On Fri, Mar 29, 2019 at 9:25 AM Hans Schou <h...@miracle.dk> wrote:

> "getent group <name>" does not give any output at all.
> However "getent passwd" looks correctly up in the AD:
>
> $ getent passwd zmir2
> zmir2:*:2956636:100:Hans Schou:/home/zmir2:/bin/bash
> $ grep -c ^zmir2 /etc/passwd
> 0
>
> nsswitch looks fine:
> $ egrep "^(group|passwd)" /etc/nsswitch.conf
> passwd:     files sss
> group:      files sss
>
> …
>
> # cat /etc/sssd/sssd.conf
> [sssd]
> domains = foo.org
> config_file_version = 2
> services = nss, pam
> [domain/foo.org]
> ad_domain = foo.org
> krb5_realm = FOO.ORG
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> use_fully_qualified_names = False
> fallback_homedir = /home/%u
> access_provider = ad
>
> All on Red Hat 7.6.
>
> The goal is to use an AD group in a samba share but it obviously
> does not lookup groups in the AD, only specific users.

Two things to check:

1. You are setting ldap_id_mapping = False, so that means sssd will
   only map groups that have the gidNumber attribute.  If there is no
   gidNumber attribute on the group, sssd ignores it.

2. sssd only maps security groups (universal, domain local,
   global).

In terms of #2, here are the AD group types, with an asterisk next to
the ones that sssd maps:

    * groupType: -2147483646 (global security group)
    * groupType: -2147483644 (domain local security group)
      groupType: -2147483643 (builtin group)
    * groupType: -2147483640 (universal security group)
      groupType:           2 (global distribution group)
      groupType:           4 (local distribution group)
      groupType:           8 (universal distribution group)

If you want sssd to map a universal distribution group, you will need
to change it to be a mail-enabled universal security group instead.
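The two checks above can be scripted. The following is an added example, not code from the sssd project or from either poster: it decodes the signed 32-bit groupType value (bit meanings taken from the AD schema, the constructed sample entries are not real directory data) and reports why a given group would or would not be mapped by sssd with `id_provider = ad` and `ldap_id_mapping = False`.

```python
# Added example: decode an AD groupType value and decide whether sssd
# (id_provider = ad, ldap_id_mapping = False) would map the group.
# Bit meanings are the AD groupType flags; the sample records are constructed.

GROUP_TYPE_SYSTEM = 0x00000001            # builtin / system-created group
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # clear => distribution group


def decode_group_type(value):
    """Interpret a signed 32-bit groupType as AD stores it (e.g. -2147483646)."""
    bits = value & 0xFFFFFFFF  # -2147483646 -> 0x80000002
    if bits & GROUP_TYPE_GLOBAL:
        scope = "global"
    elif bits & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif bits & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    else:
        scope = "unknown"
    return {
        "scope": scope,
        "security": bool(bits & GROUP_TYPE_SECURITY_ENABLED),
        "builtin": bool(bits & GROUP_TYPE_SYSTEM),
    }


def sssd_would_map(entry):
    """Return (mapped, reason) for one group entry (dict of LDAP attributes)."""
    info = decode_group_type(int(entry["groupType"]))
    if info["builtin"]:
        return False, "builtin group is not mapped"
    if not info["security"]:
        return False, "%s distribution group is not mapped" % info["scope"]
    if "gidNumber" not in entry:
        return False, "ldap_id_mapping = False requires a gidNumber attribute"
    return True, "%s security group, gidNumber %s" % (info["scope"], entry["gidNumber"])


# Constructed sample entries in the shape ldapsearch would return (not real data).
SAMPLE_GROUPS = [
    {"cn": "share-users", "groupType": "-2147483646", "gidNumber": "10001"},
    {"cn": "share-nogid", "groupType": "-2147483646"},
    {"cn": "newsletter", "groupType": "8"},
    {"cn": "Users", "groupType": "-2147483643", "gidNumber": "545"},
]


def report(groups=SAMPLE_GROUPS):
    """Map group cn -> (mapped, reason) for every sample entry."""
    return {g["cn"]: sssd_would_map(g) for g in groups}
```

Running `report()` flags `share-nogid` (no gidNumber) and `newsletter` (universal distribution group) as not mapped, which are the two failure modes described above.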
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org