First, I would appreciate all the help you could provide me. I have an issue with sssd and nss that I still don't understand quite well...
The point is that I have configured some servers with 2 active domains. The first domain is a freeipa managed environment and the second one is an AD domain.
But I recently noticed that if I try to obtain the uids and gids for several users, the groups have the right gid, but the group names are wrong. I mean, what I detected is that even though all gids and uids retrieved by the id command are right, the names of the groups shown are sometimes from the other domain. I think it always retrieves the name of the group from the first domain (domain1.com) if the gid exists there, but if it doesn't, it will look for it in the second domain (addomain2.com). It seems this is a problem with NSS, not exactly with SSSD, even though they are very linked. So, please, if this is not the best place to ask about this, I would appreciate help finding another forum.
For instance:
[root@lab6 ~]# id user1 uid=105806(user1) gid=106520(group1) groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)
where:
- user1 is a user from the AD domain (addomain2.com)
- gids are perfectly obtained
- group1, group2 and group3 are from the AD domain (addomain2.com)
- group5 and group6 are groups OR USERS from the FREEIPA domain (domain1.com)
I could understand that it is normal for this to happen if I use the short-name way, "id user1", but I think it should not happen with the long-name way: "id user1@addomain2.com". I mean, this also happens if I do:
[root@lab6 ~]# id user1@addomain2.com uid=105806(user1) gid=106520(group1) groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)
This is my sssd.conf:
[root@lab6 ~]# cat /etc/sssd/sssd.conf
[domain/domain1.com]
id_provider = ipa
ipa_server = _srv_, freeipa01.domain1.com
ipa_domain = domain1.com
ipa_hostname = lab6.domain1.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True

[domain/addomain2.com]
ad_domain = addomain2.com
krb5_realm = addomain2.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
krb5_keytab = /etc/krb5.keytab.ad
ldap_krb5_keytab = /etc/krb5.keytab.ad
ldap_id_mapping = false
ad_enabled_domains = addomain2.com
ad_gpo_access_control = disabled
dyndns_update = false
dns_resolver_timeout = 10
dns_resolver_op_timeout = 10
krb5_auth_timeout = 30
timeout = 30

[sssd]
services = nss, pam, ssh, sudo
domains = domain1.com,addomain2.com

[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[session_recording]
[root@lab6 ~]# realm list
domain1.com
  type: kerberos
  realm-name: domain1.com
  domain-name: domain1.com
  configured: kerberos-member
  server-software: ipa
  client-software: sssd
  required-package: ipa-client
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  login-formats: %U
  login-policy: allow-realm-logins
addomain2.com
  type: kerberos
  realm-name: addomain2.com
  domain-name: addomain2.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
Does this make any sense to you? Did I miss something in my configuration? Is there any way to tell NSS which domain it should use in the SSSD configuration?
Thanks a lot for your help.
Regards, david
On Mon, May 01, 2023 at 11:16:00AM -0000, David Serrano Amarelle wrote:
First, I would appreciate all the help you could provide me. I have an issue with sssd and nss that I still don't understand quite well...
The point is that I have configured some servers with 2 active domains. The first domain is a freeipa managed environment and the second one is an AD domain.
But I recently noticed that if I try to obtain the uids and gids for several users, the groups have the right gid, but the group names are wrong. I mean, what I detected is that even though all gids and uids retrieved by the id command are right, the names of the groups shown are sometimes from the other domain. I think it always retrieves the name of the group from the first domain (domain1.com) if the gid exists there, but if it doesn't, it will look for it in the second domain (addomain2.com). It seems this is a problem with NSS, not exactly with SSSD, even though they are very linked. So, please, if this is not the best place to ask about this, I would appreciate help finding another forum.
For instance:
[root@lab6 ~]# id user1 uid=105806(user1) gid=106520(group1) groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)
where:
- user1 is a user from the AD domain (addomain2.com)
- gids are perfectly obtained
- group1, group2 and group3 are from the AD domain (addomain2.com)
- group5 and group6 are groups OR USERS from the FREEIPA domain (domain1.com)
I could understand that it is normal for this to happen if I use the short-name way, "id user1", but I think it should not happen with the long-name way: "id user1@addomain2.com". I mean, this also happens if I do:
[root@lab6 ~]# id user1@addomain2.com uid=105806(user1) gid=106520(group1) groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)
Hi,
if I understand it correctly there are groups in AD with GIDs 102242 and 100327 and there are objects (users or groups) in IPA which are using the same numbers as UID/GID.
This setup, collisions of GIDs, is not recommended and will cause the issue you see. The reason is that the commands which return the groups a user is a member of only ever return the GIDs of the groups, and since GIDs have no domain component, the first group found with that GID will be returned (since IPA uses autogenerated user private groups, it looks like IPA users are returned as well).
HTH
bye, Sumit
Hi Sumit,
Thanks a lot for your help.
About:
if I understand it correctly there are groups in AD with GIDs 102242 and 100327 and there are objects (users or groups) in IPA which are using the same numbers as UID/GID.
It's the other way around, but exactly as you said: there are users (or groups) in freeipa with uid (or gid) 102242 and 100327.
[root@lab6 ~]# id user1@addomain2.com uid=105806(user1) gid=106520(group1) groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)
Based on your answer, I am going to create a new id range for new users in order to avoid this collision in the future. But, obviously, I have a problem with the current uids/gids...
Just one last question, if you could. As far as I know Linux works with uids/gids all the time; do you think this issue with the current collisions could cause any real problem? I mean, is this an aesthetic issue or do I have a real mess with permissions?
Thanks again, david
On Tue, May 02, 2023 at 06:47:21AM -0000, David Serrano Amarelle wrote:
Hi Sumit,
Thanks a lot for your help.
About:
if I understand it correctly there are groups in AD with GIDs 102242 and 100327 and there are objects (users or groups) in IPA which are using the same numbers as UID/GID.
It's the other way around, but exactly as you said: there are users (or groups) in freeipa with uid (or gid) 102242 and 100327.
[root@lab6 ~]# id user1@addomain2.com uid=105806(user1) gid=106520(group1) groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)
Based on your answer, I am going to create a new id range for new users in order to avoid this collision in the future. But, obviously, I have a problem with the current uids/gids...
Just one last question, if you could. As far as I know Linux works with uids/gids all the time; do you think this issue with the current collisions could cause any real problem? I mean, is this an aesthetic issue or do I have a real mess with permissions?
Hi,
you are right, the operating system only cares about the numerical UID and GID values, i.e. two groups with the same GID are the same. This means, e.g. with respect to file-system permissions, that if you want a file which should only be accessible to members of the AD group with GID 102242, this would not be possible, because members of the IPA group with GID 102242 can access this file as well.
bye, Sumit
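An offline check for the two points Sumit makes (GIDs carry no domain, so the first domain owning a number wins the name lookup, and the kernel treats equal numbers as the same group). This is an added example, not code from the thread or from SSSD: it feeds constructed getent-style passwd/group lines for each domain (the numbers follow the thread, the names are invented) through a collision finder and a first-match GID resolver in configured domain order.

```python
"""Detect numeric UID/GID collisions between two SSSD domains (added example)."""
from collections import defaultdict

# Constructed passwd/group-format sample lines per domain, with fully
# qualified names. The numbers mirror the thread; the names are invented.
IPA_PASSWD = "ipauser5@domain1.com:*:102242:102242:IPA user:/home/ipauser5:/bin/bash\n"
IPA_GROUP = ("group5@domain1.com:*:102242:\n"        # user private group
             "group6@domain1.com:*:100327:\n")
AD_PASSWD = "user1@addomain2.com:*:105806:106520:AD user:/home/user1:/bin/bash\n"
AD_GROUP = ("group1@addomain2.com:*:106520:user1@addomain2.com\n"
            "adgrp5@addomain2.com:*:102242:user1@addomain2.com\n"
            "adgrp6@addomain2.com:*:100327:user1@addomain2.com\n")

# Same order as 'domains =' in sssd.conf: the first domain is searched first.
DOMAINS = [("domain1.com", IPA_PASSWD, IPA_GROUP),
           ("addomain2.com", AD_PASSWD, AD_GROUP)]


def parse_ids(text):
    """Map the numeric id (third field) of each getent-style line to its name."""
    ids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            ids[int(fields[2])] = fields[0]
    return ids


def find_collisions(domains):
    """Return {id: [(domain, 'user NAME' | 'group NAME'), ...]} for every
    UID/GID that more than one object across the domains is using."""
    owners = defaultdict(list)
    for dom, passwd, group in domains:
        for uid, name in parse_ids(passwd).items():
            owners[uid].append((dom, "user " + name))
        for gid, name in parse_ids(group).items():
            owners[gid].append((dom, "group " + name))
    return {i: o for i, o in owners.items() if len(o) > 1}


def resolve_gid_name(gid, domains):
    """Mimic how a bare GID gets a name: the first domain owning it wins, so
    the AD user's GID 102242 is shown with the IPA group's name, as in the thread."""
    for _dom, _passwd, group in domains:
        name = parse_ids(group).get(gid)
        if name is not None:
            return name
    return None
```

With the sample data, find_collisions(DOMAINS) reports 102242 (IPA user, its private group, and an AD group) and 100327 (one group in each domain), while resolve_gid_name(102242, DOMAINS) returns the IPA name even though the AD user is the one being queried.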
Hi,
Understood, I am going to try to migrate the UID/GID of the freeipa users, then.
Thanks a lot, Sumit. david