The next phase of this problem..... Group memberships work for local file systems, so SSSD is working correctly. My NFS servers are using a different name service (NIS). This is complicated as we are transitioning from a NIS/NFS environment to something using SSSD/OpenLDAP. If clients are in SSSD/OpenLDAP, but servers are in NIS, then the changes need to be identical in both ID spaces. We can't wholesale flip the environment since it is so large, so we have to be mindful of every endpoint/server and where it gets its ID information. Caching is still tripping us up right now, but we are chasing different services depending where they get their information. This is either fun or a nightmare...I'll report back when I know.
-- 
Shannon

-----Original Message-----
From: Shannon Price via sssd-users <[email protected]>
Sent: Monday, April 21, 2025 3:27 PM
To: End-user discussions about the System Security Services Daemon <[email protected]>
Cc: Shannon Price <[email protected]>
Subject: [SSSD-users]Re: Auth via AD, ID via OpenLDAP (getent and id problem)

This problem is improved now. We had bad guidance for populating our OpenLDAP server. The memberUid field had been populated with the DN instead of the username only. This seemed to be causing the "id", "groups" and "getent groups" commands to choke and not be able to parse the SSSD cache correctly (even though SSSD was respecting group memberships correctly). When we corrected the LDAP entries to only have the username (not "uid=username", not "[email protected]", just username), the three commands worked correctly.

Now things work smoothly....except...adding or removing users from a group works on the OpenLDAP side, but SSSD still sticks to the previous information. When I add/remove a user to/from a group, the id/groups/getent commands reflect the update, but using the chgrp command fails/succeeds even though I have flushed the SSSD cache (sss_cache -E and also sss_cache -G) and also restarted SSSD. The add/remove delay is where we are stuck now.

-- 
Shannon Price
Auburn University

-----Original Message-----
From: Shannon Price via sssd-users <[email protected]>
Sent: Wednesday, April 16, 2025 12:44 PM
To: [email protected]
Cc: Shannon Price <[email protected]>
Subject: [SSSD-users]Auth via AD, ID via OpenLDAP (getent and id problem)

We are testing a new SSSD configuration and we're almost there. Our campus Active Directory does not populate the RFC2307 fields (also there are several different Linux enclaves on campus). Authentication is done against campus AD. We have ID mapping pointing at a different LDAP server (OpenLDAP on RHEL 8.7). Our test client is RHEL 8.6. Our current successful setup is shown below.
We would like to avoid anything that is too obscure or not recommended. We have not found this to be a common configuration (not many examples). It is working for us, however.

 . Install realm and sssd
 . realm join to our domain (actually I used adcli to avoid DynamicDNS failures)
 . Configured [sssd.conf]:

[sssd]
domains = university.edu
config_file_version = 2
services = nss, pam
debug_level = 8

[domain/university.edu]
ad_domain = university.edu
dyndns_update = false
krb5_realm = UNIVERSITY.EDU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
auth_provider = ad
id_provider = ldap
ldap_uri = ldap://ldaptest.university.edu
ldap_default_bind_dn = cn=readonly,ou=system,dc=university,dc=edu
ldap_default_authtok = read_only_password
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = True

[nsswitch.conf]
passwd: sss files systemd
group: sss files systemd

(I've tried without "systemd" as well)
(We had initial problems configuring TLS, so we will address that next)

PROBLEM: SSSD is correctly authenticating and pulling information from LDAP correctly. My UID and group memberships are correct. SSSD knows all of the groups and memberships. The "id" command only shows my default group. The "getent group [email protected]" command gives an error:

error writing group entry: Invalid argument

Is there any fix for these? I found an older reference to "sss_showgroup", but that utility doesn't seem to be included in sss-utils anymore. We are running sssd 2.9.4.
-- 
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
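An added check for the memberUid problem the April 21 message describes (example code, not from the thread or the SSSD project): it parses an ldapsearch-style LDIF dump of posixGroup entries and reports memberUid values that hold a DN or a user@domain string instead of the bare username RFC 2307 expects. The LDIF below is constructed sample data under the thread's dc=university,dc=edu base; the group and user names are made up.

```python
import re

# Constructed sample LDIF (not from the thread): the first group carries the
# wrong memberUid shapes described in the thread, the second one is correct.
SAMPLE_LDIF = """\
dn: cn=linuxadmins,ou=groups,dc=university,dc=edu
objectClass: posixGroup
gidNumber: 5001
memberUid: uid=sprice,ou=people,dc=university,dc=edu
memberUid: jdoe@university.edu
memberUid: asmith

dn: cn=research,ou=groups,dc=university,dc=edu
objectClass: posixGroup
gidNumber: 5002
memberUid: asmith
memberUid: bjones
"""

# An LDAP DN starts with attr=value; RFC 2307 memberUid must be a bare login name.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")

def parse_ldif_groups(text: str) -> dict:
    """Return {group DN: [memberUid values]} from a plain-text LDIF dump.
    Assumes single-line, single-colon values, as ldapsearch prints ASCII data."""
    groups = {}
    dn = None
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            dn = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            dn = value
            groups.setdefault(dn, [])
        elif attr == "memberUid" and dn is not None:
            groups[dn].append(value)
    return groups

def is_bare_username(value: str) -> bool:
    """True when a memberUid is a login name, not a DN or a user@domain form."""
    return not (DN_RE.match(value) or "@" in value)

def find_bad_member_uids(groups: dict) -> dict:
    """Map each group DN to the memberUid values SSSD/nss cannot match."""
    return {dn: [m for m in members if not is_bare_username(m)]
            for dn, members in groups.items()
            if not all(is_bare_username(m) for m in members)}
```

Run it over the output of an ldapsearch for objectClass=posixGroup to list every group whose memberUid values still need to be reduced to plain usernames.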
