> On 13 Jul 2018, at 17:40, Spike White <spikewhit...@gmail.com> wrote:
> 
> Jakub,
> 
> Thank you to answering so promptly.  
> 
> We are currently testing this in a lab before full deployment, so I have some 
> degree of time before we deploy sssd in a bigger context.  If you would 
> prefer for me to work with you directly off-line, please advise.  As an 
> example, the attached sssd_amer.dell.com.log file was originally 40 MB.  (I 
> presume because of debugging level).  Out of respect for others on the 
> mailing list, I severely trimmed the log file to only the lines of interest 
> (I hope).  But it's entirely possible I may have over-trimmed.
> 

I’m afraid so, because the logs say:

(Fri Jul 13 09:25:43 2018) [sssd[be[amer.dell.com]]] [sdap_parse_range] 
(0x2000): No sub-attributes for [tokenGroups]
….

and I’m really interested in this part :-)

(Fri Jul 13 09:25:43 2018) [sssd[be[amer.dell.com]]] 
[sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for 
[admpatrick_whee...@amer.dell.com]
...
(Fri Jul 13 09:25:48 2018) [sssd[be[amer.dell.com]]] 
[sdap_asq_search_parse_entry] (0x2000): Matched objectclass [user] on DN 
[CN=AdmPatrick_Wheeler,OU=AdmAccounts,DC=amer,DC=dell,DC=com], will use 
associated map


> You asked:
>     Can you send logs for a single lookup of "id username" with tokengroups 
> enabled? 
> 
> Attached are the logs.  sssd_amer.dell.com.log and sssd_nss.log, for this 
> lookup:
> 
>    [root@spikerealmd02 sssd]# id admpatrick_wheeler
>    uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) 
> groups=2604370(admpatrick_wheeler),1010(amerunixusers)
> 
> This is with ldap_use_tokengroups = True, so the above lookup is incorrect.
> 
> What it should show is:
>  id admpatrick_wheeler 
> uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) 
> groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)
> 
> You asked:
>    Why do you disable the subdomains provider? Isn't it easier to just list
>    the domains you want to enable using the ad_enabled_domains option?
> 
>    btw this can actually cause issues because the subdomains provider is
>    needed to fetch the joined domain SID at least, among other things. 
> 
> When I ran with:
>       ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, 
> japn.dell.com, dell.com
> 
> it broke cross-subdomain authentication.  that is, I could resolve accounts 
> from the local domain (AMER), but not from any other domain (like apac).  
> When I reviewed the logs, I saw the sssd_nss.log would do a dispatch to the 
> apac.dell.com child, but the dispatch would always fail.
> 
> In sssd_apac.dell.com.log -- the dispatch was never picked up.

Interesting, do you still have the logs around?

> 
> I also noticed that sssctl domain-list gave me this:
> amer.dell.com
> apac.dell.com
> emea.dell.com
> japn.dell.com
> dell.com
> amer.dell.com
> apac.dell.com
> emea.dell.com
> japn.dell.com

Including the duplicate domains? That sounds like a bug..

> 
> I suspect that sssd_nss was attempting to dispatch into this apac.dell.com 
> "ghost" domain and failing.  When I removed ad_enabled_domains (& commented 
> out dell.com as a domain), I noticed sssctl domain-list gave me the expected:
> 
> amer.dell.com
> apac.dell.com
> emea.dell.com
> japn.dell.com
> 
> And cross-subdomain authentication worked (modulo this tokengroups problem 
> where not all groups show up when tokengroups == True).
> 
> You stated:
> > ldap_schema = rfc2307bis
> 
> Please don't set ldap_schema to anything else than 'ad' (the default) with 
> id_provider=ad. 
> 
> Unfortunately, our erstwhile AD administrators when they extended our AD 
> schema years ago did not use an rfc2307 schema extension.  They used a 
> rfc2307bis schema extension instead.  
> 
> I had fits with even basic sssd AD integration until I realized this.  (I 
> thought I was going to have to manually set up ldap_filters for the few 
> quirky LDAP attributes associated with an account, but then I realized this 
> conformed 100% to rfc2307bis.) When I set ldap_schema to rfc2307bis, the 
> basic (same domain) authentication worked (without tokengroups).
> 

