> On 22 Jul 2018, at 20:49, Spike White <spikewhit...@gmail.com> wrote: > > I can't replicate that "duplicate domains" situation any more. (I thought > I'd saved that sssd.conf file, but it doesn't exhibit the same behaviour). > > Here are the logs for a specific account failing to look up all groups with > ldap_use_tokengroups = True. > > Logs are at this URL: > https://www.dropbox.com/sh/l37pj104qkrqxfa/AACuKgaQjWZ4MVr1NdEogbcMa?dl=0 > > I have included the realmd.conf, sssd.conf and krb5.conf as well. > > Here's (incorrect) result back from sssd with ldap_use_tokengroups = True > > [root@spikerealmd02 sssd]# id admpatrick_wheeler > uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) > groups=2604370(admpatrick_wheeler),1010(amerunixusers) >
Thank you, now the logs are more helpful. What I see is repetition of “cant find domain for $SID”. And I believe this is because the subdomains provider is disabled, because (quite confusingly) the subdomains provider is also responsible for fetching information about the joined domain, like its SID or the NetBIOS name. So I think there are three options: 1) add ad_enabled_domains=$self to each of the domains, e.g. add ad_enabled_domains=amer.dell.com to the amer.dell.com domain. This should make sssd fetch info about that domain only. I know you wrote earlier that this gave you some other headaches, but if it does, then there’s another bug.. 2) try to help sssd by setting the domain SID manually with the ldap_idmap_default_domain_sid option 3) just use tokengroups=false as a workaround. > Here is correct result back when ldap_use_tokengropus = False: > > [root@spikerealmd02 sssd]# id admpatrick_wheeler > uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) > groups=2604370(admpatrick_wheeler),2283577(delta_bd_create_emea),2283643(gebs_read_prd),2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),2283869(cowcprodsupport),1010(amerunixusers),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),1033(amer_server_mgmt),1003(amerlinuxsup) > > this is sssd version 1.16.0 > > Spike > > > Thanks, this is more helpful > > On Thu, Jul 19, 2018 at 4:15 AM Jakub Hrozek <jhro...@redhat.com> wrote: > > > > On 13 Jul 2018, at 17:40, Spike White <spikewhit...@gmail.com> wrote: > > > > Jakub, > > > > Thank you to answering so promptly. > > > > We are currently testing this in a lab before full deployment, so I have > > some degree of time before we deploy sssd in a bigger context. If you > > would prefer for me to work with you directly off-line, please advise. As > > an example, the attached sssd_amer.dell.com.log file was originally 40 MB. > > (I presume because of debugging level). Out of respect for others on the > > mailing list, I severely trimmed the log file to only the lines of interest > > (I hope). But it's entirely possible I may have over-trimmed. > > > > I’m afraid so, because the logs say: > > (Fri Jul 13 09:25:43 2018) [sssd[be[amer.dell.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [tokenGroups] > …. > > and I’m really interested in this part :-) > > (Fri Jul 13 09:25:43 2018) [sssd[be[amer.dell.com]]] > [sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for > [admpatrick_whee...@amer.dell.com] > ... > (Fri Jul 13 09:25:48 2018) [sssd[be[amer.dell.com]]] > [sdap_asq_search_parse_entry] (0x2000): Matched objectclass [user] on DN > [CN=AdmPatrick_Wheeler,OU=AdmAccounts,DC=amer,DC=dell,DC=com], will use > associated map > > > > You asked: > > Can you send logs for a single lookup of "id username" with tokengroups > > enabled? > > > > Attached are the logs. sssd_amer.dell.com.log and sssd_nss.log, for this > > lookup: > > > > [root@spikerealmd02 sssd]# id admpatrick_wheeler > > uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) > > groups=2604370(admpatrick_wheeler),1010(amerunixusers) > > > > This is with ldap_use_tokengroups = True, so the above lookup is incorrect. > > > > What it should show is: > > id admpatrick_wheeler > > uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) > > groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers) > > > > You asked: > > Why do you disable the subdomains provider? Isn't it easier to just list > > the domains you want to enable using the ad_enabled_domains option? > > > > btw this can actually cause issues because the subdomains provider is > > needed to fetch the joined domain SID at least, among other things. > > > > When I ran with: > > ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, > > japn.dell.com, dell.com > > > > it broke cross-subdomain authentication. that is, I could resolve accounts > > from the local domain (AMER), but not from any other domain (like apac). > > When I reviewed the logs, I saw the sssd_nss.log would do a dispatch to the > > apac.dell.com child, but the dispatch would always fail. > > > > In sssd_apac.dell.com.log -- the dispatch was never picked up. > > Interesting, do you still have the logs around? > > > > > I also noticed that sssctl domain-list gave me this: > > amer.dell.com > > apac.dell.com > > emea.dell.com > > japn.dell.com > > dell.com > > amer.dell.com > > apac.dell.com > > emea.dell.com > > japn.dell.com > > Including the duplicate domains? That sounds like a bug.. > > > > > I suspect that sssd_nss was attempting to dispatch into this apac.dell.com > > "ghost" domain and failing. When I removed ad_enabled_domains (& commented > > out dell.com as a domain), I noticed sssctl domain-list gave me the > > expected: > > > > amer.dell.com > > apac.dell.com > > emea.dell.com > > japn.dell.com > > > > And cross-subdomain authentication worked (modulo this tokengroups problem > > where not all groups show up when tokengroups == True). > > > > You stated: > > > ldap_schema = rfc2307bis > > > > Please don't set ldap_schema to anything else than 'ad' (the default) with > > id_provider=ad. > > > > Unfortunately, our erstwhile AD administrators when they extended our AD > > schema years ago did not use an rfc2307 schema extension. They used a > > rfc2307bis schema extension instead. > > > > I had fits with even basic sssd AD integration until I realized this. (I > > thought I was going to have to manually set up ldap_filters for the few > > quirky LDAP attributes associated with an account, but then I realized this > > conformed 100% to rfc2307bis.) When I set ldap_schema to rfc2307bis, the > > basic (same domain) authentication worked (without tokengroups). > > > > I meant something else. Internally in SSSD, ldap_schema=ad is a superset of > rfc2307bis with some defaults tuned to be AD-specific. And the AD provider > really does not expect the schema to be set to anything else, moreover there > are some branches in the underlying LDAP provider (the AD provider is a > wrapper around the LDAP provider more or less) that check if the schema is > set to “ad” to follow some AD specific branch. > > > Spike > > > > On Tue, Jul 10, 2018 at 9:59 AM Jakub Hrozek <jhro...@redhat.com> wrote: > > On Mon, Jul 09, 2018 at 03:11:38PM -0500, Spike White wrote: > > > All, > > > > > > Below is a writeup of missing AD groups for accounts when using > > > tokengroups. When not using tokengroups, sssd is rock solid. > > > > > > Yes, most of the missing AD groups are universal or global groups -- but > > > not all! For some accounts, even domain-local AD groups are missed from > > > their group memberships. (when using tokengroups). > > > > [...] > > > > > tokengroups-disabled SSSD: > > > > > > uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) > > > groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1010(amerunixusers),1003(amerlinuxsup),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),2283577(delta_bd_create_emea),2283643(gebs_read_prd),2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),2283869(cowcprodsupport) > > > > > > > > > > > > vas: > > > > > > uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) > > > groups=2604370(admpatrick_wheeler), > > > 1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers) > > > > > > > > > > > > diff is: > > > > > > 1033(amer_server_mgmt) > > > > > > 1003(amerlinuxsup) > > > > > > > > > > > > amer_server_mgmt is an AMER global group with GID 1033. <--- why is sssd > > > not reporting this?!? > > > > Can you send logs for a single lookup of "id username" with tokengroups > > enabled? > > > > > > > > amerlinuxsup is an AMER universal group with GID 1003. > > > > > > > > > > > > > > > > > > > > > > > > Here is my /etc/sssd/sssd.conf file: > > > > > > [nss] > > > debug_level = 9 > > > filter_groups = root > > > filter_users = root > > > #entry_cache_timeout = 300 > > > entry_cache_nowait_percentage = 75 > > > > > > [sssd] > > > debug_level = 6 > > > #domains = > > > amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com > > > domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com > > > # Unnecessary. If missing, will search in order specified in "domains" > > > lines above. > > > #domain_resolution_order = amer.dell.com, emea.dell.com, apac.dell.com, > > > japn.dell.com, dell.com > > > config_file_version = 2 > > > services = nss,pam > > > reconnection_retries = 3 > > > #ldap_user_member_of = member > > > > > > [pam] > > > pam_verbosity = 3 > > > debug_level = 9 > > > > > > [domain/amer.dell.com] > > > debug_level = 9 > > > id_provider = ad > > > access_provider = simple > > > #access_provider = ad > > > auth_provider = ad > > > ad_domain = amer.dell.com > > > krb5_realm = AMER.DELL.COM > > > default_shell = /bin/bash > > > #use_fully_qualified_names = False > > > ldap_id_mapping = False > > > subdomains_provider = none > > > > Why do you disable the subdomains provider? Isn't it easier to just list > > the domains you want to enable using the ad_enabled_domains option? > > > > btw this can actually cause issues because the subdomains provider is > > needed to fetch the joined domain SID at least, among other things. > > > > I would change this to: > > ad_enabled_domains = amer.dell.com > > > > > > > > auto_private_groups = True > > > realmd_tags = joined-with-adcli > > > cache_credentials = True > > > krb5_store_password_if_offline = True > > > fallback_homedir = /home/%u > > > ldap_schema = rfc2307bis > > > > Please don't set ldap_schema to anything else than 'ad' (the default) > > with id_provider=ad. We should probably just disallow changing the > > schema in the code completely. > > > > > ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com > > > #ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM > > > #ldap_sasl_authid = spikerealm...