Hi,

I'm about to move our FreeIPA platform into production on Monday but I've
just noticed a worrying issue with sssd - getent group is not showing group
members and id is not showing secondary groups.

Currently all our servers are configured with sssd using our old LDAP
(389-ds) as a backend. It works great, id shows all my secondary groups:

# id peter.pakos
uid=1396(peter.pakos) gid=511(Engineering)
groups=511(Engineering),718(DevOps),701(SSHAllow)

After re-configuring sssd to use FreeIPA's LDAP directory, id is only
showing primary group, the secondary groups are missing:

# id peter.pakos
uid=1396(peter.pakos) gid=511(engineering) groups=511(engineering)

Similarly, getent is not showing group members:

# getent group engineering
engineering:*:511:

Environment:

# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

This is an example sssd.conf file I'm using in my tests:

[domain/ipa.wandisco.com]
# refuse servers whose certificate does not chain to ldap_tls_cacert below
ldap_tls_reqcert = demand
# StartTLS only applies to ldap:// URIs; every ldap_uri below is already ldaps://
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
# generic LDAP provider; no ldap_schema is set, so sssd's default of rfc2307
# applies (group membership read from memberUid)
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# one line in the real file; the list was wrapped by the mail client
ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com, ldaps://ashb01.ipa.wandisco.com, ldaps://ashb02.ipa.wandisco.com, ldaps://frem01.ipa.wandisco.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.wandisco.com

[nss]

[pam]

[sudo]

[autofs]

[ssh]

Am I missing anything in the sssd configuration?

Any advice would be greatly appreciated.

-- 
Kind regards,
 Peter Pakos
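The configuration in the message above is a plain ldap provider pointed at FreeIPA's accounts tree. A practitioner reading it would want to know which setting is absent: FreeIPA groups under cn=groups,cn=accounts record membership in the member attribute (rfc2307bis style) rather than in memberUid, while sssd's ldap provider defaults to ldap_schema = rfc2307, which only consults memberUid, so secondary groups and group member lists come back empty. The script below is an added example, not code from the post or from the SSSD or FreeIPA projects; it lints an sssd.conf for that pitfall and for two smaller ones visible in the same file. The two embedded configurations are constructed for the example (a reduced copy of the posted one and an assumed fix), and the finding codes are names chosen here. Note that ipa-client-install would instead write id_provider = ipa, the native provider that already understands the IPA schema.

```python
"""Lint an sssd.conf for the FreeIPA group-membership pitfall (added example)."""
import configparser

# Constructed: the posted configuration, reduced to the lines that matter.
POSTED_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.wandisco.com

[domain/ipa.wandisco.com]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com
ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True
cache_credentials = True

[nss]
[pam]
[sudo]
"""

# Constructed: the assumed fix. ldap_schema pinned to what FreeIPA serves,
# the redundant StartTLS flag dropped, and the sudo responder actually enabled.
FIXED_CONF = """
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = ipa.wandisco.com

[domain/ipa.wandisco.com]
id_provider = ldap
ldap_schema = rfc2307bis
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com
ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
cache_credentials = True

[nss]
[pam]
[sudo]
"""

# Responders that sssd starts only when named in [sssd] services
# (socket activation arrived in later sssd releases than the one on CentOS 7.2).
RESPONDERS = ("sudo", "ssh", "autofs", "pac", "ifp")


def load(text):
    """Parse sssd.conf text; it is INI-style, and '%' must not be interpolated."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_domain(cp, section):
    """Return (code, message) findings for one [domain/...] section."""
    d = cp[section]
    findings = []
    bases = " ".join(d.get(k, "") for k in ("ldap_search_base", "ldap_group_search_base")).lower()
    # FreeIPA keeps users and groups under cn=accounts and stores membership in
    # 'member' (rfc2307bis). The ldap provider defaults to rfc2307 (memberUid),
    # so without ldap_schema = rfc2307bis every group resolves with no members.
    if d.get("id_provider") == "ldap" and "cn=accounts" in bases \
            and d.get("ldap_schema", "rfc2307") != "rfc2307bis":
        findings.append(("ldap_schema",
                         "ldap provider against a FreeIPA tree without "
                         "ldap_schema = rfc2307bis: secondary groups will be empty"))
    uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
    # StartTLS is performed on ldap:// connections only; on ldaps:// it is a no-op.
    if uris and all(u.startswith("ldaps://") for u in uris) \
            and d.getboolean("ldap_id_use_start_tls", fallback=False):
        findings.append(("start_tls_redundant",
                         "ldap_id_use_start_tls has no effect on ldaps:// URIs"))
    # sssd's default for ldap_tls_reqcert is 'hard'; weaker values disable cert checks.
    if d.get("ldap_tls_reqcert", "hard") in ("never", "allow"):
        findings.append(("tls_reqcert_weak",
                         "ldap_tls_reqcert allows unverified server certificates"))
    return findings


def lint(text):
    """Lint every domain plus responder sections that are present but not enabled."""
    cp = load(text)
    services = set()
    if cp.has_section("sssd"):
        services = {s.strip() for s in cp["sssd"].get("services", "").split(",") if s.strip()}
    findings = []
    for section in cp.sections():
        if section.startswith("domain/"):
            findings += lint_domain(cp, section)
        elif section in RESPONDERS and section not in services:
            findings.append(("responder_not_enabled",
                             f"[{section}] is present but '{section}' is not in [sssd] services"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}:")
        for code, msg in lint(conf) or [("ok", "no findings")]:
            print(f"  {code}: {msg}")
```

Run it as-is to see the posted configuration flagged on all three points and the fixed one come back clean; point `load()` at the contents of a real /etc/sssd/sssd.conf to lint a host. The schema check is deliberately keyed on the cn=accounts search base rather than on the hostname, because that base is the FreeIPA-specific part of the configuration.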
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
