Hello, I'm struggling with the configuration of sssd to retrieve group information defined in a subdomain. I would like to have your support to solve my issue.
Here is my AD configuration. There are 3 AD servers.

Root Domain labroot.example.com (just for top AD management)
Sub Domain labsso.labroot.example.com (user, global group and universal group are defined here)
Subsub Domain labbu.labsso.labroot.example.com (local domain group is defined here)

I created a user and groups in those AD servers as below.

User/Groups in Domain sso.example.com
========================
User test_user (MemberOf=G-Group-Server)
Group G-Role-ISOps-Server (Type: Global Group, Members=test_user, MemberOf=U-Role-ISOps-Server)
Group U-Role-ISOps-Server (Type: Universal Group, Members=G-Role-ISOps-Server)

User/Groups in Domain sso.example.com
========================
Group D-Role-Server (Type: Domain Local Group, Members=U-Role-ISOps-Server)

As for SSSD, I tried to use both "1.11.6" and "1.12.1" with "AD provider" as backend. I expected to get all groups (G-Role-ISOps-Server, U-Role-ISOps-Server and D-ISOps-Server) as the result of the "id test_user" command. But I could not find the domain local group (D-Role-ISOps-Server) among the groups of the user "test_user" in the result of the "id test_user" command. I also could not find any members in the result of the "getent group D-Role-ISOps-Server" command.

I tried to use a single domain (sso-ad-ad) and multiple domains (sso-ad-ad and bu-ad-ad) in the sssd configuration, but the result is almost the same. (When I use the sso-ad-ad domain only, I could not get anything as the result of "getent group d-role-isops-server".)

# id test_user
uid=638201126(test_user) gid=638200513(domain users) groups=638200513(domain users),638201113(g-role-server),638201118(u-role-server),638200512(domain admins)
# getent group d-role-isops-server
d-role-isops-server:*:927601110:

I'm not sure how the SSSD AD provider searches group information based on the member/memberOf attributes. I suspect the missing "memberOf" in the universal group (U-Role-*) and the "member of domain local group" (U-Role-ISOps-Server) being out of scope of the LABBU domain might be the clue to my issue.
Please advise me what's wrong in my configuration and how to resolve my issue. Thanks in advance.

Shoji

*** Configurations and LDAP search results ***

sssd.conf file
==========
[sssd]
config_file_version = 2
services = nss, pam
domains = sso-ad-ad, bu-ad-ad
# domains = sso-ad-ad

[nss]
fallback_homedir = /home/SSO/%u
default_shell = /bin/bash

[pam]

[domain/sso-ad-ad]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = jpbw0-in00-is82.labsso.labroot.isops.example.com
ad_hostname = jpbw0-in00-is82.labsso.labroot.isops.example.com
ldap_schema = ad
ad_enable_gc = true
ldap_id_mapping = true
debug_level = 1

[domain/bu-ad-ad]
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_server = jpbw0-in00-is81.labbu.labsso.labroot.isops.example.com
ad_hostname = jpbw0-in00-is81.labbu.labsso.labroot.isops.example.com
ldap_id_mapping = true
debug_level = 1

LDAP Search in Global Catalog of LABSSO
==================================
I can search the domain local group in the global catalog.

[root@jpbl0-in00-is11 providers]# ldapsearch -Y GSSAPI -LLL -H "ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com:3268" -b "DC=labsso,DC=labroot,DC=isops,DC=example,DC=com" "(&(name=d-role-isops-server)(objectclass=group)(name=*))"
SASL/GSSAPI authentication started
SASL username: host/ jpbl0-in00-is11.lab.isops.ibm....@labsso.labroot.isops.example.com
SASL SSF: 56
SASL data security layer installed.
dn: CN=D-Role-ISOps-Server,OU=BU0-ISOps,OU=Roles,DC=labbu,DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
objectClass: top
objectClass: group
cn: D-Role-ISOps-Server
description: Server Team
distinguishedName: CN=D-Role-ISOps-Server,OU=BU0-ISOps,OU=Roles,DC=labbu,DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
instanceType: 0
whenCreated: 20131029185150.0Z
whenChanged: 20131029185448.0Z
uSNCreated: 17964
uSNChanged: 18034
name: D-Role-ISOps-Server
objectGUID:: YflnJQk4IUK4YUAHO43J6w==
objectSid:: AQUAAAAAAAUVAAAAml0mRju+InNXWri7VgQAAA==
sAMAccountName: D-Role-ISOps-Server
sAMAccountType: 536870912
groupType: -2147483644
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=labroot,DC=isops,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z

LDAP Search in LABSSO
====================
I can not search the domain local group in the normal domain.

[root@jpbl0-in00-is11]# ldapsearch -Y GSSAPI -LLL -H "ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com" -b "DC=labsso,DC=labroot,DC=isops,DC=example,DC=com" "(&(name=d-role-isops-server)(objectclass=group)(name=*))"
SASL/GSSAPI authentication started
SASL username: host/ jpbl0-in00-is11.lab.isops.example....@labsso.labroot.isops.example.com
SASL SSF: 56
SASL data security layer installed.
# refldap:// labbu.labsso.labroot.isops.example.com/DC=labbu,DC=labsso,DC=labroot, DC=isops,DC=example,DC=com
# refldap:// DomainDnsZones.labsso.labroot.isops.example.com/DC=DomainDnsZones,DC= labsso,DC=labroot,DC=isops,DC=example,DC=com
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
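Added example (not from the original post or the SSSD project): it decodes the objectSid and groupType values from the Global Catalog ldapsearch output in the post, and checks that the gid SSSD returned for d-role-isops-server is consistent with that object's RID under SSSD's default ldap_idmap_range_min and ldap_idmap_range_size of 200000 (an assumption; the post's sssd.conf does not set them). A match shows that SSSD did resolve the domain-local group object itself, so the empty member list is the open question rather than the group lookup.

```python
import base64
import struct

# objectSid and groupType are copied from the ldapsearch (port 3268) output in the post;
# the gid is from its "getent group d-role-isops-server" output.
OBJECT_SID_B64 = "AQUAAAAAAAUVAAAAml0mRju+InNXWri7VgQAAA=="
GROUP_TYPE = -2147483644
GETENT_GID = 927601110

# SSSD's documented defaults for ldap_idmap_range_min and ldap_idmap_range_size
# (assumed here; the post's sssd.conf does not override them).
IDMAP_RANGE_MIN = 200000
IDMAP_RANGE_SIZE = 200000

# groupType bit flags from the AD schema.
GROUP_TYPE_FLAGS = {
    0x00000001: "BUILTIN_LOCAL",
    0x00000002: "GLOBAL",
    0x00000004: "DOMAIN_LOCAL",
    0x00000008: "UNIVERSAL",
    0x80000000: "SECURITY_ENABLED",
}

def decode_sid(sid_b64):
    """Turn a base64 binary objectSid into its S-1-... string and its RID."""
    raw = base64.b64decode(sid_b64)
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit identifier authority
    subs = struct.unpack("<%dI" % sub_count, raw[8:8 + 4 * sub_count])
    sid = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))
    return sid, subs[-1]   # the last sub-authority is the RID

def decode_group_type(group_type):
    """Map the signed 32-bit groupType value to the names of the flags set."""
    bits = group_type & 0xFFFFFFFF
    return sorted(name for bit, name in GROUP_TYPE_FLAGS.items() if bits & bit)

def gid_matches_rid(gid, rid, range_min=IDMAP_RANGE_MIN, range_size=IDMAP_RANGE_SIZE):
    """With ldap_id_mapping, SSSD derives gid = range_min + slice * range_size + rid,
    so (gid - rid - range_min) must be a whole number of slices."""
    offset = gid - rid - range_min
    return offset >= 0 and offset % range_size == 0

if __name__ == "__main__":
    sid, rid = decode_sid(OBJECT_SID_B64)
    print(sid, rid)                       # S-1-5-21-1176919450-1931656763-3149421143-1110 1110
    print(decode_group_type(GROUP_TYPE))  # ['DOMAIN_LOCAL', 'SECURITY_ENABLED']
    print(gid_matches_rid(GETENT_GID, rid))  # True
```

The same decoding applies to any objectSid/groupType pair pulled from the GC, so it can be reused to compare what the GC (port 3268) and the domain itself (port 389) return for the other groups in the post.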
