I am so close yet so far...
I have an older env with LDAP, Kerberos, SASL and SSSD using rfc2307. I built a new env with LDAP, Kerberos, SASL and SSSD using rfc2307bis. I am finding that when I ssh into one of the new boxes and run "id", I am only getting back:
uid=1000(brendan) gid=1000(brendan) groups=1000(brendan)
The info is all the rfc2307/POSIX info, and not any of the rfc2307bis info. I am a member of several other groups that are groupOfNames objects, but the "id" command is not returning them.
Is there a client-side config that I am missing, in order to get the group memberships of groupOfNames groups? I imagine I could add the posixAccount object class to those groupOfNames groups, but wanted to make sure that was the only/right way to do things before I did it.
i am not clueless, just have one clue less...
brendan
On 01/08/2015 08:33 PM, Brendan Kearney wrote:
I am so close yet so far...
I have an older env with LDAP, Kerberos, SASL and SSSD using rfc2307.
Are you talking about server or client? Is your server IPA or something else?
If your server is IPA, then if you want to use 2307bis you point clients to the main user tree. If you want clients that do not understand 2307bis (for example Solaris), you need to enable the compat plugin and point clients to cn=compat.
If SSSD is configured to use 2307bis but the server is 2307, or vice versa, SSSD will have problems fetching groups.
I built a new env with LDAP, Kerberos, SASL and SSSD using rfc2307bis. I am finding that when I ssh into one of the new boxes and run "id", I am only getting back:
uid=1000(brendan) gid=1000(brendan) groups=1000(brendan)
The info is all the rfc2307/POSIX info, and not any of the rfc2307bis info. I am a member of several other groups that are groupOfNames objects, but the "id" command is not returning them.
Is there a client-side config that I am missing, in order to get the group memberships of groupOfNames groups? I imagine I could add the posixAccount object class to those groupOfNames groups, but wanted to make sure that was the only/right way to do things before I did it.
man sssd-ldap
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Thu, 2015-01-08 at 21:19 -0500, Dmitri Pal wrote:
My new environment is 2 servers and a client. The servers are Fedora 20, with LDAP, Kerberos, SASL and SSSD, but not IPA. The client is Fedora 20 with SSSD. In both/all cases, they are rfc2307bis.
I have read the sssd man pages, but I am not sure what I am missing.
The client sssd.conf:
[sssd]
domains = bpk2.com
services = nss, pam, sudo
config_file_version = 2
#debug_level = 4

[nss]
filter_groups = root
filter_users = root

[pam]

[sudo]

[domain/bpk2.com]
#debug_level = 4
id_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = _srv_,ldap://ldap1.bpk2.com,ldap://ldap2.bpk2.com
ldap_search_base = dc=bpk2,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/nas.bpk2.com
ldap_sasl_realm = BPK2.COM

auth_provider = krb5
krb5_server = _srv_,kerberos.bpk2.com
krb5_realm = BPK2.COM
krb5_renewable_lifetime = 7d
krb5_lifetime = 24h
krb5_renew_interval = 1h
krb5_store_password_if_offline = true
cache_credentials = true

sudo_provider = ldap
ldap_sudo_search_base = ou=SUDO Groups,ou=Roles,dc=bpk2,dc=com
#ldap_sudo_full_refresh_interval=86400
#ldap_sudo_smart_refresh_interval=3600

#min_id = 1000
#max_id = 2000
enumerate = false
On Thu, Jan 08, 2015 at 08:33:09PM -0500, Brendan Kearney wrote:
i am so close yet so far...
i have an older env with ldap, kerberos, sasl and sssd using rfc2307. i built a new env with ldap, kerberos, sasl and sssd using rfc2307bis. i am finding that when i ssh into one of the new boxes and run "id", i am only getting back:
uid=1000(brendan) gid=1000(brendan) groups=1000(brendan)
The uid values are suspiciously low. Are you sure there is no /local/ account in /etc/passwd named brendan that would be shadowing the LDAP user?
Yes. These are brand new builds that I performed myself. There are no local accounts at all. I know they cause interference with sssd, etc. if they overlap.
On Jan 9, 2015 4:01 AM, "Jakub Hrozek" jhrozek@redhat.com wrote:
On Fri, Jan 09, 2015 at 08:03:11AM -0500, brendan kearney wrote:
Yes. These are brand new builds that I performed myself. There are no local accounts at all. I know they cause interference with sssd, etc if they overlap.
Can we see an example group, then? Feel free to obfuscate real names etc..
dn: cn=ldapEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com
cn: ldapEngineers
member: uid=brendan,ou=domainUsers,ou=Users,dc=bpk2,dc=com
objectclass: groupOfNames
objectclass: top

The group and member are working in LDAP, as my ACLs key off that group for access to the cn=config database.
On Jan 9, 2015 8:19 AM, "Jakub Hrozek" jhrozek@redhat.com wrote:
brendan kearney wrote:
dn: cn=ldapEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com
cn: ldapEngineers
member: uid=brendan,ou=domainUsers,ou=Users,dc=bpk2,dc=com
objectclass: groupOfNames
objectclass: top

The group and member are working in LDAP, as my ACLs key off that group for access to the cn=config database.
Object class 'posixGroup' and its attributes are missing?
Ciao, Michael.
That's what I was looking to have confirmed.
So the OS won't actually recognize the groupOfNames group, but by adding the POSIX class and attributes, it can recognize the group name and GID?
I wanted to make sure there wasn't a more betterer or right way of doing things than how I was doing it.
On Jan 9, 2015 8:45 AM, "Michael Ströder" michael@stroeder.com wrote:
brendan kearney wrote:
So the OS wont actually recognize the groupOfNames group, but by adding the posix class and attributes, it can recognize the group name and gid?
The OS needs at least the POSIX-GID. Without it it's not a POSIX group at OS level.
You have to fiddle with the schema installed at your LDAP server to use the RFC2307bis schema.
Note that migrating to this schema might exclude older NSS LDAP clients from using this data.
In a former project, for maintaining backwards compatibility, I defined a hybrid class for group entries derived from 'posixGroup' and 'groupOfNames' containing 'memberUID' (RFC2307) and 'member' (RFC2307bis) attributes. web2ldap's built-in group admin feature maintains both in sync. Whatever client you're using would have to also do this.
Ciao, Michael.
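The two findings in this thread (a groupOfNames entry with no posixGroup class and no gidNumber is invisible to NSS, and a hybrid posixGroup+groupOfNames entry only helps older clients if member and memberUid stay in step) can be checked against an LDIF dump before anything is changed on the server. What follows is an added example written for this page, not code from the thread, from SSSD or from web2ldap. It relies on the sssd-ldap defaults: with ldap_schema = rfc2307bis SSSD searches for groups by ldap_group_object_class (default posixGroup) and reads membership from ldap_group_member (default member for rfc2307bis, memberuid for rfc2307), so an entry that is only groupOfNames is never returned to `id` no matter how the ACLs treat it. Only the first sample entry is the one Brendan posted; the ou=posixGroups entries, the user alice and the GID values are constructed for the example. One caveat the thread touches on at "fiddle with the schema": with OpenLDAP's stock nis.schema, posixGroup is STRUCTURAL, as is groupOfNames, and the server will reject an entry carrying both; the rfc2307bis schema defines posixGroup as AUXILIARY, which is what makes the hybrid entry loadable.

```python
"""Lint LDAP group entries for an SSSD client using ldap_schema = rfc2307bis.
Added example, not code from the thread or from SSSD. For each group in a
small LDIF it reports why `id` would or would not list it: SSSD searches for
groups by objectClass posixGroup and NSS needs a numeric gidNumber; a hybrid
groupOfNames+posixGroup entry must keep member and memberUid in agreement;
and a gidNumber shared by two groups silently merges their access."""
from typing import Dict, List

# Sample data: the first entry is the group as posted in the thread; the
# ou=posixGroups entries, uid=alice and the GIDs are constructed for this
# example (a corrected copy of the group, and a hybrid group that drifted).
SAMPLE_LDIF = """\
dn: cn=ldapEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com
cn: ldapEngineers
member: uid=brendan,ou=domainUsers,ou=Users,dc=bpk2,dc=com
objectClass: groupOfNames
objectClass: top

dn: cn=ldapEngineers,ou=posixGroups,ou=Groups,dc=bpk2,dc=com
cn: ldapEngineers
gidNumber: 2001
member: uid=brendan,ou=domainUsers,ou=Users,dc=bpk2,dc=com
memberUid: brendan
objectClass: groupOfNames
objectClass: posixGroup

dn: cn=ldapAuditors,ou=posixGroups,ou=Groups,dc=bpk2,dc=com
cn: ldapAuditors
gidNumber: 2002
member: uid=brendan,ou=domainUsers,ou=Users,dc=bpk2,dc=com
member: uid=alice,ou=domainUsers,ou=Users,
 dc=bpk2,dc=com
memberUid: brendan
objectClass: groupOfNames
objectClass: posixGroup
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: 'attr: value', folded lines (leading space), '#'
    comments, blank-line separators; attribute names lower-cased. No base64."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]  # continuation of previous value
            continue
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current, last_attr = {}, ""
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            last_attr = attr.strip().lower()  # LDAP attribute names are case-insensitive
            current.setdefault(last_attr, []).append(value.strip())
    return entries

def rdn_uid(dn: str) -> str:
    """uid from the leading RDN of a member DN, or '' if that RDN is not uid=."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if attr.strip().lower() == "uid" else ""

def check_group(entry: Dict[str, List[str]]) -> List[str]:
    """Why this entry would not show up in `id` (empty list means it would)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems: List[str] = []
    if "posixgroup" not in classes:
        problems.append("no objectClass posixGroup: SSSD's group search "
                        "(ldap_group_object_class) never matches this entry")
    gids = entry.get("gidnumber", [])
    if len(gids) != 1 or not gids[0].isdigit():
        problems.append("no single numeric gidNumber: not a POSIX group")
    by_dn = {rdn_uid(dn) for dn in entry.get("member", [])} - {""}
    by_uid = set(entry.get("memberuid", []))
    # Hybrid entry: the RFC2307 and RFC2307bis views must name the same users.
    if {"groupofnames", "posixgroup"} <= classes and by_dn != by_uid:
        problems.append("member and memberUid disagree: "
                        f"{sorted(by_dn)} vs {sorted(by_uid)}")
    return problems

def check_ldif(text: str) -> Dict[str, List[str]]:
    """Map each group DN to its problems; shared gidNumbers are flagged too."""
    report: Dict[str, List[str]] = {}
    gid_owners: Dict[str, List[str]] = {}
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if not classes & {"groupofnames", "posixgroup"}:
            continue  # users, OUs and so on
        dn = entry["dn"][0]
        report[dn] = check_group(entry)
        for gid in entry.get("gidnumber", []):
            gid_owners.setdefault(gid, []).append(dn)
    for gid, owners in gid_owners.items():
        for dn in owners if len(owners) > 1 else []:
            report[dn].append(f"gidNumber {gid} shared with {len(owners) - 1} other group(s)")
    return report

if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, *(problems or ["OK: resolves as a POSIX group"]), sep="\n  - ")
```

Run it against the output of `ldapsearch -LLL -b ou=Groups,dc=bpk2,dc=com` (pipe the dump into check_ldif instead of SAMPLE_LDIF); the group as posted gets two findings, the copy with posixGroup and gidNumber added gets none, and the drifted hybrid is reported with the uid that only the member attribute knows about. The shared-GID check is there because the client merges every group that carries a given gidNumber into one POSIX group, which is a quiet way to grant access that no single LDAP entry shows.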