Hi All,
I'm relatively new to SSSD, and this has me stumped. I'm trying to override the default GID for all the users on an OEL 7 system. I set override_gid = 100 in sssd.conf, but as far as I can tell nothing's happening. Looking into the sssd cache, I see:
dn: name=riceboy@ad3.ucdavis.edu,cn=users,cn=ad3.ucdavis.edu,cn=sysdb
createTimestamp: 1536876547
fullName: riceboy
gecos: riceboy
gidNumber: 846575921
name: riceboy@ad3.ucdavis.edu
objectCategory: user
uidNumber: 190295
When I set auto_private_groups = true, the GID does change:
dn: name=riceboy@ad3.ucdavis.edu,cn=users,cn=ad3.ucdavis.edu,cn=sysdb
createTimestamp: 1536877117
fullName: riceboy
gecos: riceboy
gidNumber: 190295
name: riceboy@ad3.ucdavis.edu
objectCategory: user
uidNumber: 190295
Another data point (not sure if this is related), when I try and override the GID on an existing group, the name will change, but the GID will not. (original GID of "Domain Users" is 846575921)

[root@tcsnd2 ~]# sss_override group-add "Domain Users@ad3.ucdavis.edu" -n NewName -g 1234567
SSSD needs to be restarted for the changes to take effect.
[root@tcsnd2 ~]# systemctl restart sssd
[root@tcsnd2 ~]# id riceboy@ad3.ucdavis.edu
uid=190295(riceboy) gid=846575921(newname) groups=846575921(newname),1170(status),1061419070(ism-us-systems),1061419998(iet-us-banner),1061419025(ism-us-status),1061419997(iet-us-edrs),1061419993(iet-us- rbds),1061419045(ism-us-ism),1234567(newname),1061419999(iet-us-ansible),1061419046(ism-us-isun-susers),1061419058(ism-us-netbackup),1061419074(ism-us-zenoss)
I'm sure there's something simple I'm missing, any ideas?
My sssd.conf file
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 2

[pam]
reconnection_retries = 3
debug_level = 2

[sssd]
domains = ou.ad3.ucdavis.edu
config_file_version = 2
services = nss, pam, ifp
debug_level = 2
default_domain_suffix = AD3.UCDAVIS.EDU

[domain/ou.ad3.ucdavis.edu]
ad_domain = ou.ad3.ucdavis.edu
krb5_realm = OU.AD3.UCDAVIS.EDU
krb5_auth_timeout = 30
debug_level = 4
override_gid = 100

cache_credentials = True

id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
#ad_access_filter = (memberOf=CN=IET-US-Unit-PS,OU=US-byOrg,OU=Groups,OU=IET-New,OU=DEPARTMENTS,DC=ou,DC=ad3,DC=ucdavis,DC=edu)

use_fully_qualified_names = True

;;; Must be false for UNIX UIDs to be retrieved from AD3
ldap_id_mapping = false
ldap_schema = ad

krb5_store_password_if_offline = True

default_shell = /bin/bash
override_homedir = /home/%u
fallback_homedir = /tmp/
override_shell = /bin/ksh
#auto_private_groups = true

access_provider = simple
simple_allow_groups = ISM-US-ISM@ou.ad3.ucdavis.edu, IET-US-BANNER@ou.ad3.ucdavis.edu

ignore_group_members = TRUE
ldap_use_tokengroups = True
ldap_group_nesting_level = 0
ldap_groups_use_matching_rule_in_chain = True
ldap_initgroups_use_matching_rule_in_chain = True
full_name_format = %1$s
dyndns_update = false
Kevin Murakoshi IET Enterprise Student Applications
ksmurakoshi@ucdavis.edu
(530) 752-0318 (office) (530) 219-8188 (cell)
sssd-users@lists.fedorahosted.org