Here is the correct result back when ldap_use_tokengroups = False:
[root@spikerealmd02 sssd]# id admpatrick_wheeler
uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
groups=2604370(admpatrick_wheeler),2283577(delta_bd_create_emea),2283643(gebs_read_prd),2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),2283869(cowcprodsupport),1010(amerunixusers),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),1033(amer_server_mgmt),1003(amerlinuxsup)
this is sssd version 1.16.0
Spike
On Thu, Jul 19, 2018 at 4:15 AM Jakub Hrozek <jhro...@redhat.com> wrote:
On 13 Jul 2018, at 17:40, Spike White <spikewhit...@gmail.com> wrote:
Jakub,
Thank you for answering so promptly.
We are currently testing this in a lab before full deployment, so I have some
degree of time before we deploy sssd in a bigger context. If you would prefer
for me to work with you directly off-line, please advise. As an example, the
attached sssd_amer.dell.com.log file was originally 40 MB. (I presume because
of debugging level). Out of respect for others on the mailing list, I severely
trimmed the log file to only the lines of interest (I hope). But it's entirely
possible I may have over-trimmed.
I’m afraid so, because the logs say:
(Fri Jul 13 09:25:43 2018) [sssd[be[amer.dell.com]]] [sdap_parse_range]
(0x2000): No sub-attributes for [tokenGroups]
….
and I’m really interested in this part :-)
(Fri Jul 13 09:25:43 2018) [sssd[be[amer.dell.com]]]
[sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for
[admpatrick_whee...@amer.dell.com]
...
(Fri Jul 13 09:25:48 2018) [sssd[be[amer.dell.com]]]
[sdap_asq_search_parse_entry] (0x2000): Matched objectclass [user] on DN
[CN=AdmPatrick_Wheeler,OU=AdmAccounts,DC=amer,DC=dell,DC=com], will use
associated map
You asked:
Can you send logs for a single lookup of "id username" with tokengroups
enabled?
Attached are the logs. sssd_amer.dell.com.log and sssd_nss.log, for this
lookup:
[root@spikerealmd02 sssd]# id admpatrick_wheeler
uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
groups=2604370(admpatrick_wheeler),1010(amerunixusers)
This is with ldap_use_tokengroups = True, so the above lookup is incorrect.
What it should show is:
id admpatrick_wheeler
uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)
You asked:
Why do you disable the subdomains provider? Isn't it easier to just list
the domains you want to enable using the ad_enabled_domains option?
btw this can actually cause issues because the subdomains provider is
needed to fetch the joined domain SID at least, among other things.
When I ran with:
ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com,
japn.dell.com, dell.com
it broke cross-subdomain authentication. That is, I could resolve accounts
from the local domain (AMER), but not from any other domain (like apac). When
I reviewed the logs, I saw the sssd_nss.log would do a dispatch to the
apac.dell.com child, but the dispatch would always fail.
In sssd_apac.dell.com.log -- the dispatch was never picked up.
Interesting, do you still have the logs around?
I also noticed that sssctl domain-list gave me this:
amer.dell.com
apac.dell.com
emea.dell.com
japn.dell.com
dell.com
amer.dell.com
apac.dell.com
emea.dell.com
japn.dell.com
Including the duplicate domains? That sounds like a bug.
I suspect that sssd_nss was attempting to dispatch into this apac.dell.com "ghost"
domain and failing. When I removed ad_enabled_domains (& commented out dell.com as a
domain), I noticed sssctl domain-list gave me the expected:
amer.dell.com
apac.dell.com
emea.dell.com
japn.dell.com
And cross-subdomain authentication worked (modulo this tokengroups problem
where not all groups show up when tokengroups == True).
You stated:
ldap_schema = rfc2307bis
Please don't set ldap_schema to anything else than 'ad' (the default) with
id_provider=ad.
Unfortunately, our erstwhile AD administrators when they extended our AD schema
years ago did not use an rfc2307 schema extension. They used a rfc2307bis
schema extension instead.
I had fits with even basic sssd AD integration until I realized this. (I
thought I was going to have to manually set up ldap_filters for the few quirky
LDAP attributes associated with an account, but then I realized this conformed
100% to rfc2307bis.) When I set ldap_schema to rfc2307bis, the basic (same
domain) authentication worked (without tokengroups).
I meant something else. Internally in SSSD, ldap_schema=ad is a superset of
rfc2307bis with some defaults tuned to be AD-specific. And the AD provider
really does not expect the schema to be set to anything else, moreover there
are some branches in the underlying LDAP provider (the AD provider is a wrapper
around the LDAP provider more or less) that check if the schema is set to “ad”
to follow some AD specific branch.
Spike
On Tue, Jul 10, 2018 at 9:59 AM Jakub Hrozek <jhro...@redhat.com> wrote:
On Mon, Jul 09, 2018 at 03:11:38PM -0500, Spike White wrote:
All,
Below is a writeup of missing AD groups for accounts when using
tokengroups. When not using tokengroups, sssd is rock solid.
Yes, most of the missing AD groups are universal or global groups -- but
not all! For some accounts, even domain-local AD groups are missed from
their group memberships. (when using tokengroups).
[...]
tokengroups-disabled SSSD:
uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1010(amerunixusers),1003(amerlinuxsup),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),2283577(delta_bd_create_emea),2283643(gebs_read_prd),2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),2283869(cowcprodsupport)
vas:
uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
groups=2604370(admpatrick_wheeler),
1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)
diff is:
1033(amer_server_mgmt)
1003(amerlinuxsup)
amer_server_mgmt is an AMER global group with GID 1033. <--- why is sssd
not reporting this?!?
Can you send logs for a single lookup of "id username" with tokengroups
enabled?
amerlinuxsup is an AMER universal group with GID 1003.
Here is my /etc/sssd/sssd.conf file:
[nss]
debug_level = 9
filter_groups = root
filter_users = root
#entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[sssd]
debug_level = 6
#domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com
# Unnecessary. If missing, will search in order specified in "domains" lines above.
#domain_resolution_order = amer.dell.com, emea.dell.com, apac.dell.com, japn.dell.com, dell.com
config_file_version = 2
services = nss,pam
reconnection_retries = 3
#ldap_user_member_of = member
[pam]
pam_verbosity = 3
debug_level = 9
[domain/amer.dell.com]
debug_level = 9
id_provider = ad
access_provider = simple
#access_provider = ad
auth_provider = ad
ad_domain = amer.dell.com
krb5_realm = AMER.DELL.COM
default_shell = /bin/bash
#use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
Why do you disable the subdomains provider? Isn't it easier to just list
the domains you want to enable using the ad_enabled_domains option?
btw this can actually cause issues because the subdomains provider is
needed to fetch the joined domain SID at least, among other things.
I would change this to:
ad_enabled_domains = amer.dell.com
auto_private_groups = True
realmd_tags = joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
fallback_homedir = /home/%u
ldap_schema = rfc2307bis
Please don't set ldap_schema to anything else than 'ad' (the default)
with id_provider=ad. We should probably just disallow changing the
schema in the code completely.
ldap_sasl_authid =host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid =SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid =spikerealm...@amer.dell.com
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
dyndns_update = False
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups =amerlinux...@amer.dell.com,amerlinux...@amer.dell.com,emealinux...@emea.dell.com, AMER.DELL.COM,emealinux...@emea.dell.com,apaclinux...@emea.dell.com,apaclinux...@emea.dell.com
# also look at
https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html
[domain/apac.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = apac.dell.com
krb5_realm = APAC.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid =host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid =SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid =spikerealm...@amer.dell.com
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, apac.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups =apaclinux...@apac.dell.com,apaclinux...@apac.dell.com
[domain/emea.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = emea.dell.com
krb5_realm = EMEA.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid =host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid =SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid =spikerealm...@amer.dell.com
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups =emealinux...@emea.dell.com,emealinux...@emea.dell.com
[domain/japn.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = japn.dell.com
krb5_realm = JAPN.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid =host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid =SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid =spikerealm...@amer.dell.com
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, japn.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups =japnlinux...@japn.dell.com,japnlinux...@japn.dell.com
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/HKWYWX7MR57HRIPWJW25FK35CZMHZEJQ/
<sssd_amer.dell.com.log><sssd_nss.log>
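The thread above does three checks by hand: it diffs the `id` output of a lookup with ldap_use_tokengroups = False against the same lookup with it set to True to find the groups SSSD drops, it spots the duplicated entries in `sssctl domain-list`, and Jakub points out two sssd.conf settings that should not be combined with id_provider = ad (ldap_schema other than 'ad', and subdomains_provider = none). The script below automates those three checks. It is an added example and not code from the SSSD project or from either participant; the function names are hypothetical, and the sample `id` lines, domain list and sssd.conf fragment are constructed from the values quoted in the thread.

```python
"""Diagnostic helpers for the SSSD/AD group-membership problem discussed in
this thread.  Added example; the sample inputs are constructed from values
quoted in the thread and are not real lookups or a real configuration."""
import configparser
import re

# Constructed sample: `id` output with ldap_use_tokengroups = False (the reference)
ID_TOKENGROUPS_OFF = (
    "uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) "
    "groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),"
    "1010(amerunixusers),1003(amerlinuxsup),1156(gbl_server_support)"
)
# Constructed sample: the same lookup with ldap_use_tokengroups = True
ID_TOKENGROUPS_ON = (
    "uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) "
    "groups=2604370(admpatrick_wheeler),1010(amerunixusers)"
)
# Constructed sample: `sssctl domain-list` output with subdomains listed twice
DOMAIN_LIST = "amer.dell.com\napac.dell.com\nemea.dell.com\namer.dell.com\napac.dell.com\n"
# Constructed sample sssd.conf fragment carrying both settings the thread warns about
SSSD_CONF = """
[sssd]
domains = amer.dell.com
[domain/amer.dell.com]
id_provider = ad
ldap_schema = rfc2307bis
subdomains_provider = none
ldap_use_tokengroups = True
"""

_GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(id_output):
    """Return {gid: name} for the groups= field of one line of `id` output."""
    match = re.search(r"groups=(\S+)", id_output)
    if not match:
        return {}
    return {int(gid): name for gid, name in _GROUP_RE.findall(match.group(1))}


def missing_groups(reference_output, observed_output):
    """Groups present in the reference lookup but absent from the observed one,
    as a sorted list of (gid, name) tuples: the "diff is:" step from the thread."""
    ref = parse_id_groups(reference_output)
    obs = parse_id_groups(observed_output)
    return sorted((gid, name) for gid, name in ref.items() if gid not in obs)


def duplicate_domains(domain_list_output):
    """Domain names that `sssctl domain-list` printed more than once, in order."""
    seen, dups = set(), []
    for line in domain_list_output.splitlines():
        name = line.strip()
        if not name:
            continue
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def lint_sssd_conf(conf_text):
    """Flag, per [domain/...] section, the settings the thread advises against:
    ldap_schema other than 'ad' together with id_provider = ad, and
    subdomains_provider = none.  Returns a list of (section, message) tuples."""
    # sssd.conf values may contain '%u'; disable interpolation so they parse.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = parser[section]
        if opts.get("id_provider", "").strip() == "ad":
            schema = opts.get("ldap_schema", "ad").strip()
            if schema != "ad":
                findings.append((section, f"ldap_schema = {schema}; keep the default 'ad' with id_provider = ad"))
        if opts.get("subdomains_provider", "").strip() == "none":
            findings.append((section, "subdomains_provider = none; the subdomains provider is needed to fetch the joined domain SID"))
    return findings


if __name__ == "__main__":
    for gid, name in missing_groups(ID_TOKENGROUPS_OFF, ID_TOKENGROUPS_ON):
        print(f"missing with tokengroups enabled: {gid}({name})")
    print("duplicate domains:", duplicate_domains(DOMAIN_LIST))
    for section, msg in lint_sssd_conf(SSSD_CONF):
        print(f"[{section}] {msg}")
```

To use it on a real host, replace the constructed strings with the captured output of `id <user>` under each setting, of `sssctl domain-list`, and with the contents of /etc/sssd/sssd.conf; the group diff is keyed on GID rather than name so that a group renamed between lookups is still reported.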