All,

Below is a writeup of missing AD groups for accounts when using
tokengroups.  When not using tokengroups, sssd is rock solid.

Yes, most of the missing AD groups are universal or global groups -- but
not all!  For some accounts, even domain-local AD groups are missed from
their group memberships.  (when using tokengroups).


*Missing group memberships with sssd (when using tokengroups):*

July, 2018.

Cross-subdomain AD authentication partially working (fully working with
ldap_use_tokengroups = False).

When ldap_use_tokengroups = True is set, some AD groups are missing for some
accounts.  Full details below.

Test server is in AMER.DELL.COM

*Accounts and their missing AD group memberships (when ldap_use_tokengroups
= True)*

*AdmJesse_Chan* (account resides in APAC.DELL.COM)

tokengroups-enabled SSSD reports membership in:

        uid=525641(admjesse_chan) gid=525641(admjesse_chan)
groups=525641(admjesse_chan),1008(apacunixusers),1000(apaclinuxeng),1001(apaclinuxsup)

vas-enabled Linux server reports membership in:

        uid=525641(admjesse_chan) gid=525641(admjesse_chan)
groups=525641(admjesse_chan),1000(apaclinuxeng),1001(apaclinuxsup),1008(apacunixusers),
1041(linux-core-engineering),1069(users)

diff is:

        1041(linux-core-engineering),1069(users)

Both are AMER-only "local domain" groups.

        linux-core-engineering is an AMER-only "domain local" group with GID
1041.

        And actually, admjesse_chan is a member of 'users', but that's an
APAC.DELL.COM domain AD group (that's not unix-enabled).

        VAS is (mistakenly) reporting Jesse as a member of the AMER.DELL.COM
'users' group, which has a GID of 1069.

*AdmPaulBowen* (account resides in EMEA.DELL.COM)

tokengroups-enabled SSSD reports membership in:

   uid=2103156(admpaul_bowen) gid=2103156(admpaul_bowen)
groups=2103156(admpaul_bowen),1009(emeaunixusers)

vas-enabled Linux server reports membership in:

   uid=2103156(admpaul_bowen) gid=2103156(admpaul_bowen)
groups=2103156(admpaul_bowen),1153(emea_server_mgmt),1005(emealinuxsup)
,1009(emeaunixusers)

diff is:

   1153(emea_server_mgmt),1005(emealinuxsup)

EMEA_SERVER_MGMT is a universal AD group with GID 1153.

EMEALINUXSUP is a universal AD group with GID 1005.

EMEAUNIXUSERS is a global AD group with GID 1009.

*AdmDennis_Kennedy* (account resides in EMEA.DELL.COM)

tokengroups-enabled SSSD:

        uid=2890335(admdennis_kennedy) gid=2890335(admdennis_kennedy)
groups=2890335(admdennis_kennedy),1009(emeaunixusers)

vas:

        uid=2890335(admdennis_kennedy) gid=2890335(admdennis_kennedy)
groups=2890335(admdennis_kennedy),1153(emea_server_mgmt),1004(emealinuxeng),
1009(emeaunixusers),1041(linux-core-engineering)

diff:

1153(emea_server_mgmt),1004(emealinuxeng),1041(linux-core-engineering)

EMEA_SERVER_MGMT is a universal AD group with GID 1153.

EMEALINUXENG is a universal AD group with GID 1003.

linux-core-engineering is an AMER-only "domain local" group with GID 1041.

*AdmSpike_White* (account resides in AMER.DELL.COM)

tokengroups-enabled SSSD:

        uid=2025431(admspike_white) gid=2025431(admspike_white)
groups=2025431(admspike_white),1002(amerlinuxeng)

vas:

        uid=2025431(admspike_white) gid=2025431(admspike_white)
groups=2025431(admspike_white),1002(amerlinuxeng),
1041(linux-core-engineering),1069(users)

diff:

        1041(linux-core-engineering),1069(users)


linux-core-engineering is an AMER-only "domain local" group with GID 1041.

users is an AMER-only "builtin local" group with GID 1069.

*AdmCesar_Guillen* (account found in AMER.DELL.COM)

NOTE:  AdmCesar_Guillen is found in AMERICAS.

tokengroups-enabled SSSD:

        uid=2669411(admcesar_guillen) gid=2669411(admcesar_guillen)
groups=2669411(admcesar_guillen),1010(amerunixusers)

vas:

        uid=2669411(admcesar_guillen) gid=2669411(admcesar_guillen)
groups=2669411(admcesar_guillen),1033(amer_server_mgmt),1002(amerlinuxeng)
,1010(amerunixusers),2284031(esg_bios_code_rw)

diff:

        1033(amer_server_mgmt),1002(amerlinuxeng),2284031(esg_bios_code_rw)

amer_server_mgmt is an AMER global group with GID 1033.  <--- why is sssd
not reporting this?!?

amerlinuxeng is a universal AD group with GID 1002.  <---------- why is
sssd not reporting this?!?  It's reported for AdmSpike_White, but not for
AdmPatrick_Wheeler or AdmCesar_Guillen.

esg_bios_code_rw is a universal AD group with GID 2284031.  <---------- why
is sssd not reporting this?!?

*Admpatrick_wheeler* (account resides in AMER.DELL.COM)

tokengroups-enabled SSSD:

uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
groups=2604370(admpatrick_wheeler),1010(amerunixusers)
tokengroups-disabled SSSD:

uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1010(amerunixusers),1003(amerlinuxsup),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),2283577(delta_bd_create_emea),2283643(gebs_read_prd),2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),2283869(cowcprodsupport)
vas:

uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
groups=2604370(admpatrick_wheeler),
1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)

diff is:

1033(amer_server_mgmt),1003(amerlinuxsup)

amer_server_mgmt is an AMER global group with GID 1033.  <--- why is sssd
not reporting this?!?

amerlinuxsup is an AMER universal group with GID 1003.

Here is my /etc/sssd/sssd.conf file:

[nss]
debug_level = 9
filter_groups = root
filter_users = root
#entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[sssd]
debug_level = 6
#domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com
# Unnecessary.  If missing, will search in order specified in "domains" line above.
#domain_resolution_order = amer.dell.com, emea.dell.com, apac.dell.com, japn.dell.com, dell.com
config_file_version = 2
services = nss,pam
reconnection_retries = 3
#ldap_user_member_of = member

[pam]
pam_verbosity = 3
debug_level = 9

[domain/amer.dell.com]
debug_level = 9
id_provider = ad
access_provider = simple
#access_provider = ad
auth_provider = ad
ad_domain = amer.dell.com
krb5_realm = AMER.DELL.COM
default_shell = /bin/bash
#use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none

auto_private_groups = True
realmd_tags = joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
fallback_homedir = /home/%u
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealm...@amer.dell.com
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
dyndns_update = False
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = amerlinux...@amer.dell.com, amerlinux...@amer.dell.com, emealinux...@emea.dell.com, AMER.DELL.COM, emealinux...@emea.dell.com, apaclinux...@emea.dell.com, apaclinux...@emea.dell.com

# also look at https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html

[domain/apac.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = apac.dell.com
krb5_realm = APAC.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealm...@amer.dell.com
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, apac.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = apaclinux...@apac.dell.com, apaclinux...@apac.dell.com

[domain/emea.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = emea.dell.com
krb5_realm = EMEA.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealm...@amer.dell.com
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = emealinux...@emea.dell.com, emealinux...@emea.dell.com

[domain/japn.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = japn.dell.com
krb5_realm = JAPN.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealm...@amer.dell.com
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, japn.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = japnlinux...@japn.dell.com, japnlinux...@japn.dell.com
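As an added example (not part of the original mail), the following Python script computes the "diff is:" lists mechanically from two pasted `id` outputs, tolerating the line wrapping that mail clients introduce into the groups list; the embedded sample is the AdmSpike_White pair quoted above, copied as constructed input.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the two `id` outputs the mail gives for
# AdmSpike_White, pasted with the same line wrapping as in the mail.
SSSD_TOKENGROUPS = """uid=2025431(admspike_white) gid=2025431(admspike_white)
groups=2025431(admspike_white),1002(amerlinuxeng)"""

VAS_OUTPUT = """uid=2025431(admspike_white) gid=2025431(admspike_white)
groups=2025431(admspike_white),1002(amerlinuxeng),
1041(linux-core-engineering),1069(users)"""

# One entry of the groups list: "<gid>(<name>)"
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(text: str) -> Dict[int, str]:
    """Return {gid: name} from the groups= field of `id` output.

    Whitespace (including the newlines a mail client inserts) is removed
    from the list before splitting, and a dangling comma is tolerated."""
    _, _, groups = text.partition("groups=")
    if not groups:
        raise ValueError("no groups= field in id output")
    compact = re.sub(r"\s+", "", groups)
    result: Dict[int, str] = {}
    for entry in filter(None, compact.split(",")):
        match = _ENTRY.fullmatch(entry)
        if match is None:
            raise ValueError(f"unparseable group entry: {entry!r}")
        result[int(match.group(1))] = match.group(2)
    return result


def missing_groups(reference: str, observed: str) -> List[Tuple[int, str]]:
    """Groups present in `reference` but absent from `observed`, sorted by
    GID: the same list the mail writes by hand under "diff is:"."""
    ref = parse_id_groups(reference)
    seen = parse_id_groups(observed)
    return sorted((gid, name) for gid, name in ref.items() if gid not in seen)


if __name__ == "__main__":
    # Reference is the host whose membership is known to be complete here
    # (VAS, or sssd with ldap_use_tokengroups = False).
    for gid, name in missing_groups(VAS_OUTPUT, SSSD_TOKENGROUPS):
        print(f"tokengroups-enabled sssd is missing {gid}({name})")
```

Run it against the output of a tokengroups-enabled and a tokengroups-disabled host for the same account to confirm the tokengroups result is a strict subset before deciding whether to turn ldap_use_tokengroups back on.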
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/HKWYWX7MR57HRIPWJW25FK35CZMHZEJQ/