I have sssd (1.12.2 on archlinux, 1.11.5 on ubuntu 14.04, 1.11.7 on
ubuntu 14.10, i386) configured against samba4 (4.1.11, ubuntu 14.04,
amd64) using AD provider:
[sssd]
config_file_version = 2
reconnection_retries = 2
services = nss, pam
domains =
DOMAIN.COM
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 2
[pam]
reconnection_retries = 2
[
domain/DOMAIN.COM]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
ldap_user_gecos = displayName
ldap_tls_reqcert = allow
ldap_sasl_mech = gssapi
ldap_sasl_authid = nix$(a)DOMAIN.COM
krb5_use_enterprise_principal = false
krb5_keytab = /etc/sssd/sssd.keytab
ldap_id_mapping = false
dyndns_update = false
cache_credentials = true
enumerate = false
min_id = 1
I have sudo and sshd configured to use groups:
# grep group1 /etc/ssh/sshd_config
AllowGroups root group1
# grep group1 /etc/sudoers
%group1 ALL=(ALL) ALL
User 'user4' is a member of several domain posix not nested groups,
including 'group1'. No local group membership.
After starting sssd (with empty /var/lib/sss). Authentication and local
logon works fine. 'getent group' shows correct group members:
# getent group group1
group1:*:1013:user1,user2,user3,user4,user5
... but 'id' shows primary group only:
# id user4
uid=1104(user4) gid=513(domain users) groups=513(domain users)
Now, trying to use sudo (local):
$ sudo -s
[sudo] password for user4:
user4 is not in the sudoers file. This incident will be reported.
... or login remotely via ssh (sshd log message):
User user4 from
host.domain.com not allowed because none of user's
groups are listed in AllowGroups
After this, 'id' output stays the same:
# id user4
uid=1104(user4) gid=513(domain users) groups=513(domain users)
But 'user4' dissapears from 'getent group' output:
# getent group group1
group1:*:1013:user1,user2,user3,user5
Restarting sssd doesn't fix the issue. User appears in group list again
only after removing 'db/cache_DOMAIN.COM.ldb' file and restarting sssd.
But disappears again after the same actions (ssh/sudo). Next options
doesn't help too:
ldap_id_mapping = true
enumerate = true
winbind 4.1 works absolutely fine against the same AD server. So, I
think the problem is about sssd...
Summary:
* sssd group membership ACL checks don't work. User disappears from
'getent group' output after such check.
* 'id' shows primary group only
Should I file a bug report?
Thanks!
--
Best regards,
Sergey Urushkin