This problem is improved now. We had bad guidance for populating our OpenLDAP server. The memberUid field had been populated with the DN instead of the username only. This seemed to be causing the "id", "groups" and "getent group" commands to choke and not be able to parse the SSSD cache correctly (even though SSSD was respecting group memberships correctly). When we corrected the LDAP entries to only have the username (not "uid=username", not "[email protected]", just username), the three commands worked correctly.
Now things work smoothly....except...adding or removing users from a group works on the OpenLDAP side, but SSSD still sticks to the previous information. When I add/remove a user to/from a group, the id/groups/getent commands reflect the update, but using the chgrp command fails/succeeds even though I have flushed the SSSD cache (sss_cache -E and also sss_cache -G) and also restarted SSSD. The add/remove delay is where we are stuck now.

--
Shannon Price
Auburn University

-----Original Message-----
From: Shannon Price via sssd-users <[email protected]>
Sent: Wednesday, April 16, 2025 12:44 PM
To: [email protected]
Cc: Shannon Price <[email protected]>
Subject: [SSSD-users] Auth via AD, ID via OpenLDAP (getent and id problem)

We are testing a new SSSD configuration and we're almost there. Our campus Active Directory does not populate the RFC2307 fields (also there are several different Linux enclaves on campus). Authentication is done against campus AD. We have ID mapping pointing at a different LDAP server (OpenLDAP on RHEL 8.7). Our test client is RHEL 8.6. Our current successful setup is shown below. We would like to avoid anything that is too obscure or not recommended. We have not found this to be a common configuration (not many examples). It is working for us, however.

. Install realm and sssd
. realm join to our domain (actually I used adcli to avoid DynamicDNS failures)
. Configured [sssd.conf]:

    [sssd]
    domains = university.edu
    config_file_version = 2
    services = nss, pam
    debug_level = 8

    [domain/university.edu]
    ad_domain = university.edu
    dyndns_update = false
    krb5_realm = UNIVERSITY.EDU
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    auth_provider = ad
    id_provider = ldap
    ldap_uri = ldap://ldaptest.university.edu
    ldap_default_bind_dn = cn=readonly,ou=system,dc=university,dc=edu
    ldap_default_authtok = read_only_password
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    use_fully_qualified_names = True

    [nsswitch.conf]
    passwd: sss files systemd
    group: sss files systemd

(I've tried without "systemd" as well)

(We had initial problems configuring TLS, so we will address that next)

PROBLEM: SSSD is correctly authenticating and pulling information from LDAP correctly. My UID and group memberships are correct. SSSD knows all of the groups and memberships. The "id" command only shows my default group. The "getent group [email protected]" command gives an error:

    error writing group entry: Invalid argument

Is there any fix for these? I found an older reference to "sss_showgroup", but that utility doesn't seem to be included in sss-utils anymore. We are running sssd 2.9.4.
--
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
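The root cause reported in the reply above (memberUid populated with a DN or a mail-style name where RFC 2307 expects the bare uid) is easy to catch in an LDIF export before SSSD ever sees it. The script below is an added example, not part of this thread and not SSSD or OpenLDAP code: it walks an LDIF dump (such as the output of slapcat or ldapsearch), flags every posixGroup memberUid value that is a DN, a mail-style name, otherwise malformed, or not the uid of any posixAccount in the same export, and proposes the bare username where one can be derived. The sample LDIF, its DNs, users and groups are all constructed for the example; base64 ("::") attribute values are not decoded, which is an assumption that keeps the parser small.

```python
"""Audit posixGroup memberUid values in an LDIF export.

RFC 2307 expects memberUid to hold the bare login name (the posixAccount
uid). SSSD-backed "id"/"groups"/"getent group" lookups misbehave when the
value is a DN or a user@domain string instead. This script reports such
values and suggests the bare uid. Example code, not SSSD/OpenLDAP code.
"""
import re

# Constructed sample export (not real directory data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=edu
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 20001

dn: uid=bob,ou=people,dc=example,dc=edu
objectClass: posixAccount
uid: bob
uidNumber: 10002
gidNumber: 20001

dn: cn=good,ou=groups,dc=example,dc=edu
objectClass: posixGroup
cn: good
gidNumber: 20002
memberUid: alice
memberUid: bob

dn: cn=bad,ou=groups,dc=example,dc=edu
objectClass: posixGroup
cn: bad
gidNumber: 20003
memberUid: uid=alice,ou=people,dc=example,dc=edu
memberUid: bob@example.edu
memberUid: carol
"""

BARE_UID_RE = re.compile(r"^[a-z_][a-z0-9_.-]*$")      # typical POSIX login name
DN_UID_RE = re.compile(r"^\s*uid=([^,]+),", re.IGNORECASE)  # leading RDN of a user DN


def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute names lower-cased,
    each mapped to its list of values. Folded lines are joined; '::' (base64)
    and ':<' (URL) values are left undecoded (assumption for this example)."""
    entries, lines = [], []

    def flush(attr_lines):
        entry = {}
        for line in attr_lines:
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                 # blank line ends an entry
            flush(lines)
            lines = []
        elif raw.startswith(" ") and lines:  # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    flush(lines)
    return entries


def classify_member_uid(value, known_uids):
    """None for a bare uid of a known account, else a short problem label."""
    if "=" in value:
        return "dn-form"
    if "@" in value:
        return "mail-form"
    if not BARE_UID_RE.match(value):
        return "malformed"
    if value not in known_uids:
        return "unknown-user"
    return None


def suggest_bare_uid(value):
    """Bare username derived from a DN (uid=... RDN) or user@domain value;
    None when no safe suggestion exists."""
    m = DN_UID_RE.match(value)
    if m:
        return m.group(1).strip()
    if "@" in value and "=" not in value:
        return value.split("@", 1)[0]
    return None


def audit_groups(ldif_text):
    """Map group cn -> [(bad value, problem label, suggested bare uid)]."""
    entries = parse_ldif(ldif_text)

    def classes(e):
        return {c.lower() for c in e.get("objectclass", [])}

    known = {u for e in entries if "posixaccount" in classes(e) for u in e.get("uid", [])}
    findings = {}
    for e in entries:
        if "posixgroup" not in classes(e):
            continue
        problems = [(v, label, suggest_bare_uid(v))
                    for v in e.get("memberuid", [])
                    if (label := classify_member_uid(v, known))]
        if problems:
            findings[e.get("cn", ["?"])[0]] = problems
    return findings


if __name__ == "__main__":
    for group, problems in audit_groups(SAMPLE_LDIF).items():
        for value, label, fix in problems:
            print(f"{group}: memberUid '{value}' is {label}; suggest: {fix}")
```

Run it against `slapcat -l export.ldif` output (or an ldapsearch dump) and fix any "dn-form" or "mail-form" hits with the suggested bare uid; "unknown-user" hits are memberUid values with no matching posixAccount in the export and need a look by hand. After correcting the directory, an `sss_cache -G` (and, if needed, an SSSD restart) is still required for the client to pick the change up, as the thread notes.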
