Hi, I was wondering if anyone has successfully fixed this. I'm working on upgrading servers and client machines, and any time I use a newer SSSD package I'm unable to get groups for the users when they log in. (This is SSSD 1.16.1 on ubt18.04).
The problem can be summed up as, root@ubt18-test:# sssd --version 1.16.1 root@ubt18-test:# groups user1 user1 : groups: cannot find name for group ID 33111 33111 groups: cannot find name for group ID 33118 33118 root@ubt18-test:# getent group | grep 33111 unix_users:*:33111: root@ubt18-test:# groups user2 user2 : groups: cannot find name for group ID 33111 33111 root@ubt18-test:# su user2 groups: cannot find name for group ID 33111 user2@ubt18-test:$ groups groups: cannot find name for group ID 33111 33111 -- root@ubt18-test:# getent group unix_users unix_users:*:33111: root@ubt18-test:# groups user2 user2 : unix_users root@blair-ubt18-test:/var/log/sssd# groups user1 user1 : unix_users groups: cannot find name for group ID 33118 33118 This is an odd sequence of events, but notice that I can't get the group for a given user. It shows up only as GID. However, that GID _is_ listed in the output of `getent group`, so it's there, the system can see it, and SSSD is aware of it. Trying again, that gid still won't map to a name when I get the user's groups. The odd part is that if I get the group specifically (`getent group unix_users`), then the mapping for that group thereafter succeeds. Does anyone know what's going on? Of course, everything is working as expected with an earlier version -- 1.13.4. The only fix that I've seen is to recreate every LDAP group in the local groups file, but that seems contrary to the point of using LDAP. I'd like to avoid it. /etc/nsswitch.conf: #passwd: compat systemd sss #group: compat systemd sss passwd: compat sss group: compat sss # it's the same with/without systemd /etc/sssd/sssd.conf: [domain/LOCAL] enumerate = True id_provider = local max_id = 9999 min_id = 1000 [domain/MYDOMAIN] access_provider = simple auth_provider = krb5 debug_level = 0xFF0 cache_credentials = True chpass_provider = krb5 enumerate = True id_provider = ldap krb5_kpasswd = core-dc1.mydomain.cxm krb5_realm = mydomain.cxm krb5_renewable_lifetime = 7d krb5_server = core-dc1.mydomain.cxm ldap_default_authtok = thepassword ldap_default_authtok_type = password ldap_default_bind_dn = cn=LDAP Bind,ou=ServiceAccounts,ou=_ MyDomain,dc=mydomain,dc=cxm ldap_group_object_class = group ldap_group_search_base = OU=_MyDomain,DC=MYDOMAIN,DC=CXM ldap_search_base = DC=MYDOMAIN,DC=CXM ldap_tls_reqcert = never ldap_uri = ldap://core-dc1.mydomain.cxm ldap_user_home_directory = unixHomeDirectory ldap_user_name = sAMAccountName ldap_user_object_class = user ldap_user_search_base = OU=_MyDomain,DC=MYDOMAIN,DC=CXM [nss] filter_groups = root filter_users = root reconnection_retries = 50 [pam] pam_verbosity = 3 reconnection_retries = 50 [sssd] config_file_version = 2 debug_level = 0xFF0 domains = LOCAL, MYDOMAIN reconnection_retries = 50 sbus_timeout = 5 services = nss, pam
_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/GUANE7YHY4PAECJ3U7P3KYTXSUCZ2AWP/