172649061,1172645146,1172632578,1172671847,1172626940,1172626841,1172648741,1172649062,1172632579,1172658363,1172627278,1172645150,1172653860,332411184(nat-booking),332408312(nat-it-ad-hoc),1172632582,1172645145,1172671028,1172645144,1172627767,1172626935,1172632581,1172672165,1172645151,1172671032,332411734(data-nat-nat-it-groupdrive 
rw),1172657810,1172612322,1172650789,1172648253,1172657811,1172681132,1172648254,1172649064,1172627766,1172645974,1172672164,1172671286,1172632580,1172648736,1172679679,1172622933,1172679716,1172645975,1172671030,1172620701,1172681776,1172650191,1172648735
The same command issued immediately again produces different output:
id testuser uid=332405654(testuser) gid=332400513(domain users) groups=332400513(domain users),1172649061,1172649062,1172649064,1172650191,1172650789,1172651920,1172653860,1172653861,1172657810,1172657811,1172657894,1172658363,1172658371,1172668083,1172670697,1172671028,1172671030,1172671032,1172671286,1172671847,1172671850,1172672164,1172672165,1172679679,1172679716,1172681132,1172681776,332411734(data-nat-nat-it-groupdrive rw),332411220(nat-fnc-pri-setdiscription),332411221(nat-pri-setcomputerdesc),332405659(imada-terminal-users),332410635(nat-it-outlook-admin),332403786(nat-terminal-users),332403699(terminal brugere),332407177(dl-nat-it-staff),332408204(nat-it-ansatte),332408312(nat-it-ad-hoc),332406100(nat-esignatur),332408307(dl-nat-it),332413664(nat-ctxusers),332402685(common_users),332402830(nat-lectures),332411184(nat-booking)
Longina
On Wed, Feb 27, 2013 at 01:36:58PM +0000, Longina Przybyszewska wrote:
OK, this sounds like some kind of a bug.
Can you try removing all caches, including the memory cache (rm -f /var/lib/sss/db/cache_*.ldb /var/lib/sss/mc/*), raise debugging in the [domain] section and attach /var/log/sssd/sssd_$domain.log? That should help identify why we are not resolving all the gids.
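A diagnostic for the unresolved GIDs discussed in this thread, added here as an example (it is not part of any message and is not SSSD code). It lists the GIDs that `id` prints without a name and, assuming SSSD's algorithmic ID mapping with the default `ldap_idmap_range_min` and `ldap_idmap_range_size` of 200000, splits a GID into its slice base and RID. The function names and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes SSSD algorithmic ID mapping
# with the default ldap_idmap_range_min and ldap_idmap_range_size (200000).
IDMAP_MIN=200000
IDMAP_SIZE=200000

# Read `id USER` output on stdin and print every GID that has no "(name)".
# All whitespace is dropped first, so numbers that were split by mail
# line-wrapping (e.g. "11726 70697") are rejoined before matching.
unresolved_gids() {
    sed -e 's/^.*groups=//' | tr -d ' \t\n' | tr ',' '\n' |
        grep -E '^[0-9]+$' | sort -n
}

# Split one GID into "<slice base> <RID>" under the assumed mapping:
# gid = range_min + slice * range_size + RID.
gid_split() {
    slice=$(( ($1 - IDMAP_MIN) / IDMAP_SIZE ))
    base=$(( IDMAP_MIN + slice * IDMAP_SIZE ))
    echo "$base $(( $1 - base ))"
}

# Count the unresolved GIDs on stdin per mapping slice.
slice_summary() {
    unresolved_gids | awk -v min="$IDMAP_MIN" -v size="$IDMAP_SIZE" '
        { s = int(($1 - min) / size); n[s]++ }
        END { for (s in n)
                printf "slice=%d base=%d unresolved=%d\n", s, min + s * size, n[s] }
    ' | sort
}

# Constructed sample: a short line in the shape of the `id testuser` output
# above, including one number broken by line-wrapping.
SAMPLE='uid=332405654(testuser) gid=332400513(domain users) groups=332400513(domain users),1172612322,1172651920,332411734(data-nat-nat-it-groupdrive rw),988802256,11726 70697,332402685(common_users)'

printf '%s\n' "$SAMPLE" | slice_summary
gid_split 332400513
```

Under that mapping, GIDs in different slices belong to different domain SIDs, and the RID is the last component of the group's objectSid in AD.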