On 10/22/2013 12:13 PM, ted.r...@faa.gov wrote:
>
> Hi!
>
> We have been working this problem for two weeks debugging. We have
> 389-ds running and multi-master with 3 RHEL6 servers and a RHEL5.
> The RHEL5 ldap clients authenticate correctly to the RHEL6 389-ds
> directory server and with 'id' command can see all groups a user
> belongs to.
> The same command in a RHEL6 ldap client using sssd shows ONLY the
> primary group. If we change the ldap clients to point at the RHEL5
> 389-ds directory server the same results occur. The one consistency
> is any RHEL6 ldap client we setup will authenticate to either RHEL5
> or RHEL6 but the entire list of groups that user belongs to does not
> transfer independent of server version. We have enumerate set to
> true and we have ldap_group_member set to uniqueMember. This seems
> to point to the ldap client as RHEL5 client works just fine and
> both RHEL5 and RHEL6 389-ds servers react the same but we're not
> sure how to correct or is it a bug. HELP?
>
> We had this posted in 389-users but were referred to the sssd list.
> id of a user (id JSmith) only returns the primary group, not a
> complete list of the groups that user belongs to. The getent
> group MyGroup lists the subgroups by names but not the members. On
> a RHEL5 ldap client the same entries provide a complete list of
> groups the user belongs to when entering id JSmith. The getent
> group MyGroup also burrows down through subgroups to list all users
> that belong to that group either directly or because a group they
> belong to belongs to the group MyGroup. Any ideas? The problem
> seems to be with RHEL 6 ldap client and some settings in sssd but
> not sure where to go from here.
>

I suspect that things will work properly if you set
ldap_schema = rfc2307bis
in the [domain/DOMAINNAME] section of /etc/sssd/sssd.conf and run
'service sssd restart'.

For other things to try, check out
https://fedorahosted.org/sssd/wiki/FAQ#CommonIssues

If none of those suggestions work, please follow the tips on
https://fedorahosted.org/sssd/wiki/Troubleshooting for reporting an
issue.
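
A small check for the configuration mismatch the reply suspects, added here as an example and not part of the original thread or of SSSD: it flags LDAP domains in an sssd.conf where ldap_group_member names a DN-valued attribute while ldap_schema is still rfc2307. The helper name audit_group_schema and the sample configuration are constructed for illustration, and the check assumes SSSD's documented default of rfc2307 when ldap_schema is unset.

```python
import configparser

# Constructed sample mirroring the settings described in the question;
# DOMAINNAME is the placeholder used in the reply, not a real domain.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = DOMAINNAME

[domain/DOMAINNAME]
id_provider = ldap
enumerate = true
ldap_group_member = uniqueMember
"""

# Group attributes whose values are member DNs rather than bare user names.
DN_MEMBER_ATTRS = {"member", "uniquemember"}


def audit_group_schema(conf_text):
    """Hypothetical helper: list LDAP domains that use a DN-valued group
    member attribute while ldap_schema is still rfc2307."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        domain = parser[section]
        if domain.get("id_provider", "").strip().lower() != "ldap":
            continue
        # SSSD falls back to rfc2307 when ldap_schema is not set.
        schema = domain.get("ldap_schema", "rfc2307").strip().lower()
        member_attr = domain.get("ldap_group_member", "").strip().lower()
        if schema == "rfc2307" and member_attr in DN_MEMBER_ATTRS:
            findings.append((section, member_attr, schema))
    return findings


if __name__ == "__main__":
    for section, attr, schema in audit_group_schema(SAMPLE_CONF):
        print(f"[{section}] ldap_group_member={attr} but ldap_schema={schema}; "
              "consider ldap_schema = rfc2307bis")
```

Because group membership often drives access decisions, a client that resolves only the primary group can grant or deny differently from its peers, so a check like this is worth running across all client configurations.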