@amer.dell.com > > > #TEST REMOVAL. July 4 2018. SW > > > #ad_enabled_domains = amer.dell.com,apac.dell.com,emea.dell.com, > > > japn.dell.com,dell.com > > > dyndns_update = False > > > # TEST -- commented out July 4 to not use tokengroups. > > > ldap_use_tokengroups = False > > > simple_allow_groups = amerlinux...@amer.dell.com, > > > amerlinux...@amer.dell.com, > > > emealinux...@emea.dell.com, AMER.DELL.COM, emealinux...@emea.dell.com, > > > apaclinux...@emea.dell.com, apaclinux...@emea.dell.com > > > > > > # also look at > > > https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html > > > > > > [domain/apac.dell.com] > > > debug_level = 9 > > > auto_private_groups = True > > > #use_fully_qualified_names = False > > > ad_domain = apac.dell.com > > > krb5_realm = APAC.DELL.COM > > > cache_credentials = True > > > id_provider = ad > > > auth_provider = ad > > > krb5_store_password_if_offline = True > > > default_shell = /bin/bash > > > ldap_id_mapping = False > > > fallback_homedir = /home/%u > > > access_provider = simple > > > ldap_schema = rfc2307bis > > > ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com > > > #ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM > > > #ldap_sasl_authid = spikerealm...@amer.dell.com > > > #TEST REMOVAL. July 4 2018. SW > > > #ad_enabled_domains = amer.dell.com, apac.dell.com, apac.dell.com, > > > japn.dell.com, dell.com > > > dyndns_update = False > > > subdomains_provider = none > > > # TEST -- commented out July 4 to not use tokengroups. > > > ldap_use_tokengroups = False > > > simple_allow_groups = apaclinux...@apac.dell.com, > > > apaclinux...@apac.dell.com > > > > > > [domain/emea.dell.com] > > > debug_level = 9 > > > auto_private_groups = True > > > #use_fully_qualified_names = False > > > ad_domain = emea.dell.com > > > krb5_realm = EMEA.DELL.COM > > > cache_credentials = True > > > id_provider = ad > > > auth_provider = ad > > > krb5_store_password_if_offline = True > > > default_shell = /bin/bash > > > ldap_id_mapping = False > > > fallback_homedir = /home/%u > > > access_provider = simple > > > ldap_schema = rfc2307bis > > > ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com > > > #ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM > > > #ldap_sasl_authid = spikerealm...@amer.dell.com > > > #TEST REMOVAL. July 4 2018. SW > > > #ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, > > > japn.dell.com, dell.com > > > dyndns_update = False > > > subdomains_provider = none > > > # TEST -- commented out July 4 to not use tokengroups. > > > ldap_use_tokengroups = False > > > simple_allow_groups = emealinux...@emea.dell.com, > > > emealinux...@emea.dell.com > > > > > > [domain/japn.dell.com] > > > debug_level = 9 > > > auto_private_groups = True > > > #use_fully_qualified_names = False > > > ad_domain = japn.dell.com > > > krb5_realm = JAPN.DELL.COM > > > cache_credentials = True > > > id_provider = ad > > > auth_provider = ad > > > krb5_store_password_if_offline = True > > > default_shell = /bin/bash > > > ldap_id_mapping = False > > > fallback_homedir = /home/%u > > > access_provider = simple > > > ldap_schema = rfc2307bis > > > ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com > > > #ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM > > > #ldap_sasl_authid = spikerealm...@amer.dell.com > > > #TEST REMOVAL. July 4 2018. SW > > > #ad_enabled_domains = amer.dell.com, apac.dell.com, japn.dell.com, > > > japn.dell.com, dell.com > > > dyndns_update = False > > > subdomains_provider = none > > > # TEST -- commented out July 4 to not use tokengroups. > > > ldap_use_tokengroups = False > > > simple_allow_groups = japnlinux...@japn.dell.com, > > > japnlinux...@japn.dell.com > > > > > _______________________________________________ > > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > > > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > > List Archives: > > > https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/HKWYWX7MR57HRIPWJW25FK35CZMHZEJQ/ > > _______________________________________________ > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/VJFDAHDRDQPRW6WXT5MZA5KQHSW4KMEQ/ > > <sssd_amer.dell.com.log><sssd_nss.log>_______________________________________________ > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/MALPUOXZFB7VTK6JZCGGIKZTIXHFMJZU/ > _______________________________________________ > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/SRT5K7VHD654TOEJTXZW5HH53VQTYA4A/ > _______________________________________________ > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/TDMIDKUPYNDITEMCO7BXVNAVGRUVNGHW/ _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/VGH6T4FDFL7MI4NZFMOP5MQDTSD6GYKE/
