Package: sssd
Version: 1.8.4-2
Severity: important

Dear Maintainer,

We have a working setup with sssd and an ldap-krb5 domain (a kind of SSO). Sssd gets users, groups and sudo via kerberos from ldap. The setup is working just fine on centos and debian8, but not on debian wheezy.

What is expected: a user from ldap is able to log in via ssh to a debian 7 machine; after this, he's able to use sudo if he is allowed to (via ldap or locally).

What happens: the user logs in to the machine, he's allowed to 'sudo -s' in ldap, but he isn't able to do that.

Here is what the sssd-log says:

(Tue Nov 17 13:31:09 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0040): User [root] does not exist in [RNET.RU]! (negative cache)
(Tue Nov 17 13:31:09 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0040): No matching domain found for [root], fail!

Here is the nsswitch.conf:

passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: sss files

And here is the sssd config file:

[domain/RNET.RU]
autofs_provider = ldap
cache_credentials = false
ldap_search_base = dc=rnet,dc=ru
krb5_realm = RNET.RU
krb5_server = kdc1.rnet.ru
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldaps://kdc1.rnet.ru, ldaps://kdc2.rnet.ru
krb5_kpasswd = kdc1.rnet.ru
ldap_id_use_start_tls = true
krb5_renew_interval=10s
ldap_sasl_mech = GSSAPI
ldap_tls_cacert = /etc/ssl/rnet.ru/STAR_rnet_ru.ca-bundle
access_provider = simple

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = RNET.RU

[nss]
filter_users = root
filter_groups = root

[pam]

[sudo]
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=rnet,dc=ru

Just the same configuration works everywhere else, but not on debian 7. Both x86_64 and 32-bit are affected.

Thank you in advance for any help you can provide.

Best regards,
Petr Zaytsev

-- System Information:
Debian Release: 7.9
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sssd depends on:
ii  libc-ares2         1.9.1-3
ii  libc6              2.13-38+deb7u8
ii  libcollection2     0.1.3-2
ii  libcomerr2         1.42.5-1.1+deb7u1
ii  libdbus-1-3        1.6.8-1+deb7u6
ii  libdhash1          0.1.3-2
ii  libini-config2     0.1.3-2
ii  libipa-hbac0       1.8.4-2
ii  libk5crypto3       1.10.1+dfsg-5+deb7u4
ii  libkeyutils1       1.5.5-3+deb7u1
ii  libkrb5-3          1.10.1+dfsg-5+deb7u4
ii  libldap-2.4-2      2.4.31-2+deb7u1
ii  libldb1            1:1.1.6-1
ii  libnl1             1.1-7
ii  libnspr4           2:4.9.2-1+deb7u2
ii  libnss3            2:3.14.5-1+deb7u5
ii  libpam0g           1.1.3-7.1
ii  libpcre3           1:8.30-5
ii  libpopt0           1.16-7
ii  libtalloc2         2.0.7+git20120207-1
ii  libtdb1            1.2.10-2
ii  libtevent0         0.9.16-1
ii  libunistring0      0.9.3-5
ii  multiarch-support  2.13-38+deb7u8
ii  python             2.7.3-4+deb7u1
ii  python-sss         1.8.4-2

Versions of packages sssd recommends:
ii  bind9-host                   1:9.8.4.dfsg.P1-6+nmu2+deb7u7
ii  ldap-utils                   2.4.31-2+deb7u1
ii  libnss-sss                   1.8.4-2
ii  libpam-sss                   1.8.4-2
ii  libsasl2-modules-gssapi-mit  2.1.25.dfsg1-6+deb7u1
ii  libsasl2-modules-ldap        2.1.25.dfsg1-6+deb7u1

Versions of packages sssd suggests:
pn  apparmor    <none>
pn  sssd-tools  <none>

-- no debconf information