I meant something else. Internally in SSSD, ldap_schema=ad is a superset of 
rfc2307bis with some defaults tuned to be AD-specific. And the AD provider 
really does not expect the schema to be set to anything else, moreover there 
are some branches in the underlying LDAP provider (the AD provider is a wrapper 
around the LDAP provider more or less) that check if the schema is set to “ad” 
to follow some AD specific branch.

> Spike
> 
> On Tue, Jul 10, 2018 at 9:59 AM Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Jul 09, 2018 at 03:11:38PM -0500, Spike White wrote:
> > All,
> > 
> > Below is a writeup of missing AD groups for accounts when using
> > tokengroups.  When not using tokengroups, sssd is rock solid.
> > 
> > Yes, most of the missing AD groups are universal or global groups -- but
> > not all!  For some accounts, even domain-local AD groups are missed from
> > their group memberships.  (when using tokengroups).
> 
> [...]
> 
> > tokengroups-disabled SSSD:
> > 
> > uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
> > groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1010(amerunixusers),1003(amerlinuxsup),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),2283577(delta_bd_create_emea),2283643(gebs_read_prd),2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),2283869(cowcprodsupport)
> > 
> > 
> > 
> > vas:
> > 
> > uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
> > groups=2604370(admpatrick_wheeler),
> > 1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)
> > 
> > 
> > 
> > diff is:
> > 
> > 1033(amer_server_mgmt)
> > 
> > 1003(amerlinuxsup)
> > 
> > 
> > 
> > amer_server_mgmt is an AMER global group with GID 1033.  <--- why is sssd
> > not reporting this?!?
> 
> Can you send logs for a single lookup of "id username" with tokengroups
> enabled?
> 
> > 
> > amerlinuxsup is an AMER universal group with GID 1003.
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > Here is my /etc/sssd/sssd.conf file:
> > 
> > [nss]
> > debug_level = 9
> > filter_groups = root
> > filter_users = root
> > #entry_cache_timeout = 300
> > entry_cache_nowait_percentage = 75
> > 
> > [sssd]
> > debug_level = 6
> > #domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
> > domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com
> > # Unnecessary.  If missing, will search in order specified in "domains"
> > lines above.
> > #domain_resolution_order = amer.dell.com, emea.dell.com, apac.dell.com,
> > japn.dell.com, dell.com
> > config_file_version = 2
> > services = nss,pam
> > reconnection_retries = 3
> > #ldap_user_member_of = member
> > 
> > [pam]
> > pam_verbosity = 3
> > debug_level = 9
> > 
> > [domain/amer.dell.com]
> > debug_level = 9
> > id_provider = ad
> > access_provider = simple
> > #access_provider = ad
> > auth_provider = ad
> > ad_domain = amer.dell.com
> > krb5_realm = AMER.DELL.COM
> > default_shell = /bin/bash
> > #use_fully_qualified_names = False
> > ldap_id_mapping = False
> > subdomains_provider = none
> 
> Why do you disable the subdomains provider? Isn't it easier to just list
> the domains you want to enable using the ad_enabled_domains option?
> 
> btw this can actually cause issues because the subdomains provider is
> needed to fetch the joined domain SID at least, among other things.
> 
> I would change this to:
> ad_enabled_domains = amer.dell.com
> 
> > 
> > auto_private_groups = True
> > realmd_tags = joined-with-adcli
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > fallback_homedir = /home/%u
> > ldap_schema = rfc2307bis
> 
> Please don't set ldap_schema to anything else than 'ad' (the default)
> with id_provider=ad. We should probably just disallow changing the
> schema in the code completely.
> 
> > ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
> > #ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
> > #ldap_sasl_authid = spikerealm...@amer.dell.com
