On Fri, Jul 06, 2018 at 01:41:38PM +0000, Ratliff, John wrote:
>
>
> On Fri, 2018-07-06 at 10:55 +0200, Sumit Bose wrote:
> > On Thu, Jul 05, 2018 at 08:09:55PM +0000, Ratliff, John wrote:
> >
> > >
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_print_server]
> > (0x2000): Searching 134.68.239.131:389
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > [no filter][CN=jdratlif,OU=Accounts,DC=ads,DC=iu,DC=edu].
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups]
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid =
> > 15
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_op_add]
> > (0x2000): New operation 15 timeout 6
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > [sdap_process_result] (0x2000): Trace: sh[0x564b5d62f090],
> > connected[1], ops[(nil)], ldap[0x564b5d62d1e0]
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > [sdap_process_result] (0x2000): Trace: end of ldap_result list
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > [sdap_process_result] (0x2000): Trace: sh[0x564b5d61dd00],
> > connected[1], ops[0x564b5d63a360], ldap[0x564b5d5a0c60]
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > [sdap_process_message] (0x4000): Message type:
> > [LDAP_RES_SEARCH_ENTRY]
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_parse_entry]
> > (0x1000): OriginalDN: [CN=jdratlif,OU=Accounts,DC=ads,DC=iu,DC=edu].
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_parse_entry]
> > (0x1000): Entry has no attributes [0(Success)]!?
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > [sdap_process_result] (0x2000): Trace: sh[0x564b5d61dd00],
> > connected[1], ops[0x564b5d63a360], ldap[0x564b5d5a0c60]
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > [sdap_process_message] (0x4000): Message type:
> > [LDAP_RES_SEARCH_RESULT]
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0),
> > no errmsg set
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > [sdap_op_destructor] (0x2000): Operation 15 finished
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > [sdap_get_ad_tokengroups_done] (0x1000): No tokenGroups entries for [
> > jdrat...@ads.iu.edu]
> > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [ldb] (0x4000):
> > start ldb transaction (nesting: 0)
> >
> > this makes SSSD assume that the user is not a member of any group.
> >
> > Please try to set 'ldap_use_tokengroups=False' (see man sssd-ldap for
> > details) and check if the group memberships are reported more
> > reliably.
> >
> > Afaik the issue with the tokenGroups might indicate that the used AD DC
> > has issues reaching a Global Catalog server.
>
> Thank you for the information. I don't know what to do about it at the
> moment. Adding that parameter makes id freeze when I run it. It seems
> to be unable to handle it when this parameter exists.

If the group membership is very deep and complex, running id might take
a very long time because without using tokenGroups, the group hierarchy
must be traversed from the user "up". Looking at the debug logs might
give a clue about what the sssd is doing.

>
> I'm unclear what you mean by AD DC has issues reaching the global
> catalog server. Do you mean my server is having trouble, or the DC
> itself?
>
> One more thing I found interesting. I made another RHEL7 box and used
> winbind instead of sssd and group membership works fine there.
>
> I made another virtual machine and tried realmd/sssd again. I took it
> off the virtual machine NAT and gave it a public IP and disabled the
> firewall to make sure that wasn't causing any issues, but there was no
> change.
>
> This still feels like an sssd configuration problem to me, though I'm
> not sure what to do about it at the moment.
>
> Thanks for your assistance.
>
> --
> John Ratliff
> Research Storage / UITS / Pervasive Technology Institute
> Indiana University | https://pti.iu.edu
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/2FPUT7PHHJAYYKS57PUXPOG57OIJMGGW/
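
The log pattern discussed in this thread (a tokenGroups search that returns an entry with no attributes, after which SSSD treats the user as having no groups) can be picked out of a domain debug log automatically. The script below is an added example, not part of the original messages or of SSSD; the domain `example.com`, the users and the sample lines are constructed, and it assumes one log message per line as SSSD writes them (not the mail-wrapped form quoted above).

```python
import re

# (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                     r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[[^\]]*\]\[(?P<dn>[^\]]*)\]")
EMPTY_RE = re.compile(r"No tokenGroups entries for \[(?P<user>[^\]]+)\]")

def find_empty_tokengroups(lines):
    """Return one finding per tokenGroups lookup that yielded no groups."""
    findings, state = [], {}   # state: per-domain view of the search in progress
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue           # wrapped, truncated or foreign lines are skipped
        st = state.setdefault(m["domain"], {"dn": None, "token": False, "empty": False})
        func, msg = m["func"], m["msg"]
        if func == "sdap_get_generic_ext_step":
            s = SEARCH_RE.search(msg)
            if s:              # a new LDAP search starts: forget the previous one
                st.update(dn=s["dn"], token=False, empty=False)
            elif "Requesting attrs: [tokenGroups]" in msg:
                st["token"] = True
        elif func == "sdap_parse_entry" and "Entry has no attributes" in msg:
            st["empty"] = st["token"]   # only counts for a tokenGroups search
        elif func == "sdap_get_ad_tokengroups_done":
            e = EMPTY_RE.search(msg)
            if e:
                findings.append({"time": m["ts"], "domain": m["domain"], "user": e["user"],
                                 "dn": st["dn"] if st["token"] else None,
                                 "entry_without_attrs": st["empty"]})
                st.update(dn=None, token=False, empty=False)
    return findings

# Constructed sample (hypothetical domain and users), modelled on the quoted log.
P = "[sssd[be[example.com]]]"
SAMPLE_LOG = [
    f"(Thu Jul 5 16:04:42 2018) {P} [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=jdoe,OU=Accounts,DC=example,DC=com].",
    f"(Thu Jul 5 16:04:42 2018) {P} [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups]",
    f"(Thu Jul 5 16:04:42 2018) {P} [sdap_parse_entry] (0x1000): Entry has no attributes [0(Success)]!?",
    f"(Thu Jul 5 16:04:42 2018) {P} [sdap_get_ad_tokengroups_done] (0x1000): No tokenGroups entries for [jdoe@example.com]",
    f"(Thu Jul 5 16:05:10 2018) {P} [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=asmith,OU=Accounts,DC=example,DC=com].",
    f"(Thu Jul 5 16:05:10 2018) {P} [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups]",
    f"(Thu Jul 5 16:05:10 2018) {P} [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set",
]

if __name__ == "__main__":
    for finding in find_empty_tokengroups(SAMPLE_LOG):
        print(finding)
```
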