On Fri, 2019-08-30 at 18:52 +0200, Sumit Bose wrote:
On Fri, Aug 30, 2019 at 04:07:39PM +0000, Joakim Tjernlund wrote:
> Decided to try out 2.2.1 and also gave enumerate a try and got somewhat strange
> results:
>
> sssd # getent group
> cjhfj4j_admins:*:145421:
> ....
>
> No group members ?
>
>
> getent passwd
> Only list linux system users and myself
> Where are the rest of the users ?
Hi,
since we typically recommend to not use enumeration it might not get the
required testing. Nevertheless can you send your (sanitized) sssd.conf
so that we can try to reproduce the issue?
Hi Sumit,
here is sanitized sssd.conf
[sssd]
config_file_version = 2
domains = xxx.com
services = nss, pam
#debug_level = 0x0fff
[nss]
fallback_homedir = /home/%u
default_shell = /bin/bash
#debug_level = 0x0fff
enum_cache_timeout = 3600
entry_negative_timeout = 300
[pam]
#debug_level = 0x0fff
[domain/xxx.com]
#debug_level = 0xffff
timeout = 30
ad_maximum_machine_account_password_age = 0
ignore_group_members = false
ldap_id_mapping = false
cache_credentials = true
enumerate = true
ldap_enumeration_refresh_timeout = 1800
entry_cache_timeout = 3600
refresh_expired_interval = 2700
id_provider = ad
auth_provider = ad
access_provider = permit
chpass_provider = ad
ad_server = yyy01.xxx.com,yyy02.xxx.com
ad_backup_server = byyy01.xxx.com,byyy.xxx.com
dyndns_auth = none
dyndns_iface = vpn0, wlan0, eth0
dyndns_update = true
dyndns_refresh_interval = 600
dyndns_update_ptr = true
dyndns_ttl = 3600
case_sensitive = false
ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
krb5_realm = XXX.COM
krb5_canonicalize = true
krb5_store_password_if_offline = true
krb5_use_kdcinfo = False
krb5_renewable_lifetime = 7d
krb5_lifetime = 24h
krb5_renew_interval = 4h