With sssd-ad 1.12.0 we have the problem that all additional group memberships of a user are missing:
-------------
# id ga57joh
uid=3298478(ga57joh) gid=3000000(tu00000gv-0defprim) groups=3000000(tu00000gv-0defprim)
-------------
Only the main group shows, all additional groups like 3394681(tueilntgv-0all),3393702(tueilntgv-0staff) are missing.
We have the following /etc/sssd/sssd.conf:
-------------
[sssd]
config_file_version = 2
services = nss,pam
domains = default

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
id_provider = ad
auth_provider = ad
access_provider = simple
chpass_provider = ad
ad_domain = ads.mwn.de
#ad_enable_gc = False <-- even this does not help!

# Disable sssd-ad ID mapping, as we want to use posix data from AD
ldap_id_mapping = False
# Disable user enumeration for speed
enumerate = False

# Set base DNs and scope for faster search
ldap_search_base = DC=ads,DC=mwn,DC=de
ldap_user_search_base = ou=Users,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de
ldap_group_search_base = ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de
-------------
Using sssd-ad 1.9.6, we get all groups successfully with the identical config!
We see the following message in /var/log/sssd/sssd_default.log:
-------------
[sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call
[sdap_get_initgr_user] (0x4000): Process user's groups
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing membership SID [S-1-5-32-545]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0080): Domain not found for SID S-1-5-32-545
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing membership SID [S-1-5-21-1499261727-55176102-3529509929-420311]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0400): Missing SID S-1-5-21-1499261727-55176102-3529509929-420311 will be downloaded
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing membership SID [S-1-5-21-1499261727-55176102-3529509929-571]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0400): Missing SID S-1-5-21-1499261727-55176102-3529509929-571 will be downloaded
...
[sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for [ne96soh]
[sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1499261727-55176102-3529509929-420311)(objectclass=group)(name=*))][ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType]
[sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
[sdap_get_initgr_done] (0x4000): Initgroups done
-------------
It looks like all the missing user groups are mentioned in the "Missing SID ... will be downloaded" messages, but are still missing in the end!
Any ideas?
Best regards, Joschi
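A triage helper for the log pattern in the message above, added here as an example and not part of the original thread or of SSSD: it pairs each "Missing SID ... will be downloaded" entry with the later objectSID search and its result count, so the SIDs that never became groups stand out. The function names and the second (successful) search in the sample are constructed; the SIDs and search base are the ones quoted in the post.

```python
import re

# Constructed sample in the format of the excerpt above; the final
# "returned 1 results" search is made up for contrast.
BASE = "ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de"
DOM = "S-1-5-21-1499261727-55176102-3529509929"
SAMPLE_LOG = f"""\
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing membership SID [S-1-5-32-545]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0080): Domain not found for SID S-1-5-32-545
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0400): Missing SID {DOM}-420311 will be downloaded
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0400): Missing SID {DOM}-571 will be downloaded
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID={DOM}-420311)(objectclass=group)(name=*))][{BASE}].
[sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID={DOM}-571)(objectclass=group)(name=*))][{BASE}].
[sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
"""

MISSING = re.compile(r"Missing SID (S-[\d-]+) will be downloaded")
NO_DOMAIN = re.compile(r"Domain not found for SID (S-[\d-]+)")
SEARCH = re.compile(r"ldap_search_ext with \[.*?objectSID=(S-[\d-]+)\).*?\]\[(.*?)\]")
RESULT = re.compile(r"Search for groups, returned (\d+) results")

def triage(log_text):
    """Map each tokenGroups SID seen in the log to its final outcome."""
    status = {}     # SID -> outcome string
    pending = None  # (sid, base) of the last objectSID search awaiting its result line
    for line in log_text.splitlines():
        if m := NO_DOMAIN.search(line):
            status[m.group(1)] = "no-domain"
        elif m := MISSING.search(line):
            status[m.group(1)] = "never-searched"
        elif m := SEARCH.search(line):
            pending = (m.group(1), m.group(2))
        elif (m := RESULT.search(line)) and pending:
            sid, base = pending
            found = int(m.group(1)) > 0
            status[sid] = ("resolved under " if found else "not-found under ") + base
            pending = None
    return status

def unresolved(log_text):
    """SIDs that did not end up as a resolved group."""
    return sorted(s for s, st in triage(log_text).items() if not st.startswith("resolved"))

if __name__ == "__main__":
    for sid, outcome in triage(SAMPLE_LOG).items():
        print(f"{sid:55} {outcome}")
```

Because `access_provider = simple` decisions can depend on group membership, the SIDs reported by `unresolved()` are the ones to check when a user's access differs from what AD says it should be.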
Thanks, it looks like that problem is solved with 1.12.1.
Best regards, Joschi Brauchle
On 10/07/2014 09:40 PM, Lukas Slebodnik wrote:
On (07/10/14 19:45), Joschi Brauchle wrote:
With sssd-ad 1.12.0 we have the problem that all additional group memberships
Please upgrade to sssd 1.12.1
LS
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users