> > #TEST REMOVAL. July 4 2018. SW
> > #ad_enabled_domains = amer.dell.com,apac.dell.com,emea.dell.com,
> > japn.dell.com,dell.com
> > dyndns_update = False
> > # TEST -- commented out July 4 to not use tokengroups.
> > ldap_use_tokengroups = False
> > simple_allow_groups = amerlinux...@amer.dell.com, 
> > amerlinux...@amer.dell.com,
> > emealinux...@emea.dell.com, AMER.DELL.COM, emealinux...@emea.dell.com,
> > apaclinux...@emea.dell.com, apaclinux...@emea.dell.com
> > 
> > # also look at
> > https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html
> > 
> > [domain/apac.dell.com]
> > debug_level = 9
> > auto_private_groups = True
> > #use_fully_qualified_names = False
> > ad_domain = apac.dell.com
> > krb5_realm = APAC.DELL.COM
> > cache_credentials = True
> > id_provider = ad
> > auth_provider = ad
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = False
> > fallback_homedir = /home/%u
> > access_provider = simple
> > ldap_schema = rfc2307bis
> > ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
> > #ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
> > #ldap_sasl_authid = spikerealm...@amer.dell.com
> > #TEST REMOVAL. July 4 2018. SW
> > #ad_enabled_domains = amer.dell.com, apac.dell.com, apac.dell.com,
> > japn.dell.com, dell.com
> > dyndns_update = False
> > subdomains_provider = none
> > # TEST -- commented out July 4 to not use tokengroups.
> > ldap_use_tokengroups = False
> > simple_allow_groups = apaclinux...@apac.dell.com, apaclinux...@apac.dell.com
> > 
> > [domain/emea.dell.com]
> > debug_level = 9
> > auto_private_groups = True
> > #use_fully_qualified_names = False
> > ad_domain = emea.dell.com
> > krb5_realm = EMEA.DELL.COM
> > cache_credentials = True
> > id_provider = ad
> > auth_provider = ad
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = False
> > fallback_homedir = /home/%u
> > access_provider = simple
> > ldap_schema = rfc2307bis
> > ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
> > #ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
> > #ldap_sasl_authid = spikerealm...@amer.dell.com
> > #TEST REMOVAL. July 4 2018. SW
> > #ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com,
> > japn.dell.com, dell.com
> > dyndns_update = False
> > subdomains_provider = none
> > # TEST -- commented out July 4 to not use tokengroups.
> > ldap_use_tokengroups = False
> > simple_allow_groups = emealinux...@emea.dell.com, emealinux...@emea.dell.com
> > 
> > [domain/japn.dell.com]
> > debug_level = 9
> > auto_private_groups = True
> > #use_fully_qualified_names = False
> > ad_domain = japn.dell.com
> > krb5_realm = JAPN.DELL.COM
> > cache_credentials = True
> > id_provider = ad
> > auth_provider = ad
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = False
> > fallback_homedir = /home/%u
> > access_provider = simple
> > ldap_schema = rfc2307bis
> > ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
> > #ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
> > #ldap_sasl_authid = spikerealm...@amer.dell.com
> > #TEST REMOVAL. July 4 2018. SW
> > #ad_enabled_domains = amer.dell.com, apac.dell.com, japn.dell.com,
> > japn.dell.com, dell.com
> > dyndns_update = False
> > subdomains_provider = none
> > # TEST -- commented out July 4 to not use tokengroups.
> > ldap_use_tokengroups = False
> > simple_allow_groups = japnlinux...@japn.dell.com, japnlinux...@japn.dell.com
> 
> > _______________________________________________
> > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: 
> > https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/HKWYWX7MR57HRIPWJW25FK35CZMHZEJQ/
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/VJFDAHDRDQPRW6WXT5MZA5KQHSW4KMEQ/
> <sssd_amer.dell.com.log><sssd_nss.log>_______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/MALPUOXZFB7VTK6JZCGGIKZTIXHFMJZU/
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/SRT5K7VHD654TOEJTXZW5HH53VQTYA4A/

Reply via email to