On Mon, 2014-08-11 at 18:31 +0000, Nordgren, Bryce L -FS wrote:
> I have an external LDAP metadirectory acting as an identity provider
> for my linux domain. The metadirectory overrides and supplements the
> upstream identity source (e.g., it passes thru sn, givenName, mail,
> telephoneNumber; but overrides or adds uidNumber, gidNumber,
> loginShell, etc.) The directory also holds RFC2307 group information,
> and the groups contain members from multiple upstream sources.
> Authentication via simple bind (for web apps) is passed thru to the
> relevant upstream provider. LDAP works great.
>
> For command line login, I want to use Kerberos. Each upstream provider
> is configured as a domain within sssd which uses LDAP for identities
> and Kerberos for authentication. The local, linux domain-wide groups
> are included as one of the domain definitions, but not the others. For
> instance, I have defined domain A, B, and C. Domain A contains group
> information having members from all three. Domains B and C essentially
> have no groups defined.
>
> "getent passwd user" works. Authentication works. "getent group"
> works, initially... SSSD is removing users from my group. sss_cache -G
> restores the user (i.e., getent group test includes the user), but the
> first time the user tries to exercise their permissions by accessing a
> file on the filesystem, they get a permission denied and are removed
> from the group (getent group test does not include the user).
>
> Are cross-realm groups something that sssd is designed to prohibit?
Yes, sssd silos each identity domain completely; the only 'exception' is
local groups, but that's almost an accident of how nsswitch worked.
Simo Sorce * Red Hat, Inc * New York
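The behaviour Simo describes can be modelled offline: sssd resolves a group's members only within the domain that serves the group, so a memberUid that lives in another sssd domain simply disappears from the group. The script below is an added illustration, not sssd's own code; the per-domain user sets and the group entry are constructed stand-ins for what each domain's ldap_user_search_base and ldap_group_search_base would return, and the domain names A/B/C follow the thread.

```python
"""Added illustration (not sssd code): show which memberUid entries of an
RFC 2307 group an sssd domain can resolve on its own.

Model of the answer in the thread: sssd looks up a group's members only
inside the domain that serves the group, so a member that exists only in
another domain is dropped from the group the system sees.
"""

# Constructed stand-in for what each sssd domain's ldap_user_search_base
# would return: domain name -> set of uids visible under that search base.
DIRECTORY = {
    "A": {"alice", "svc-backup"},   # local domain; also defines the groups
    "B": {"bob", "alice"},          # upstream provider B (alice exists here too)
    "C": {"carol"},                 # upstream provider C
}

# Constructed RFC 2307 group entry as served by domain A's group search base.
GROUP_TEST = {
    "cn": "test",
    "gidNumber": 5000,
    "memberUid": ["alice", "bob", "carol", "svc-backup", "ghost"],
}


def resolve_members(group, owning_domain, directory):
    """Classify each memberUid of `group` from the point of view of the sssd
    domain `owning_domain`.

    Returns (kept, dropped): kept is the list of uids resolvable inside that
    domain; dropped maps every other uid to the sorted list of domains where
    it actually exists (an empty list means it exists nowhere).
    """
    kept, dropped = [], {}
    visible = directory.get(owning_domain, set())
    for uid in group["memberUid"]:
        if uid in visible:
            kept.append(uid)
        else:
            # Record where the member really lives so an admin can see that
            # the problem is cross-domain membership, not a missing account.
            dropped[uid] = sorted(d for d, users in directory.items() if uid in users)
    return kept, dropped


def getent_group_line(group, owning_domain, directory):
    """Render the group as `getent group` shows it once sssd has resolved it
    (sssd's nss responder reports '*' in the password field)."""
    kept, _ = resolve_members(group, owning_domain, directory)
    return f"{group['cn']}:*:{group['gidNumber']}:{','.join(kept)}"


if __name__ == "__main__":
    print(getent_group_line(GROUP_TEST, "A", DIRECTORY))
    _, dropped = resolve_members(GROUP_TEST, "A", DIRECTORY)
    for uid, where in dropped.items():
        hint = f"exists only in domain(s) {where}" if where else "exists in no configured domain"
        print(f"  dropped: {uid} ({hint})")
```

Run against the constructed data, domain A keeps alice and svc-backup and drops bob (only in B), carol (only in C) and ghost (nowhere); that matches the symptom in the thread, where `getent group test` loses members after sssd resolves the group for real.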