[SSSD-users] Re: SSSD LDAP provider fails to fetch nested groups (groups member of groups)

[Finn Fysj]

> Well, to debug this one needs:
>  - stop sssd
>  - remove old sssd logs (/var/log/sssd/)
>  - set 'debug_level = 9' in [nss] and domain sections of sssd.conf
>  - start sssd
>  - date; id UID
>  - capture logs

I can't pinpoint the problem, example from sssd_nss.log:
(2024-01-21 16:32:33): [nss] [sss_ncache_check_str] (0x2000): [CID#32926] 
Checking negative cache for [NCE/GROUP/default/prod-users@default]
(2024-01-21 16:32:33): [nss] [cache_req_search_done] (0x0400): [CID#32926] CR 
#294846: Returning updated object [GID:650612@default]
(2024-01-21 16:32:33): [nss] [cache_req_create_and_add_result] (0x0400): 
[CID#32926] CR #294846: Found 1 entries in domain default
(2024-01-21 16:32:33): [nss] [cache_req_done] (0x0400): [CID#32926] CR #294846: 
Finished: Success
(2024-01-21 16:32:33): [nss] [sss_ncache_check_str] (0x2000): [CID#32926] 
Checking negative cache for [NCE/USER/default/user1@default]
(2024-01-21 16:32:33): [nss] [sss_domain_get_state] (0x1000): [CID#32926] 
Domain default is Active
(2024-01-21 16:32:33): [nss] [sss_ncache_check_str] (0x2000): [CID#32926] 
Checking negative cache for [NCE/USER/default/user2@default]

The reason I get these two users is because they are direct members of the 
group: prod-users. I'm missing a user3, which is member of a group "devs", 
which is again member of prod-user:

IPA groups:
prod-users:
  users:
    member: user1
    member: user2
 groups:
    member: devs

devs:
  users:
    member: user3
> Then `sssctl analyze --logdir . request list` - it will list 'id'  -
> it will list something like "... [uid 0] CID #1: id"
> And `sssctl analyze --logdir . request show --merge 1` (where 1 is
> from CID #1) will show all log messages related to this lookup.

sssctl analyze didn't give anything that seemed interesting. 


I just don't understand what I'm missing and why sssd is not able to fetch it 
like nss-pam-ldapd.
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue