All,

Below is a writeup of missing AD groups for accounts when using tokengroups. When not using tokengroups, sssd is rock solid.

Yes, most of the missing AD groups are universal or global groups -- but not all! For some accounts, even domain-local AD groups are missed from their group memberships (when using tokengroups).

*Missing group memberships with sssd (when using tokengroups):*

July, 2018.

Cross-subdomain AD authentication partially working (fully working with ldap_use_tokengroups = False). When ldap_use_tokengroups = True is set, some AD groups for some accounts are missing. Full details below.

Test server is in AMER.DELL.COM

*Accounts and their missing AD group memberships (when ldap_use_tokengroups = True)*

*AdmJesse_Chan* (account resides in APAC.DELL.COM)

tokengroups-enabled SSSD reports membership in:

uid=525641(admjesse_chan) gid=525641(admjesse_chan) groups=525641(admjesse_chan),1008(apacunixusers),1000(apaclinuxeng),1001(apaclinuxsup)

vas-enabled Linux server reports membership in:

uid=525641(admjesse_chan) gid=525641(admjesse_chan) groups=525641(admjesse_chan),1000(apaclinuxeng),1001(apaclinuxsup),1008(apacunixusers),1041(linux-core-engineering),1069(users)

diff is: 1041(linux-core-engineering),1069(users)

Both are AMER-only "local domain" groups. linux-core-engineering is an AMER-only "domain local" group with GID 1041. And actually, admjesse_chan is a member of 'users', but that's an APAC.DELL.COM domain AD group (that's not unix-enabled). VAS is (mistakenly) reporting Jesse as a member of the AMER.DELL.COM 'users' group, which has a GID of 1069.

*AdmPaulBowen* (account resides in EMEA.DELL.COM)

tokengroups-enabled SSSD reports membership in:

uid=2103156(admpaul_bowen) gid=2103156(admpaul_bowen) groups=2103156(admpaul_bowen),1009(emeaunixusers)

vas-enabled Linux server reports membership in:

uid=2103156(admpaul_bowen) gid=2103156(admpaul_bowen) groups=2103156(admpaul_bowen),1153(emea_server_mgmt),1005(emealinuxsup),1009(emeaunixusers)

diff is: 1153(emea_server_mgmt),1005(emealinuxsup)

EMEA_SERVER_MGMT is a universal AD group, with GID 1153.
EMEALINUXSUP is a universal AD group, with GID 1005.
EMEAUNIXUSERS is a global AD group, with GID 1009.

*AdmDennis_Kennedy* (account resides in EMEA.DELL.COM)

tokengroups-enabled SSSD:

uid=2890335(admdennis_kennedy) gid=2890335(admdennis_kennedy) groups=2890335(admdennis_kennedy),1009(emeaunixusers)

vas:

uid=2890335(admdennis_kennedy) gid=2890335(admdennis_kennedy) groups=2890335(admdennis_kennedy),1153(emea_server_mgmt),1004(emealinuxeng),1009(emeaunixusers),1041(linux-core-engineering)

diff: 1153(emea_server_mgmt),1004(emealinuxeng),1041(linux-core-engineering)

EMEA_SERVER_MGMT is a universal AD group, with GID 1153.
EMEALINUXENG is a universal AD group, with GID 1003.
linux-core-engineering is an AMER-only "domain local" group with GID 1041.

*AdmSpike_White* (account resides in AMER.DELL.COM)

tokengroups-enabled SSSD:

uid=2025431(admspike_white) gid=2025431(admspike_white) groups=2025431(admspike_white),1002(amerlinuxeng)

vas:

uid=2025431(admspike_white) gid=2025431(admspike_white) groups=2025431(admspike_white),1002(amerlinuxeng),1041(linux-core-engineering),1069(users)

diff: 1041(linux-core-engineering),1069(users)

linux-core-engineering is an AMER-only "domain local" group with GID 1041.
users is an AMER-only "builtin local" group with GID 1069.

*AdmCesar_Guillen* (account found in AMER.DELL.COM)

NOTE: AdmCesar_Guillen is found in AMERICAS.

tokengroups-enabled SSSD:

uid=2669411(admcesar_guillen) gid=2669411(admcesar_guillen) groups=2669411(admcesar_guillen),1010(amerunixusers)

vas:

uid=2669411(admcesar_guillen) gid=2669411(admcesar_guillen) groups=2669411(admcesar_guillen),1033(amer_server_mgmt),1002(amerlinuxeng),1010(amerunixusers),2284031(esg_bios_code_rw)

diff: 1033(amer_server_mgmt),1002(amerlinuxeng),2284031(esg_bios_code_rw)

amer_server_mgmt is an AMER global group with GID 1033. <--- why is sssd not reporting this?!?
amerlinuxeng is a universal AD group with GID 1002. <---------- why is sssd not reporting this?!? It's reported for AdmSpike_White, but not for AdmPatrick_Wheeler or AdmCesar_Guillen.
esg_bios_code_rw is a universal AD group with GID 2284031. <---------- why is sssd not reporting this?!?

*Admpatrick_wheeler* (account resides in AMER.DELL.COM)

tokengroups-enabled SSSD:

uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) groups=2604370(admpatrick_wheeler),1010(amerunixusers)

tokengroups-disabled SSSD:

uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1010(amerunixusers),1003(amerlinuxsup),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),2283577(delta_bd_create_emea),2283643(gebs_read_prd),2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),2283869(cowcprodsupport)

vas:

uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)

diff is: 1033(amer_server_mgmt) 1003(amerlinuxsup)

amer_server_mgmt is an AMER global group with GID 1033. <--- why is sssd not reporting this?!?
amerlinuxsup is an AMER universal group with GID 1003.

Here is my /etc/sssd/sssd.conf file:

[nss]
debug_level = 9
filter_groups = root
filter_users = root
#entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[sssd]
debug_level = 6
#domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com
# Unnecessary. If missing, will search in order specified in "domains" lines above.
#domain_resolution_order = amer.dell.com, emea.dell.com, apac.dell.com, japn.dell.com, dell.com
config_file_version = 2
services = nss,pam
reconnection_retries = 3
#ldap_user_member_of = member

[pam]
pam_verbosity = 3
debug_level = 9

[domain/amer.dell.com]
debug_level = 9
id_provider = ad
access_provider = simple
#access_provider = ad
auth_provider = ad
ad_domain = amer.dell.com
krb5_realm = AMER.DELL.COM
default_shell = /bin/bash
#use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
auto_private_groups = True
realmd_tags = joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
fallback_homedir = /home/%u
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealm...@amer.dell.com
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com,apac.dell.com,emea.dell.com, japn.dell.com,dell.com
dyndns_update = False
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = amerlinux...@amer.dell.com, amerlinux...@amer.dell.com, emealinux...@emea.dell.com, AMER.DELL.COM, emealinux...@emea.dell.com, apaclinux...@emea.dell.com, apaclinux...@emea.dell.com
# also look at https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html

[domain/apac.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = apac.dell.com
krb5_realm = APAC.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealm...@amer.dell.com
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, apac.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = apaclinux...@apac.dell.com, apaclinux...@apac.dell.com

[domain/emea.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = emea.dell.com
krb5_realm = EMEA.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealm...@amer.dell.com
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = emealinux...@emea.dell.com, emealinux...@emea.dell.com

[domain/japn.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = japn.dell.com
krb5_realm = JAPN.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealm...@amer.dell.com
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, japn.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = japnlinux...@japn.dell.com, japnlinux...@japn.dell.com
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/HKWYWX7MR57HRIPWJW25FK35CZMHZEJQ/
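As an added example (not part of the post above or of sssd itself), a short Python script that computes the per-account diff the poster tabulated by hand: it parses two `id` lines and lists the groups the tokengroups-enabled SSSD lookup omits relative to the reference host. The sample lines are the AdmCesar_Guillen output quoted in the post; the function and variable names are this example's own.

```python
import re
from typing import Dict

# Constructed sample input: the two `id` lines the post quotes for
# AdmCesar_Guillen (tokengroups-enabled SSSD vs. the VAS-joined server).
SSSD_TOKENGROUPS = ("uid=2669411(admcesar_guillen) gid=2669411(admcesar_guillen) "
                    "groups=2669411(admcesar_guillen),1010(amerunixusers)")
VAS = ("uid=2669411(admcesar_guillen) gid=2669411(admcesar_guillen) "
       "groups=2669411(admcesar_guillen),1033(amer_server_mgmt),1002(amerlinuxeng),"
       "1010(amerunixusers),2284031(esg_bios_code_rw)")

# One `number(name)` entry as printed by `id`.
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(line: str) -> Dict[str, object]:
    """Split an `id` line into uid, user name and a {gid: name} map of groups."""
    fields = dict(part.split("=", 1) for part in line.split())
    uid_num, uid_name = _ENTRY.match(fields["uid"]).groups()
    groups = {int(gid): name for gid, name in _ENTRY.findall(fields["groups"])}
    return {"uid": int(uid_num), "user": uid_name, "groups": groups}


def missing_groups(observed: str, reference: str) -> Dict[int, str]:
    """Groups present in the reference `id` output but absent from the observed one.

    Comparison is by GID only, so a same-named group from another domain with a
    different GID (the APAC vs. AMER 'users' case in the post) still shows up
    as a difference and has to be judged by hand.
    """
    obs, ref = parse_id(observed), parse_id(reference)
    if obs["uid"] != ref["uid"]:
        raise ValueError("id outputs are for different accounts")
    # Dict order follows the reference line, matching the post's diff layout.
    return {g: n for g, n in ref["groups"].items() if g not in obs["groups"]}


def format_diff(missing: Dict[int, str]) -> str:
    """Render the diff in the same `gid(name)` comma-separated form the post uses."""
    return ",".join(f"{g}({n})" for g, n in missing.items())


if __name__ == "__main__":
    print("diff:", format_diff(missing_groups(SSSD_TOKENGROUPS, VAS)))
```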