On (10/11/14 17:18), Sergey Urushkin wrote:
>I have sssd (1.12.2 on archlinux, 1.11.5 on ubuntu 14.04, 1.11.7 on ubuntu
>14.10, i386) configured against samba4 (4.1.11, ubuntu 14.04, amd64) using AD
>provider:
I am not sure from the rest of your mail which version of sssd is problematic?
sssd-1.11.5 has some known issues.

BTW: log files from sssd-1.11.7 would be the best for troubleshooting.

LS

>[sssd]
>config_file_version = 2
>reconnection_retries = 2
>services = nss, pam
>domains = DOMAIN.COM
>[nss]
>filter_groups = root
>filter_users = root
>reconnection_retries = 2
>[pam]
>reconnection_retries = 2
>[domain/DOMAIN.COM]
>id_provider = ad
>auth_provider = ad
>chpass_provider = ad
>access_provider = ad
>ldap_schema = ad
>ldap_user_gecos = displayName
>ldap_tls_reqcert = allow
>ldap_sasl_mech = gssapi
>ldap_sasl_authid = [email protected]
>krb5_use_enterprise_principal = false
>krb5_keytab = /etc/sssd/sssd.keytab
>ldap_id_mapping = false
>dyndns_update = false
>cache_credentials = true
>enumerate = false
>min_id = 1
>
>I have sudo and sshd configured to use groups:
># grep group1 /etc/ssh/sshd_config
>AllowGroups root group1
># grep group1 /etc/sudoers
>%group1 ALL=(ALL) ALL
>
>User 'user4' is a member of several non-nested domain POSIX groups, including
>'group1'. No local group membership.
>After starting sssd (with an empty /var/lib/sss), authentication and local logon
>work fine. 'getent group' shows the correct group members:
># getent group group1
>group1:*:1013:user1,user2,user3,user4,user5
>... but 'id' shows the primary group only:
># id user4
>uid=1104(user4) gid=513(domain users) groups=513(domain users)
>
>Now, trying to use sudo (local):
>$ sudo -s
>[sudo] password for user4:
>user4 is not in the sudoers file. This incident will be reported.
>
>... or login remotely via ssh (sshd log message):
>User user4 from host.domain.com not allowed because none of user's groups are
>listed in AllowGroups
>
>After this, 'id' output stays the same:
># id user4
>uid=1104(user4) gid=513(domain users) groups=513(domain users)
>
>But 'user4' disappears from 'getent group' output:
># getent group group1
>group1:*:1013:user1,user2,user3,user5
>
>Restarting sssd doesn't fix the issue. The user appears in the group list again only
>after removing the 'db/cache_DOMAIN.COM.ldb' file and restarting sssd. But it
>disappears again after the same actions (ssh/sudo). The next options don't help
>either:
>ldap_id_mapping = true
>enumerate = true
>
>winbind 4.1 works absolutely fine against the same AD server. So I think the
>problem is with sssd...
>
>Summary:
> * sssd group membership ACL checks don't work. User disappears from 'getent
>group' output after such a check.
> * 'id' shows the primary group only
>
>Should I file a bug report?
>Thanks!
>
>--
>Best regards,
>Sergey Urushkin
>_______________________________________________
>sssd-users mailing list
>[email protected]
>https://lists.fedorahosted.org/mailman/listinfo/sssd-users
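A check for the inconsistency the report describes, added here as an example and not part of the thread or of sssd: it parses `id` and `getent group` output and lists every group that names the user in `getent group` but is missing from `id`, which is exactly what breaks the sshd `AllowGroups` and sudoers `%group1` checks above. The sample output strings are constructed to mirror the report; pass a username on the command line to run it against the live host instead.

```python
import re
import subprocess
import sys

# Constructed sample output standing in for `id user4` and `getent group`;
# it mirrors the report (group1 lists user4, but id shows the primary group only).
SAMPLE_ID = "uid=1104(user4) gid=513(domain users) groups=513(domain users)"
SAMPLE_GETENT = """group1:*:1013:user1,user2,user3,user4,user5
domain users:*:513:
group2:*:1014:user4,user9
"""


def groups_from_id(id_output):
    """Group names from `id` output, i.e. the gid(name) pairs after 'groups='."""
    m = re.search(r"groups=(.*)$", id_output.strip())
    if not m:
        return set()
    return {name for _, name in re.findall(r"(\d+)\(([^)]*)\)", m.group(1))}


def groups_from_getent(user, getent_output):
    """Groups whose member field (4th colon field of group(5)) names `user`."""
    found = set()
    for line in getent_output.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        if user in [m for m in fields[3].split(",") if m]:
            found.add(fields[0])
    return found


def membership_mismatch(user, id_output, getent_output):
    """Groups that list `user` in `getent group` but are absent from `id`."""
    return sorted(groups_from_getent(user, getent_output) - groups_from_id(id_output))


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check on this host: `python3 check.py user4`
        user = sys.argv[1]
        id_out = subprocess.run(["id", user], capture_output=True, text=True, check=True).stdout
        getent_out = subprocess.run(["getent", "group"], capture_output=True, text=True, check=True).stdout
    else:  # no argument: run against the constructed sample above
        user, id_out, getent_out = "user4", SAMPLE_ID, SAMPLE_GETENT
    missing = membership_mismatch(user, id_out, getent_out)
    for g in missing:
        print(f"{user}: listed in getent group '{g}' but not in id output")
    print("consistent" if not missing else f"{len(missing)} group(s) inconsistent")
```

If the live run reports a mismatch, the NSS group lookup and the initgroups path disagree, which is the state the report describes; running it before and after a sudo or ssh attempt shows whether the group entry changes, as the report says it does.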
