Jakub,
You said:
> Here are the logs for a specific account failing to look up all groups
> with ldap_use_tokengroups = True.
>
> Logs are at this URL:
>
> https://www.dropbox.com/sh/l37pj104qkrqxfa/AACuKgaQjWZ4MVr1NdEogbcMa?dl=0
>
> I have included the realmd.conf, sssd.conf and krb5.conf as well.
On Mon, Jul 23, 2018 at 12:05:49PM -0400, Mario Rossi wrote:
>
> I am seeing similar issues on CentOS 7, where groups, including primary
> group, cannot be looked up. This is really bad when other services depend on
> group lookups, for example sshd match group statements for enabling
>
Perhaps this is a caching issue? I do have several domains configured,
and each domain has development-wholesale name with different GID. Is
the domains cache configured/hashed based on the group name?
Thanks
On 07/23/2018 12:05 PM, Mario Rossi wrote:
I am seeing similar issues on CentOS 7, where groups, including primary
group, cannot be looked up. This is really bad when other services
depend on group lookups, for example sshd match group statements for
enabling tcpforwarding which otherwise is disabled globally, iptables
group lookups (
> On 22 Jul 2018, at 20:49, Spike White wrote:
>
> I can't replicate that "duplicate domains" situation any more. (I thought
> I'd saved that sssd.conf file, but it doesn't exhibit the same behaviour).
>
> Here are the logs for a specific account failing to look up all groups with
>
I can't replicate that "duplicate domains" situation any more. (I thought
I'd saved that sssd.conf file, but it doesn't exhibit the same behaviour).
Here are the logs for a specific account failing to look up all groups with
ldap_use_tokengroups = True.
Logs are at this URL:
> On 13 Jul 2018, at 17:40, Spike White wrote:
>
> Jakub,
>
> Thank you for answering so promptly.
>
> We are currently testing this in a lab before full deployment, so I have some
> degree of time before we deploy sssd in a bigger context. If you would
> prefer for me to work with you
On Mon, Jul 09, 2018 at 03:11:38PM -0500, Spike White wrote:
> All,
>
> Below is a writeup of missing AD groups for accounts when using
> tokengroups. When not using tokengroups, sssd is rock solid.
>
> Yes, most of the missing AD groups are universal or global groups -- but
> not all! For