On Thu, Jul 05, 2018 at 08:09:55PM +0000, Ratliff, John wrote:
> On Thu, 2018-07-05 at 21:44 +0200, Sumit Bose wrote:
> > On Thu, Jul 05, 2018 at 07:36:19PM +0000, Ratliff, John wrote:
> > > I'm using SSSD and realmd to join a machine to active directory.
> > > 
> > > When I run id on my user, I only get the primary group. If I run
> > > getent
> > > group "groupname", it works...sometimes. Other times, it returns
> > > blank.
> > > 
> > > This is on a CentOS 7 machine (sssd 1.16.0)
> > > 
> > > $ id jdratlif
> > > uid=752603752(jdratlif) gid=1572000513(domain users)
> > > groups=1572000513(domain users)
> > > 
> > > $ getent group ssh-test-users2
> > > ssh-test-users2:*:752629809:
> > 
> > What is the scope is the group ('domain local', 'global' or
> > 'universal')?
> > 
> > Did you log in as jdratlif before running those commands?
> > 
> 
> The scope is universal.
> 
> I was logged in as root at the time. But I've logged in as that user
> prior to running those commands.
> 
> I logged in as the user and ran the commands again with the same
> result.
> 
> It seems if I clear the cache, then run the getent command, it has the
> group membership. But when I run the id command, the getent command
> loses the group membership. I cannot get it back without clearing the
> sssd cache.

Thank you for the logs. It looks like the tokenGroups LDAP lookup which
SSSD uses by default does not work as expected because it returns no
results:

(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_print_server] (0x2000): Searching 134.68.239.131:389
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=jdratlif,OU=Accounts,DC=ads,DC=iu,DC=edu].
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups]
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_process_result] (0x2000): Trace: sh[0x564b5d62f090], connected[1], ops[(nil)], ldap[0x564b5d62d1e0]
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_process_result] (0x2000): Trace: sh[0x564b5d61dd00], connected[1], ops[0x564b5d63a360], ldap[0x564b5d5a0c60]
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=jdratlif,OU=Accounts,DC=ads,DC=iu,DC=edu].
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_parse_entry] (0x1000): Entry has no attributes [0(Success)]!?
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_process_result] (0x2000): Trace: sh[0x564b5d61dd00], connected[1], ops[0x564b5d63a360], ldap[0x564b5d5a0c60]
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_get_ad_tokengroups_done] (0x1000): No tokenGroups entries for [jdrat...@ads.iu.edu]
(Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [ldb] (0x4000): start ldb transaction (nesting: 0)

This makes SSSD assume that the user is not a member of any group.

Please try to set 'ldap_use_tokengroups=False' (see man sssd-ldap for
details) and check if the group memberships are reported more reliably.

Afaik the issue with the tokenGroups might indicate that the used AD DC
has issues reaching a Global Catalog server.

HTH

bye,
Sumit
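As an added example (not code from this thread or from the SSSD project), a small Python checker that walks domain-log lines in the format quoted above, flags a tokenGroups search that came back as an entry with no attributes followed by "No tokenGroups entries", the symptom Sumit identifies, and emits the sssd.conf fragment he suggests; the sample log, domain, user and DN are constructed, and a second search that did not fail is included to show it is not flagged.

```python
import re

# Constructed sample in the sssd_<domain>.log format quoted in the thread; the
# domain, user and DN are hypothetical, only the message shapes follow the log.
SAMPLE_LOG = """\
(Thu Jul  5 16:04:42 2018) [sssd[be[example.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=alice,OU=Accounts,DC=example,DC=test].
(Thu Jul  5 16:04:42 2018) [sssd[be[example.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups]
(Thu Jul  5 16:04:42 2018) [sssd[be[example.test]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=alice,OU=Accounts,DC=example,DC=test].
(Thu Jul  5 16:04:42 2018) [sssd[be[example.test]]] [sdap_parse_entry] (0x1000): Entry has no attributes [0(Success)]!?
(Thu Jul  5 16:04:42 2018) [sssd[be[example.test]]] [sdap_get_ad_tokengroups_done] (0x1000): No tokenGroups entries for [alice@example.test]
(Thu Jul  5 16:05:10 2018) [sssd[be[example.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups]
(Thu Jul  5 16:05:10 2018) [sssd[be[example.test]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=bob,OU=Accounts,DC=example,DC=test].
"""

# One debug line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")
NO_TG_RE = re.compile(r"No tokenGroups entries for \[(?P<user>[^\]]+)\]")
DN_RE = re.compile(r"OriginalDN: \[(?P<dn>[^\]]+)\]")


def find_empty_tokengroups(log_text):
    """Return one finding per tokenGroups search whose result entry carried
    no attributes and ended in 'No tokenGroups entries' (the thread's symptom)."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg == "Requesting attrs: [tokenGroups]":
            # A new tokenGroups search starts; track it until it finishes.
            pending = {"domain": m.group("domain"), "ts": m.group("ts"),
                       "dn": None, "empty": False}
        elif pending is None:
            continue
        elif (d := DN_RE.search(msg)):
            pending["dn"] = d.group("dn")
        elif msg.startswith("Entry has no attributes"):
            pending["empty"] = True
        elif (u := NO_TG_RE.search(msg)):
            if pending["empty"]:
                pending["user"] = u.group("user")
                findings.append(pending)
            pending = None
    return findings


def suggest_config(domain):
    """sssd.conf fragment disabling the tokenGroups lookup (see man sssd-ldap)."""
    return f"[domain/{domain}]\nldap_use_tokengroups = False\n"
```

Run it against a real sssd_<domain>.log captured with debug_level=9; every finding names the user whose group list SSSD emptied, and the fragment goes into the matching [domain/...] section before restarting sssd.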

> 
> > > 
> > > $ sss_cache -E
> > > $ getent group ssh-test-users2
> > > ssh-test-users2:*:752629809:jdratlif
> > > 
> > > $ id jdratlif
> > > uid=752603752(jdratlif) gid=1572000513(domain users)
> > > groups=1572000513(domain users)
> > > 
> > > $ getent group ssh-test-users2
> > > ssh-test-users2:*:752629809:
> > > 
> > > $ id jdratlif
> > > uid=752603752(jdratlif) gid=1572000513(domain users)
> > > groups=1572000513(domain users)
> > > 
> > > This was all in the span of 2 minutes.
> > > 
> > > Let me know what other information would be helpful.
> > 
> > Debug logs with debug_level=9 would be helpful, especially the domain
> > logs and the sssd_nss.log. Please see
> > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html for
> > details.
> 
> I have attached the requested logs.
> 
> Thanks.
> 
> > 
> > bye,
> > Sumit
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/P4LJ6EM7QU3O7DTNYNL3TKJGFFWWUZ3R/
