Some more information on my ongoing issue based on the ideas suggested by Jakub.
I did use realmd to initiate the keytab and join the system to the domain.
When first performing the ldapsearch, I received an error that the keytab was not initialized. I tried to initialize via the command you provided, but was given an error "kinit: Keytab contains no suitable keys for V-REPO-OP-02$@AD_DOMAIN".
I was able to initialize the keytab by using kinit -n UserID.
Then I was able to perform an ldap search and pull all group membership as well as userid that are members of that group.
Getent group "NWgroupname" still does not work.
Mike Karich
-----Original Message-----
From: Karich, Michael
Sent: Friday, October 24, 2014 8:10 AM
To: 'sssd-users@lists.fedorahosted.org'
Subject: RE: [SSSD-users] Getent group not fully working
Could you test with sssd-1.11.7? Here is a link to yum repo https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-11/
Same results after installing 1.11.7 and rebooting. Version was confirmed via sssd --version.
Mike Karich
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of sssd-users-request@lists.fedorahosted.org
Sent: Friday, October 24, 2014 7:00 AM
To: sssd-users@lists.fedorahosted.org
Subject: sssd-users Digest, Vol 30, Issue 16
Send sssd-users mailing list submissions to sssd-users@lists.fedorahosted.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.fedorahosted.org/mailman/listinfo/sssd-users or, via email, send a message with subject or body 'help' to sssd-users-request@lists.fedorahosted.org
You can reach the person managing the list at sssd-users-owner@lists.fedorahosted.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of sssd-users digest..."
Today's Topics:
1. Re: sssd-users Digest, Vol 30, Issue 15 (Karich, Michael)
2. Re: sssd-users Digest, Vol 30, Issue 15 (steve)
3. Re: sssd-users Digest, Vol 30, Issue 15 (Lukas Slebodnik)
----------------------------------------------------------------------
Message: 1
Date: Thu, 23 Oct 2014 20:39:55 +0000
From: "Karich, Michael" mkarich@utdallas.edu
To: "sssd-users@lists.fedorahosted.org" sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] sssd-users Digest, Vol 30, Issue 15
Message-ID: E8485E913DD2CB46BC9E4A14AA1E65C2376046BB@UTDEX32.campus.ad.utdallas.edu
Content-Type: text/plain; charset="utf-8"
Yes, I do have access to my sssd.conf.
I have replaced the domain with a case-equivalent domain.
[sssd]
config_file_version = 2
domains = domain
services = nss, pam
debug_level = 10
default_domain_suffix = domain

[nss]

[pam]

[domain/"domain"]
ad_domain = domain
krb5_realm = DOMAIN
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /dir/%u
access_provider = ad
I am using 1.11.2. Which repo will have the latest version for centos 7?
When running groups as an AD user, the same groups are printed as when running ID username. Both listings are incomplete and missing the same groups.
Mike Karich
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of sssd-users-request@lists.fedorahosted.org
Sent: Thursday, October 23, 2014 3:11 PM
To: sssd-users@lists.fedorahosted.org
Subject: sssd-users Digest, Vol 30, Issue 15
Today's Topics:
1. Getent group not fully working (Karich, Michael)
2. Re: Getent group not fully working (steve)
3. Re: Getent group not fully working (Dmitri Pal)
----------------------------------------------------------------------
Message: 1
Date: Thu, 23 Oct 2014 18:36:27 +0000
From: "Karich, Michael" mkarich@utdallas.edu
To: "sssd-users@lists.fedorahosted.org" sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Getent group not fully working
Message-ID: E8485E913DD2CB46BC9E4A14AA1E65C237603A8E@UTDEX32.campus.ad.utdallas.edu
Content-Type: text/plain; charset="utf-8"
Good afternoon,
I have run into an issue on Cent 7 with sssd configured for AD auth. I am able to auth via AD usernames and passwords without issue and can "getent group MOSTGROUPS". But I have run into an issue where there are some groups that are not being seen / discovered / enumerated etc.
ID of a validated username will display most of the groups, but there are some groups that are not listed, which are also the ones that fail getent group. I cannot find a pattern in what groups fail to enumerate. At first I thought it was length, but there are group names over 20 characters that succeed.
EX. ID of user1:
Group1, group 2, group 5
Getent group group1
Username list!
Getent group "Group 2"
Username list!
Getent group group3 (user is a long time member of group in AD)
Blank output
Strace reveals that the command exited with status 2. Nothing is logged in sssd_DOMAIN.log
Please let me know where to look next, thank you.
Mike Karich
IT Manager
Center for Vital Longevity
1600 Viceroy Rd
Dallas, TX 75235
mkarich@utdallas.edu
P: 972-883-3745 C: 972-757-3299
CVL IT Assistance: CVLTech@utdallas.edu
------------------------------
Message: 2
Date: Thu, 23 Oct 2014 21:52:49 +0200
From: steve steve@steve-ss.com
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] Getent group not fully working
Message-ID: 54495C91.3040803@steve-ss.com
Content-Type: text/plain; charset=utf-8; format=flowed
On 23/10/14 20:36, Karich, Michael wrote:
Good afternoon,
I have run into an issue on Cent 7 with sssd configured
Do you have access to sssd.conf on your system?
------------------------------
Message: 3
Date: Thu, 23 Oct 2014 16:11:16 -0400
From: Dmitri Pal dpal@redhat.com
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] Getent group not fully working
Message-ID: 544960E4.7030106@redhat.com
Content-Type: text/plain; charset="utf-8"; Format="flowed"
On 10/23/2014 02:36 PM, Karich, Michael wrote:
Good afternoon,
I have run into an issue on Cent 7 with sssd configured for AD auth. I am able to auth via AD usernames and passwords without issue and can “getent group MOSTGROUPS”. But I have run into an issue where there are some groups that are not being seen / discovered / enumerated etc.
ID of a validated username will display most of the groups, but there are some groups that are not listed, which are also the ones that fail getent group. I cannot find a pattern in what groups fail to enumerate. At first I thought it was length, but there are group names over 20 characters that succeed.
What version of SSSD?
Did you get all the right groups when the user actually logs in? If this is the case then it is a known and expected behavior in 1.11.x. If you are using the latest 1.12.x you should see all groups, so if you do not then this is a bug.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
------------------------------
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
End of sssd-users Digest, Vol 30, Issue 15 ******************************************
------------------------------
Message: 2
Date: Thu, 23 Oct 2014 23:23:06 +0200
From: steve steve@steve-ss.com
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] sssd-users Digest, Vol 30, Issue 15
Message-ID: 544971BA.7020708@steve-ss.com
Content-Type: text/plain; charset=utf-8; format=flowed
On 23/10/14 22:39, Karich, Michael wrote:
Yes I do have access to my sssd.conf
Hi
OK. login first or use 1.12.2
HTH,
Steve
------------------------------
Message: 3
Date: Fri, 24 Oct 2014 00:33:16 +0200
From: Lukas Slebodnik lslebodn@redhat.com
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] sssd-users Digest, Vol 30, Issue 15
Message-ID: 20141023223315.GA14325@mail.corp.redhat.com
Content-Type: text/plain; charset=utf-8
On (23/10/14 20:39), Karich, Michael wrote:
I am using 1.11.2. Which repo will have the latest version for centos 7?
Could you test with sssd-1.11.7? Here is a link to yum repo https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-11/
When running groups as an AD user, the same groups are printed as when running ID username. Both listings are incomplete and missing the same groups.
LS
------------------------------
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
End of sssd-users Digest, Vol 30, Issue 16 ******************************************
On Tue, Oct 28, 2014 at 01:54:56PM +0000, Karich, Michael wrote:
Some more information on my ongoing issue based on the ideas suggested by Jakub.
I did use realmd to initiate the keytab and join the system to the domain.
When first performing the ldapsearch, I received an error that the keytab was not initialized. I tried to initialize via the command you provided, but was given an error "kinit: Keytab contains no suitable keys for V-REPO-OP-02$@AD_DOMAIN".
Ah, sorry, I pretty much only read your sssd logs, maybe the principal is different.
Can you show what "klist -k" says?
I was able to initialize the keytab by using kinit -n UserID.
kinit acquires a Kerberos ticket; it doesn't touch the keytab. Normally, the keytab is only accessible to the root user.
Then I was able to perform an ldap search and pull all group membership as well as userid that are members of that group.
Yes, but SSSD uses the principal from the keytab to authenticate, not UserID.
Getent group "NWgroupname" still does not work.
Mike Karich
I have found the issue, and it seems that the ldap id mapping was truncating the remaining user IDs. After increasing the slice range to 1,000,000 I was able to get the newer IDs to map. Below is the config I used.
Thank you all for your help.
ldap_idmap_default_domain = DOMAIN
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 1000000000
ldap_idmap_range_size = 1000000
Mike Karich
IT Manager
Center for Vital Longevity
1600 Viceroy Rd
Dallas, TX 75235
mkarich@utdallas.edu
P: 972-883-3745 C: 972-757-3299
CVL IT Assistance: CVLTech@utdallas.edu
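As an added illustration of the fix above (example code written for this thread, not SSSD's own implementation), a toy model of the algorithmic SID-to-UNIX-id mapping behind ldap_id_mapping = True, run with the sssd-ldap(5) defaults beside the range Mike posted. The slice index is passed in explicitly instead of being derived from a hash of the domain SID, the model has no secondary slices, and the group SIDs are constructed; all of that is an assumption of the model, not something the thread states.

```python
"""Toy model of SSSD-style algorithmic SID -> UNIX id mapping.

Constructed example, not SSSD's code.  It reproduces the symptom in the
thread: an AD group whose RID is at or above ldap_idmap_range_size does not
fit its domain's slice, so it never gets a GID and 'getent group' prints
nothing for it, while raising range_size makes the same group map.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Defaults documented in sssd-ldap(5): range_min, range_max, range_size.
DEFAULT_RANGE = (200000, 2000200000, 200000)
# Range posted in the thread as the working configuration.
THREAD_RANGE = (100000, 1000000000, 1000000)

# Object SID in an AD domain: S-1-5-21-<three sub-authorities>-<RID>.
_SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-(\d+)$")


@dataclass(frozen=True)
class IdmapRange:
    range_min: int
    range_max: int
    range_size: int

    def __post_init__(self) -> None:
        if not 0 < self.range_size <= self.range_max - self.range_min:
            raise ValueError("range_size must fit inside [range_min, range_max)")

    @property
    def slice_count(self) -> int:
        # How many per-domain slices the whole id range is cut into.
        return (self.range_max - self.range_min) // self.range_size


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an AD object SID into (domain SID, RID)."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a domain object SID: {sid!r}")
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def sid_to_id(sid: str, slice_index: int, rng: IdmapRange) -> Optional[int]:
    """Map an object SID to a UNIX id, or None when the RID does not fit.

    Assumption of this model: the slice is chosen by the caller (real SSSD
    derives it from a hash of the domain SID) and there are no secondary
    slices, so a RID >= range_size simply stays unmapped.
    """
    if not 0 <= slice_index < rng.slice_count:
        raise ValueError("slice_index outside the configured range")
    _, rid = split_sid(sid)
    if rid >= rng.range_size:
        return None
    return rng.range_min + slice_index * rng.range_size + rid


def id_to_sid(unix_id: int, domain_sid: str, slice_index: int,
              rng: IdmapRange) -> Optional[str]:
    """Reverse mapping: recover the SID for a UNIX id in the domain's slice."""
    base = rng.range_min + slice_index * rng.range_size
    if not base <= unix_id < base + rng.range_size:
        return None
    return f"{domain_sid}-{unix_id - base}"


def unmappable(sids: Iterable[str], slice_index: int,
               rng: IdmapRange) -> List[str]:
    """Return the SIDs that this range cannot map at all."""
    return [s for s in sids if sid_to_id(s, slice_index, rng) is None]


if __name__ == "__main__":
    # Constructed sample: an old group and a newer group with a high RID.
    groups = {
        "group1": "S-1-5-21-1111-2222-3333-1105",
        "group3": "S-1-5-21-1111-2222-3333-250317",  # RID above 200000
    }
    for label, cfg in (("default", DEFAULT_RANGE), ("thread", THREAD_RANGE)):
        rng = IdmapRange(*cfg)
        for name, sid in groups.items():
            print(f"{label:8} {name}: gid={sid_to_id(sid, 0, rng)}")
```

Under the defaults the second group comes back as unmapped, which is exactly the silent "Blank output" from getent; under the posted range it maps.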
On Wed, Oct 29, 2014 at 08:13:05PM +0000, Karich, Michael wrote:
I have found the issue, and it seems that the ldap id mapping was truncating the remaining user IDs. After increasing the slice range to 1,000,000 I was able to get the newer IDs to map. Below is the config I used.
Glad it's working now!
Thank you all for your help.
ldap_idmap_default_domain = DOMAIN ldap_idmap_range_min = 100000 ldap_idmap_range_max = 1000000000 ldap_idmap_range_size = 1000000
Mike Karich IT Manager Center for Vital Longevity 1600 Viceroy Rd Dallas, TX 75235
mkarich@utdallas.edumailto:mkarich@utdallas.edu P: 972-883-3745 C: 972-757-3299
CVL IT Assistance: CVLTech@utdallas.edu
On Oct 29, 2014, at 4:22 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Tue, Oct 28, 2014 at 01:54:56PM +0000, Karich, Michael wrote: Some more information on my ongoing issue based on the ideas suggested by Jakub.
I did use realmd to initiate the keytab and join the system to the domain.
When first performing the ldapsearch. I received an error that the keytab was not initialized. I tried to initialize via the command you provided, but was given an error " kinit: Keytab contains no suitable keys for V-REPO-OP-02$@AD_DOMAIN"
Ah, sorry, I pretty much only read your sssd logs, maybe the principal is different.
Can you show what does "klist -k" say?
I was able to initialize the keytab by using kinit -n UserID.
kinit acquires a Kerberos ticket, it doesn't touch the keytab. Normally, the keytab is only accessible to the root user.
Then I was able to perform an ldap search and pull all group membership as well as userid that are members of that group.
Yes, but SSSD uses the principal from the keytab to authenticate, not UserID.
Getent group "NWgroupname" still does not work.
Mike Karich
-----Original Message----- From: Karich, Michael Sent: Friday, October 24, 2014 8:10 AM To: 'sssd-users@lists.fedorahosted.org' Subject: RE: [SSSD-users] Getent group not fully working
Could you test with sssd-1.11.7? Here is a link to yum repo https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-11/
Same results after installing 1.11.7 and rebooting. Version was confirmed via sssd --version.
Mike Karich
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of sssd-users-request@lists.fedorahosted.org Sent: Friday, October 24, 2014 7:00 AM To: sssd-users@lists.fedorahosted.org Subject: sssd-users Digest, Vol 30, Issue 16
Send sssd-users mailing list submissions to sssd-users@lists.fedorahosted.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.fedorahosted.org/mailman/listinfo/sssd-users or, via email, send a message with subject or body 'help' to sssd-users-request@lists.fedorahosted.org
You can reach the person managing the list at sssd-users-owner@lists.fedorahosted.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of sssd-users digest..."
Today's Topics:
- Re: sssd-users Digest, Vol 30, Issue 15 (Karich, Michael)
- Re: sssd-users Digest, Vol 30, Issue 15 (steve)
- Re: sssd-users Digest, Vol 30, Issue 15 (Lukas Slebodnik)
Message: 1
Date: Thu, 23 Oct 2014 20:39:55 +0000
From: "Karich, Michael" mkarich@utdallas.edu
To: "sssd-users@lists.fedorahosted.org" sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] sssd-users Digest, Vol 30, Issue 15
Message-ID: E8485E913DD2CB46BC9E4A14AA1E65C2376046BB@UTDEX32.campus.ad.utdallas.edu
Yes I do have access to my sssd.conf
I have replaced the domain with case equivalent domain
[sssd]
config_file_version = 2
domains = domain
services = nss, pam
debug_level = 10
default_domain_suffix = domain

[nss]

[pam]

[domain/"domain"]
ad_domain = domain
krb5_realm = DOMAIN
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /dir/%u
access_provider = ad
I am using 1.11.2. Which repo will have the latest version for centos 7?
When running groups as an AD user, the same groups are printed as when running ID username. Both listings are incomplete and missing the same groups.
Mike Karich
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of sssd-users-request@lists.fedorahosted.org
Sent: Thursday, October 23, 2014 3:11 PM
To: sssd-users@lists.fedorahosted.org
Subject: sssd-users Digest, Vol 30, Issue 15
Today's Topics:
- Getent group not fully working (Karich, Michael)
- Re: Getent group not fully working (steve)
- Re: Getent group not fully working (Dmitri Pal)
Message: 1
Date: Thu, 23 Oct 2014 18:36:27 +0000
From: "Karich, Michael" mkarich@utdallas.edu
To: "sssd-users@lists.fedorahosted.org" sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Getent group not fully working
Message-ID: E8485E913DD2CB46BC9E4A14AA1E65C237603A8E@UTDEX32.campus.ad.utdallas.edu
Good afternoon,
I have run into an issue on Cent 7 with sssd configured for AD auth. I am able to auth via AD usernames and passwords without issue and can "getent group MOSTGROUPS". But I have run into an issue where there are some groups that are not being seen / discovered / enumerated etc.
ID of a validated username will display most of the groups, but there are some groups that are not listed, which are also the ones that fail getent group. I cannot find a pattern in what groups fail to enumerate. At first I thought it was length, but there are group names over 20 characters that succeed.
EX. ID of user1:
Group1, group 2, group 5
Getent group group1 Username list!
Getent group "Group 2" Username list!
Getent group group3 (user is a long time member of group in AD) Blank output
Strace reveals that the command exited with status 2. Nothing is logged in sssd_DOMAIN.log
Please let me know where to look next, thank you.
Mike Karich
IT Manager
Center for Vital Longevity
1600 Viceroy Rd
Dallas, TX 75235
mkarich@utdallas.edu
P: 972-883-3745 C: 972-757-3299
CVL IT Assistance: CVLTech@utdallas.edu
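The point Jakub makes above is that SSSD authenticates with a principal from the host keytab, so a ticket obtained with "kinit UserID" says nothing about whether SSSD can bind. The following is an added example, not code from the thread: it parses "klist -k" output to list the principals a keytab holds and, in a separate live check, tries to obtain a ticket from the keytab alone. The host and realm names in the sample are constructed placeholders shaped after the thread's V-REPO-OP-02 and AD_DOMAIN, and the MIT Kerberos output layout is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: list the principals a keytab holds
# (the "klist -k" check asked for above) and test whether one of them can get
# a ticket on its own, which is what SSSD does. Host and realm names are
# constructed placeholders shaped after the thread (V-REPO-OP-02, AD_DOMAIN).

# Print the unique principal names from "klist -k"-style text. MIT layout is
# assumed: a "Keytab name:" line, a "KVNO Principal" header, a dashed rule,
# then one entry per key (so a principal repeats once per key type).
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 2 { print $2 }' | sort -u
}

# Exit 0 when principal $2 appears in the klist output $1, 1 otherwise.
keytab_has_principal() {
    keytab_principals "$1" | grep -Fxq -- "$2"
}

# Live check (needs MIT kinit and root to read /etc/krb5.keytab): obtain a
# ticket for principal $2 purely from keytab $1 into a throwaway cache, so the
# caller's own user tickets are left untouched. "Keytab contains no suitable
# keys" here means that principal (or its key types) is absent from the keytab.
keytab_can_kinit() {
    cc=$(mktemp) || return 1
    kinit -c "FILE:$cc" -k -t "$1" "$2"; rc=$?
    kdestroy -c "FILE:$cc" 2>/dev/null; rm -f "$cc"
    return $rc
}

# Constructed sample shaped like "klist -k /etc/krb5.keytab". The machine
# account appears twice (two key types) and must be reported once.
SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/v-repo-op-02.ad_domain@AD_DOMAIN
   2 host/V-REPO-OP-02@AD_DOMAIN
   2 V-REPO-OP-02$@AD_DOMAIN
   2 V-REPO-OP-02$@AD_DOMAIN'

# Stand-alone run: show what the sample keytab holds and whether the machine
# principal named in the thread's kinit error is among them.
keytab_principals "$SAMPLE"
if keytab_has_principal "$SAMPLE" 'V-REPO-OP-02$@AD_DOMAIN'; then
    echo 'machine principal present; next: keytab_can_kinit /etc/krb5.keytab "V-REPO-OP-02$@AD_DOMAIN"'
else
    echo 'machine principal missing from keytab; the host needs to be re-joined'
fi
```

On a real host, run it as root against "$(klist -k)" output and the actual keytab; if keytab_can_kinit fails for the principal SSSD logs, the keytab, not SSSD, is what needs fixing.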