On Mon, Nov 10, 2014 at 05:18:16PM +0300, Sergey Urushkin wrote:
> I have sssd (1.12.2 on archlinux, 1.11.5 on ubuntu 14.04, 1.11.7 on ubuntu
> 14.10, i386) configured against samba4 (4.1.11, ubuntu 14.04, amd64) using
> AD provider:
>
> [sssd]
> config_file_version = 2
> reconnection_retries = 2
> services = nss, pam
> domains = DOMAIN.COM
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 2
>
> [pam]
> reconnection_retries = 2
>
> [domain/DOMAIN.COM]
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
> access_provider = ad
> ldap_schema = ad
> ldap_user_gecos = displayName
> ldap_tls_reqcert = allow
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = [email protected]
> krb5_use_enterprise_principal = false
> krb5_keytab = /etc/sssd/sssd.keytab
> ldap_id_mapping = false
> dyndns_update = false
> cache_credentials = true
> enumerate = false
> min_id = 1
>
> I have sudo and sshd configured to use groups:
>
> # grep group1 /etc/ssh/sshd_config
> AllowGroups root group1
> # grep group1 /etc/sudoers
> %group1 ALL=(ALL) ALL
>
> User 'user4' is a member of several (non-nested) domain posix groups,
> including 'group1'. No local group membership.
>
> After starting sssd (with empty /var/lib/sss), authentication and local
> logon work fine. 'getent group' shows correct group members:
>
> # getent group group1
> group1:*:1013:user1,user2,user3,user4,user5
>
> ... but 'id' shows primary group only:
>
> # id user4
> uid=1104(user4) gid=513(domain users) groups=513(domain users)
>
> Now, trying to use sudo (local):
>
> $ sudo -s
> [sudo] password for user4:
> user4 is not in the sudoers file. This incident will be reported.
>
> ... or login remotely via ssh (sshd log message):
>
> User user4 from host.domain.com not allowed because none of user's groups
> are listed in AllowGroups
>
> After this, 'id' output stays the same:
>
> # id user4
> uid=1104(user4) gid=513(domain users) groups=513(domain users)
>
> But 'user4' disappears from 'getent group' output:
>
> # getent group group1
> group1:*:1013:user1,user2,user3,user5
>
> Restarting sssd doesn't fix the issue. User appears in group list again only
> after removing 'db/cache_DOMAIN.COM.ldb' file and restarting sssd. But
> disappears again after the same actions (ssh/sudo). The following options
> don't help either:
>
> ldap_id_mapping = true
> enumerate = true
>
> winbind 4.1 works absolutely fine against the same AD server. So, I think
> the problem is about sssd...
>
> Summary:
> * sssd group membership ACL checks don't work. User disappears from 'getent
>   group' output after such check.
> * 'id' shows primary group only
>
> Should I file a bug report?
> Thanks!
I think yes, also include sssd debug logs that capture the 'removal' of the
group memberships from the database.

Thanks!
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
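The report above hinges on two NSS views of the same user disagreeing: 'getent group' walks group entries, while 'id', sudo and sshd's AllowGroups resolve the user's supplementary groups through the initgroups path, and an access decision is only as good as the view it consults. The script below is an added diagnostic written for this page, not code from the thread or from the sssd project: it parses text in 'getent group' and 'id' format and lists every group that the first view attributes to a user but the second does not. The embedded sample lines are constructed to mirror the shapes quoted in the report (user4, group1, gid 513) and are not real output from the poster's system; the extra group2 line is an assumption added to show more than one mismatch.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare the 'getent group' view
# of a user's supplementary groups with the 'id' (initgroups) view that
# sudo and sshd AllowGroups actually rely on.

# groups_from_getent USER GROUPDUMP
#   GROUPDUMP is text in 'getent group' format (name:passwd:gid:members).
#   Prints, one per line, each group whose member list contains USER.
groups_from_getent() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }'
}

# groups_from_id IDLINE
#   IDLINE is one line in 'id USER' format. Prints the group names from
#   the groups=... field, one per line (gid prefixes stripped).
groups_from_id() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# missing_groups USER GROUPDUMP IDLINE
#   Prints groups that 'getent group' attributes to USER but 'id' omits.
#   Group names may contain spaces (AD's "domain users"), so lines are
#   read whole rather than word-split.
missing_groups() {
    idgroups=$(groups_from_id "$3")
    groups_from_getent "$1" "$2" | while IFS= read -r g; do
        printf '%s\n' "$idgroups" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# views_agree USER GROUPDUMP IDLINE
#   Exit 0 when both views list the same supplementary groups, 1 otherwise.
views_agree() {
    [ -z "$(missing_groups "$@")" ]
}

# Constructed sample data mirroring the report (not captured output).
SAMPLE_GETENT='root:x:0:
domain users:*:513:
group1:*:1013:user1,user2,user3,user4,user5
group2:*:1014:user4,user9'
SAMPLE_ID='uid=1104(user4) gid=513(domain users) groups=513(domain users)'

# Demo run against the constructed data; on a live host replace the
# samples with "$(getent group)" and "$(id "$user")".
if views_agree user4 "$SAMPLE_GETENT" "$SAMPLE_ID"; then
    echo "user4: getent group and id agree"
else
    echo "user4: listed by getent group but absent from id:"
    missing_groups user4 "$SAMPLE_GETENT" "$SAMPLE_ID"
fi
```

Run it against a live system with `missing_groups "$user" "$(getent group)" "$(id "$user")"` before and after an ssh or sudo attempt; a non-empty result reproduces the first symptom in the report (id lagging getent), and a group that vanishes from the getent side between the two runs reproduces the second.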
