I got 2 domains configured in sssd and the id cmd behaves odd:

gentoo-LABBBB sssd # id jocke@transmode.se
uid=1001(jocke) gid=100(users) groups=100(users),10(wheel),14(uucp),18(audio),27(video),250(portage),101(vboxusers),998(plugdev),78(kvm),900(libvirt),977(docker),1172001133(s all employees),1172056192(se-rnd-ts-1100),1172001161(all employees),1172000513(domain users),1172056141(se-it-group),1172056172(se-rnd-hw),1172056180(se-rnd-sw),1172056169(se-rnd)
gentoo-LABBBB sssd # id jocke@infinera.com
uid=1172051010(jocke) gid=1172056169(se-rnd) groups=1172056169(se-rnd),10(wheel),14(uucp),18(audio),27(video),250(portage),101(vboxusers),998(plugdev),78(kvm),900(libvirt),977(docker),1172001133(s all employees),1172056192(se-rnd-ts-1100),1172001161(all employees),1172000513(domain users),1172056141(se-it-group),1172056172(se-rnd-hw),1172056180(se-rnd-sw)

Notice how uid/gid differs but the group names are the same (they should not be).
It turns out that the "groups" list depends on the
  domains = infinera.com,transmode.se
setting. Whichever is first wins.
Thoughts? Using sssd-1.13.4
Jocke
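The comparison described in the message above, made mechanical. This is an added example, not part of the original thread: it parses the two `id` lines quoted there and reports which groups both fully qualified names resolve to. The `SENSITIVE` set of privilege-bearing local group names is an assumption chosen for illustration.

```python
import re

# The two `id` results, copied from the message above.
ID_TRANSMODE = (
    "uid=1001(jocke) gid=100(users) groups=100(users),10(wheel),14(uucp),18(audio),"
    "27(video),250(portage),101(vboxusers),998(plugdev),78(kvm),900(libvirt),977(docker),"
    "1172001133(s all employees),1172056192(se-rnd-ts-1100),1172001161(all employees),"
    "1172000513(domain users),1172056141(se-it-group),1172056172(se-rnd-hw),"
    "1172056180(se-rnd-sw),1172056169(se-rnd)")
ID_INFINERA = (
    "uid=1172051010(jocke) gid=1172056169(se-rnd) groups=1172056169(se-rnd),10(wheel),"
    "14(uucp),18(audio),27(video),250(portage),101(vboxusers),998(plugdev),78(kvm),"
    "900(libvirt),977(docker),1172001133(s all employees),1172056192(se-rnd-ts-1100),"
    "1172001161(all employees),1172000513(domain users),1172056141(se-it-group),"
    "1172056172(se-rnd-hw),1172056180(se-rnd-sw)")

# Assumption: local groups treated as privilege-bearing on this host.
SENSITIVE = {"wheel", "docker", "libvirt", "kvm"}

LINE = re.compile(r"uid=(\d+)\(([^)]*)\) gid=(\d+)\(([^)]*)\) groups=(.*)")
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")  # names may contain spaces, not ')'

def parse_id(line):
    """Parse one line of id(1) output into uid, primary gid and {gid: name}."""
    m = LINE.fullmatch(line.strip())
    if m is None:
        raise ValueError("not id(1) output: %r" % line)
    groups = {int(gid): name for gid, name in ENTRY.findall(m.group(5))}
    return {"uid": int(m.group(1)), "gid": int(m.group(3)), "groups": groups}

def compare(a, b):
    """Report how two parsed identities overlap in group membership."""
    shared = set(a["groups"]) & set(b["groups"])
    return {
        "same_uid": a["uid"] == b["uid"],
        "same_primary_gid": a["gid"] == b["gid"],
        "only_a": sorted(set(a["groups"]) - shared),
        "only_b": sorted(set(b["groups"]) - shared),
        "shared_sensitive": sorted(
            n for g, n in a["groups"].items() if g in shared and n in SENSITIVE),
    }

if __name__ == "__main__":
    report = compare(parse_id(ID_TRANSMODE), parse_id(ID_INFINERA))
    for key, value in report.items():
        print(key, "=", value)
```

On a live host the two strings would come from running `id` for each fully qualified name; a non-empty `shared_sensitive` list for identities that should be distinct is the thing to look for.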
On (08/06/16 09:16), Joakim Tjernlund wrote:
> I got 2 domains configured in sssd and the id cmd behaves odd:
>
> gentoo-LABBBB sssd # id jocke@transmode.se
> uid=1001(jocke) gid=100(users) groups=100(users),10(wheel),14(uucp),18(audio),27(video),250(portage),101(vboxusers),998(plugdev),78(kvm),900(libvirt),977(docker),1172001133(s all employees),1172056192(se-rnd-ts-1100),1172001161(all employees),1172000513(domain users),1172056141(se-it-group),1172056172(se-rnd-hw),1172056180(se-rnd-sw),1172056169(se-rnd)
> gentoo-LABBBB sssd # id jocke@infinera.com
> uid=1172051010(jocke) gid=1172056169(se-rnd) groups=1172056169(se-rnd),10(wheel),14(uucp),18(audio),27(video),250(portage),101(vboxusers),998(plugdev),78(kvm),900(libvirt),977(docker),1172001133(s all employees),1172056192(se-rnd-ts-1100),1172001161(all employees),1172000513(domain users),1172056141(se-it-group),1172056172(se-rnd-hw),1172056180(se-rnd-sw)
>
> Notice how uid/gid differs but the group names are the same (they should not be).
> It turns out that the "groups" list depends on the
>   domains = infinera.com,transmode.se
> setting. Whichever is first wins.
It took me some time to find a difference. So the difference is in the primary group (once it's gid=100(users) and later it is gid=1172056169(se-rnd)).

What was the delay between the two calls of "id jocke@transmode.se"? I would not expect a short delay due to the fast cache.

BTW, I would suggest testing with a simpler command:
  getent passwd jocke@transmode.se
The primary group is the second number in the output.

I would suggest looking into the following wiki:
https://fedorahosted.org/sssd/wiki/Troubleshooting
and finding some errors in nss.log and sssd_$domain.log
LS
On (10/06/16 11:31), Lukas Slebodnik wrote:
> On (08/06/16 09:16), Joakim Tjernlund wrote:
> > I got 2 domains configured in sssd and the id cmd behaves odd:
> >
> > gentoo-LABBBB sssd # id jocke@transmode.se
> > uid=1001(jocke) gid=100(users) groups=100(users),10(wheel),14(uucp),18(audio),27(video),250(portage),101(vboxusers),998(plugdev),78(kvm),900(libvirt),977(docker),1172001133(s all employees),1172056192(se-rnd-ts-1100),1172001161(all employees),1172000513(domain users),1172056141(se-it-group),1172056172(se-rnd-hw),1172056180(se-rnd-sw),1172056169(se-rnd)
> > gentoo-LABBBB sssd # id jocke@infinera.com
> > uid=1172051010(jocke) gid=1172056169(se-rnd) groups=1172056169(se-rnd),10(wheel),14(uucp),18(audio),27(video),250(portage),101(vboxusers),998(plugdev),78(kvm),900(libvirt),977(docker),1172001133(s all employees),1172056192(se-rnd-ts-1100),1172001161(all employees),1172000513(domain users),1172056141(se-it-group),1172056172(se-rnd-hw),1172056180(se-rnd-sw)
> >
> > Notice how uid/gid differs but the group names are the same (they should not be).
> > It turns out that the "groups" list depends on the
> >   domains = infinera.com,transmode.se
> > setting. Whichever is first wins.
>
> It took me some time to find a difference. So the difference is in the primary group (once it's gid=100(users) and later it is gid=1172056169(se-rnd)).
>
> What was the delay between the two calls of "id jocke@transmode.se"? I would not expect a short delay due to the fast cache.
>
> BTW, I would suggest testing with a simpler command:
>   getent passwd jocke@transmode.se
> The primary group is the second number in the output.
>
> I would suggest looking into the following wiki:
> https://fedorahosted.org/sssd/wiki/Troubleshooting
> and finding some errors in nss.log and sssd_$domain.log

Ahh, I totally missed that the fully qualified name of the user is different.
LS
On Wed, Jun 08, 2016 at 09:16:29AM +0000, Joakim Tjernlund wrote:
> I got 2 domains configured in sssd and the id cmd behaves odd:
Does it help if you switch on fully qualified names by setting
use_fully_qualified_names = True
in each of the two domain sections?
bye, Sumit
> gentoo-LABBBB sssd # id jocke@transmode.se
> uid=1001(jocke) gid=100(users) groups=100(users),10(wheel),14(uucp),18(audio),27(video),250(portage),101(vboxusers),998(plugdev),78(kvm),900(libvirt),977(docker),1172001133(s all employees),1172056192(se-rnd-ts-1100),1172001161(all employees),1172000513(domain users),1172056141(se-it-group),1172056172(se-rnd-hw),1172056180(se-rnd-sw),1172056169(se-rnd)
> gentoo-LABBBB sssd # id jocke@infinera.com
> uid=1172051010(jocke) gid=1172056169(se-rnd) groups=1172056169(se-rnd),10(wheel),14(uucp),18(audio),27(video),250(portage),101(vboxusers),998(plugdev),78(kvm),900(libvirt),977(docker),1172001133(s all employees),1172056192(se-rnd-ts-1100),1172001161(all employees),1172000513(domain users),1172056141(se-it-group),1172056172(se-rnd-hw),1172056180(se-rnd-sw)
>
> Notice how uid/gid differs but the group names are the same (they should not be).
> It turns out that the "groups" list depends on the
>   domains = infinera.com,transmode.se
> setting. Whichever is first wins.
>
> Thoughts? Using sssd-1.13.4
>
> Jocke