I'm trying to integrate SUSE Linux (version 11, patch level 2) with
Microsoft Active Directory (AD) using SSSD version 1.9.4 to make AD
groups available to the Linux OS subsystem (SSSD is not used for
authentication).

I've added "sss" as a source for "passwd", "group" and "shadow" in the
"/etc/nsswitch.conf" file.

I'm seeing SSSD return inconsistent results when fetching user/group
information through the "id" / "getent" commands. It appears that we are facing
this inconsistency only while SSSD interacts with a Windows Server 2008 R2
domain controller, and not while SSSD is interacting with a
Windows Server 2003 R2 based domain controller.

Please find the response/output from the Linux host (terminal) below:

1) For Windows Server 2008 R2 based Domain Controller
controller@indelappvm02:~> id user_hadoop_3001
uid=2763510(user_hadoop_3001) gid=100513(Domain Users) groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),2115887,2812298(Mygroups-hadoop-DAS_ANALYST),2812208(Mygroups-hadoop-CV_US),2809985(Mygroups-hadoop-DB_TICKET),2816149(Mygroups-hadoop-TLM),2827118(Mygroups-hadoop-DAS_ALL),2819228(Mygroups-hadoop-IMAGINE_GED_LON),2820642(Mygroups-hadoop-IMHOTEP),2812212(Mygroups-hadoop-OPEX),2024985,2356240,2358411,2100126,2115932,2099968,2337579,1743308,1463380,2100236,1881724,1707456

As can be seen above, certain GIDs are displayed even though they are not
relevant to the user. When I query the same user again in the same session,
I get the correct results without the additional GIDs. The problem
reappears when the cache has been cleared and the command is re-run.

2) For Windows Server 2003 R2 based Domain Controller
controller@indelappvm02:~> id user_hadoop_3001
uid=2763510(user_hadoop_3001) gid=100513(Domain Users) groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),2812208(Mygroups-hadoop-CV_US),2819228(Mygroups-hadoop-IMAGINE_GED_LON),2827118(Mygroups-hadoop-DAS_ALL),2812298(Mygroups-hadoop-DAS_ANALYST),2809985(Mygroups-hadoop-DB_TICKET),2816149(Mygroups-hadoop-TLM),2820642(Mygroups-hadoop-IMHOTEP),2812212(Mygroups-hadoop-OPEX)

The results are always accurate.

I would appreciate your input in helping solve this problem, in case you have
encountered it in your environment.

SSSD config is attached.

Regards,
Prajwal

[sssd]
debug_level = 5
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 10
services = nss,pam
domains = mytest

[nss]
debug_level = 5
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
debug_level = 0
reconnection_retries = 3
offline_credentials_expiration = 0
offline_failed_login_attempts = 0
offline_failed_login_delay = 5

[domain/local]
id_provider = local
min_id = 1
max_id = 499
enumerate = False

[domain/mytest]
debug_level = 9
description = Kerberos 5 domain with Active Directory servers
id_provider = ldap
auth_provider = krb5
access_provider = ldap
min_id = 500
enumerate = False
timeout = 10
cache_credentials = True
entry_cache_timeout = 300
krb5_canonicalize = False

# General -----------------------
# LDAP
ldap_uri = ldap://inddelvm25.mytest.com
ldap_default_authtok_type = password
ldap_default_bind_dn = [email protected]
ldap_default_authtok = *******

ldap_id_mapping = True
ldap_user_objectsid = objectSid
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 2000000000

ldap_access_filter = (cn=*)
ldap_user_search_base = DC=mytest,DC=com
ldap_group_search_base = DC=mytest,DC=com?subtree?(|(CN=Mygroups-hadoop-*)(CN=Domain Users))
ldap_referrals = False
ldap_search_timeout = 20
ldap_network_timeout = 20

# KRB5
chpass_provider = krb5
ldap_force_upper_case_realm = True
krb5_server = inddelvm25.mytest.com
krb5_realm = mytest.com
krb5_store_password_if_offline = True
krb5_auth_timeout = 15

# Mapping --------------------
ldap_schema = ad
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_group_name = sAMAccountName
ldap_id_use_start_tls = False
krb5_kdcip = inddelvm25.mytest.com
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
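The extra GIDs in the first `id` run above are all printed as bare numbers, i.e. SSSD handed the GID to the NSS layer but could not resolve a group name for it. A quick way to make that visible, and to confirm that the cold-cache/warm-cache (or 2008 R2 / 2003 R2) difference is exactly that set of unnamed GIDs, is to parse the two `id` outputs and diff them. The script below is an added example, not code from the original post or from the SSSD project. The two sample strings are copied from the `id` output in the post; the idmap bounds are the `ldap_idmap_range_min` / `ldap_idmap_range_max` values from the posted sssd.conf. The `rid_if_first_slice` helper assumes SSSD's ID mapping places the domain in the first slice so that `id = range_min + RID`; that is an assumption used only as a sanity hint (it does reproduce 100513 -> RID 513, the well-known Domain Users RID), not something the post confirms.

```python
"""Diagnose inconsistent group lists returned by SSSD via `id`.

Added example (not from the original post): parses `id` output, lists GIDs
that came back without a resolvable group name, diffs two runs, and checks
that every GID lies inside the configured ldap_idmap range.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Sample inputs copied from the post: first query against the 2008 R2 DC
# (cold SSSD cache) and the query against the 2003 R2 DC.
ID_2008R2_COLD = (
    "uid=2763510(user_hadoop_3001) gid=100513(Domain Users) "
    "groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),2115887,"
    "2812298(Mygroups-hadoop-DAS_ANALYST),2812208(Mygroups-hadoop-CV_US),"
    "2809985(Mygroups-hadoop-DB_TICKET),2816149(Mygroups-hadoop-TLM),"
    "2827118(Mygroups-hadoop-DAS_ALL),2819228(Mygroups-hadoop-IMAGINE_GED_LON),"
    "2820642(Mygroups-hadoop-IMHOTEP),2812212(Mygroups-hadoop-OPEX),2024985,"
    "2356240,2358411,2100126,2115932,2099968,2337579,1743308,1463380,2100236,"
    "1881724,1707456"
)
ID_2003R2 = (
    "uid=2763510(user_hadoop_3001) gid=100513(Domain Users) "
    "groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),"
    "2812208(Mygroups-hadoop-CV_US),2819228(Mygroups-hadoop-IMAGINE_GED_LON),"
    "2827118(Mygroups-hadoop-DAS_ALL),2812298(Mygroups-hadoop-DAS_ANALYST),"
    "2809985(Mygroups-hadoop-DB_TICKET),2816149(Mygroups-hadoop-TLM),"
    "2820642(Mygroups-hadoop-IMHOTEP),2812212(Mygroups-hadoop-OPEX)"
)

# Values from the posted sssd.conf [domain/mytest] section.
IDMAP_RANGE_MIN = 100000
IDMAP_RANGE_MAX = 2000100000


class Group(NamedTuple):
    gid: int
    name: str  # "" when `id` printed a bare number (no name was resolved)


def parse_id_groups(id_output: str) -> List[Group]:
    """Extract (gid, name) pairs from the groups= field of one `id` line."""
    match = re.search(r"groups=(.*)$", id_output.strip())
    if not match:
        raise ValueError("no groups= field found in id output")
    # Each entry is NNN or NNN(name); names may contain spaces but not ')'.
    pairs = re.findall(r"(\d+)(?:\(([^)]*)\))?", match.group(1))
    return [Group(int(gid), name) for gid, name in pairs]


def unresolved_gids(groups: List[Group]) -> List[int]:
    """GIDs that SSSD returned as membership but could not name."""
    return [g.gid for g in groups if g.name == ""]


def compare_runs(first: List[Group], second: List[Group]) -> Dict[str, Set[int]]:
    """Set difference of GIDs between two `id` runs for the same user."""
    a = {g.gid for g in first}
    b = {g.gid for g in second}
    return {"only_in_first": a - b, "only_in_second": b - a, "common": a & b}


def out_of_idmap_range(groups: List[Group], range_min: int, range_max: int) -> List[int]:
    """GIDs outside [range_min, range_max]; with ldap_id_mapping these should not occur."""
    return [g.gid for g in groups if not range_min <= g.gid <= range_max]


def rid_if_first_slice(gid: int, range_min: int) -> int:
    """ASSUMPTION: id = range_min + RID for a domain in the first idmap slice.
    Used only as a hint (100513 -> 513, the Domain Users RID)."""
    return gid - range_min


def report(cold: str, warm: str) -> Dict[str, object]:
    """Collect the diagnostics a reporter would paste into a ticket."""
    first, second = parse_id_groups(cold), parse_id_groups(warm)
    return {
        "unresolved_in_first": unresolved_gids(first),
        "unresolved_in_second": unresolved_gids(second),
        "diff": compare_runs(first, second),
        "out_of_range": out_of_idmap_range(first + second, IDMAP_RANGE_MIN, IDMAP_RANGE_MAX),
    }


if __name__ == "__main__":
    for key, value in report(ID_2008R2_COLD, ID_2003R2).items():
        print(f"{key}: {value}")
```

Run against the two outputs from the post, the GIDs present only in the 2008 R2 cold-cache run are exactly the 13 unnamed ones, nothing is missing from the 2003 R2 run, and every GID is inside the configured idmap range. That narrows the question to why the 2008 R2 controller returns memberships that SSSD cannot resolve to a group object on the first lookup, rather than to the ID-mapping configuration itself. On a live host the same functions can be fed `subprocess.run(["id", user], capture_output=True, text=True).stdout` before and after clearing the cache.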