On Thu, 2015-01-08 at 21:19 -0500, Dmitri Pal wrote:
> On 01/08/2015 08:33 PM, Brendan Kearney wrote:
> > I am so close yet so far...
> >
> > I have an older env with ldap, kerberos, sasl and sssd using rfc2307.
>
> Are you talking about server or client?
> Is your server IPA or something else?
>
> If your server is IPA, then if you want to use 2307bis you point clients
> to the main user tree.
> If you want clients that do not understand 2307bis (for example Solaris)
> you need to enable the compat plugin and point clients to cn=compat.
>
> If SSSD is configured to use 2307bis but the server is 2307, or vice versa,
> SSSD will have problems fetching groups.
>
> > I built a new env with ldap, kerberos, sasl and sssd using rfc2307bis.
> > I am finding that when I ssh into one of the new boxes and run "id", I
> > am only getting back:
> >
> > uid=1000(brendan) gid=1000(brendan) groups=1000(brendan)
> >
> > The info is all the rfc2307/posix info, and not any of the rfc2307bis
> > info. I am a member of several other groups that are groupOfNames
> > objects, but the "id" command is not returning them.
> >
> > Is there a client side config that I am missing, in order to get the
> > group memberships of groupOfNames groups? I imagine I could add the
> > posixAccount object class to those groupOfNames groups, but wanted to
> > make sure that was the only/right way to do things before I did it.
>
> man sssd-ldap
>
> > I am not clueless, just have one clue less...
> >
> > brendan
My new environment is 2 servers and a client. The servers are Fedora 20, with ldap, kerberos, sasl and sssd, but not IPA. The client is Fedora 20 with sssd. In both/all cases, they are rfc2307bis. I have read the sssd man pages, but I am not sure what I am missing.

The client sssd.conf:

[sssd]
domains = bpk2.com
services = nss, pam, sudo
config_file_version = 2
#debug_level = 4

[nss]
filter_groups = root
filter_users = root

[pam]

[sudo]

[domain/bpk2.com]
#debug_level = 4
id_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = _srv_,ldap://ldap1.bpk2.com,ldap://ldap2.bpk2.com
ldap_search_base = dc=bpk2,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/nas.bpk2.com
ldap_sasl_realm = BPK2.COM
auth_provider = krb5
krb5_server = _srv_,kerberos.bpk2.com
krb5_realm = BPK2.COM
krb5_renewable_lifetime = 7d
krb5_lifetime = 24h
krb5_renew_interval = 1h
krb5_store_password_if_offline = true
cache_credentials = true
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDO Groups,ou=Roles,dc=bpk2,dc=com
#ldap_sudo_full_refresh_interval=86400
#ldap_sudo_smart_refresh_interval=3600
#min_id = 1000
#max_id = 2000
enumerate = false

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
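Added example (not code from this thread, and not SSSD's own code): a small offline check of the point behind "man sssd-ldap". Under ldap_schema = rfc2307bis, sssd-ldap(5) keeps ldap_group_object_class at its default of posixGroup and only switches ldap_group_member from memberUid to member, and SSSD still needs a gidNumber on a group before id(1) can report it. The script applies those defaults, plus any override in the [domain/...] section, to LDIF group entries and reports why each one would or would not show up. The example.com domain, the reduced sssd.conf fragment and all LDIF entries are constructed for illustration; the option names and defaults are the ones in sssd-ldap(5).

```python
# Added example (not code from the thread or from SSSD): check which LDAP
# group entries SSSD would resolve under a given sssd.conf, using the option
# defaults in sssd-ldap(5). Domain, sssd.conf and LDIF below are constructed.
import configparser
from collections import defaultdict

# sssd-ldap(5) defaults: posixGroup is the group object class under both schemas.
SCHEMA_DEFAULTS = {
    "rfc2307": {"ldap_group_object_class": "posixGroup", "ldap_group_member": "memberUid"},
    "rfc2307bis": {"ldap_group_object_class": "posixGroup", "ldap_group_member": "member"},
}
GID_OPTION = "ldap_group_gid_number"        # default attribute: gidNumber


def effective_settings(conf_text, domain):
    """Overlay the [domain/<domain>] section on the schema defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    schema = sec.get("ldap_schema", "rfc2307").lower()
    if schema not in SCHEMA_DEFAULTS:
        raise ValueError(f"schema {schema!r} is not modelled by this example")
    settings = {GID_OPTION: "gidNumber", **SCHEMA_DEFAULTS[schema]}
    for key in settings:
        if key in sec:                       # explicit option overrides the default
            settings[key] = sec[key]
    settings["ldap_schema"] = schema
    return settings


def parse_ldif(text):
    """Minimal LDIF reader: no base64 or folded lines; attribute names lower-cased."""
    entries = []
    for block in text.split("\n\n"):
        cur = defaultdict(list)
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                attr, _, value = line.partition(":")
                cur[attr.strip().lower()].append(value.strip())
        if cur:
            entries.append(cur)
    return entries


def check_groups(conf_text, ldif_text, domain):
    """Return {dn: [problems]} per group entry; [] means SSSD would list it."""
    s = effective_settings(conf_text, domain)
    want_class, gid_attr = s["ldap_group_object_class"].lower(), s[GID_OPTION].lower()
    member_attr = s["ldap_group_member"].lower()
    other_member = "memberuid" if member_attr == "member" else "member"
    report = {}
    for e in parse_ldif(ldif_text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        if not classes & {"posixgroup", "groupofnames", "groupofuniquenames"}:
            continue                         # not a group entry
        problems = []
        if want_class not in classes:
            problems.append(f"no objectClass {s['ldap_group_object_class']}: "
                            "outside the group search filter")
        if gid_attr not in e:
            problems.append(f"no {s[GID_OPTION]}: nothing for id(1) to report")
        if member_attr not in e and other_member in e:
            problems.append(f"members in {other_member}, but ldap_schema="
                            f"{s['ldap_schema']} reads {s['ldap_group_member']}")
        report[e["dn"][0]] = problems
    return report


# Constructed sssd.conf fragment (the thread's client config, reduced) and LDIF.
SAMPLE_CONF = "[domain/example.com]\nid_provider = ldap\nldap_schema = rfc2307bis\n"
SAMPLE_LDIF = """\
dn: cn=brendan,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: brendan
gidNumber: 1000

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=brendan,ou=People,dc=example,dc=com

dn: cn=wheel,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: wheel
gidNumber: 10
member: uid=brendan,ou=People,dc=example,dc=com

dn: cn=legacy,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: legacy
gidNumber: 20
memberUid: brendan
"""

if __name__ == "__main__":
    for dn, problems in check_groups(SAMPLE_CONF, SAMPLE_LDIF, "example.com").items():
        print(dn, "->", "OK" if not problems else "; ".join(problems))
```

Run as-is, the groupOfNames-only entry (cn=admins) fails twice: it is outside the default posixGroup search filter and it carries no gidNumber, which matches an id(1) output that shows only the posixGroup primary group. Appending ldap_group_object_class = groupOfNames to the domain section only moves the problem: cn=admins still lacks a gidNumber, and the posixGroup-only entries now drop out of the filter instead. The entry that carries both object classes and a gidNumber (cn=wheel) passes under either filter, and the memberUid-only entry (cn=legacy) is the rfc2307-vs-rfc2307bis mismatch the reply above warns about.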
