On Thu, Jul 05, 2018 at 08:09:55PM +0000, Ratliff, John wrote:
> On Thu, 2018-07-05 at 21:44 +0200, Sumit Bose wrote:
> > On Thu, Jul 05, 2018 at 07:36:19PM +0000, Ratliff, John wrote:
> > > I'm using SSSD and realmd to join a machine to active directory.
> > >
> > > When I run id on my user, I only get the primary group. If I run
> > > getent group "groupname", it works...sometimes. Other times, it
> > > returns blank.
> > >
> > > This is on a CentOS 7 machine (sssd 1.16.0)
> > >
> > > $ id jdratlif
> > > uid=752603752(jdratlif) gid=1572000513(domain users)
> > > groups=1572000513(domain users)
> > >
> > > $ getent group ssh-test-users2
> > > ssh-test-users2:*:752629809:
> >
> > What is the scope of the group ('domain local', 'global' or
> > 'universal')?
> >
> > Did you log in as jdratlif before running those commands?
>
> The scope is universal.
>
> I was logged in as root at the time. But I've logged in as that user
> prior to running those commands.
>
> I logged in as the user and ran the commands again with the same
> result.
>
> It seems if I clear the cache, then run the getent command, it has the
> group membership. But when I run the id command, the getent command
> loses the group membership. I cannot get it back without clearing the
> sssd cache.
Thank you for the logs. It looks like the tokenGroups LDAP lookup which
SSSD uses by default does not work as expected because it returns no
results:

(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_print_server] (0x2000): Searching 134.68.239.131:389
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=jdratlif,OU=Accounts,DC=ads,DC=iu,DC=edu].
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups]
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_process_result] (0x2000): Trace: sh[0x564b5d62f090], connected[1], ops[(nil)], ldap[0x564b5d62d1e0]
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_process_result] (0x2000): Trace: sh[0x564b5d61dd00], connected[1], ops[0x564b5d63a360], ldap[0x564b5d5a0c60]
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=jdratlif,OU=Accounts,DC=ads,DC=iu,DC=edu].
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_parse_entry] (0x1000): Entry has no attributes [0(Success)]!?
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_process_result] (0x2000): Trace: sh[0x564b5d61dd00], connected[1], ops[0x564b5d63a360], ldap[0x564b5d5a0c60]
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_get_ad_tokengroups_done] (0x1000): No tokenGroups entries for [jdrat...@ads.iu.edu]
(Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [ldb] (0x4000): start ldb transaction (nesting: 0)

This makes SSSD assume that the user is not a member of any group.

Please try to set 'ldap_use_tokengroups=False' (see man sssd-ldap for
details) and check if the group memberships are reported more reliably.

Afaik the issue with the tokenGroups might indicate that the used AD DC
has issues reaching a Global Catalog server.

HTH

bye,
Sumit

> > > $ sss_cache -E
> > > $ getent group ssh-test-users2
> > > ssh-test-users2:*:752629809:jdratlif
> > >
> > > $ id jdratlif
> > > uid=752603752(jdratlif) gid=1572000513(domain users)
> > > groups=1572000513(domain users)
> > >
> > > $ getent group ssh-test-users2
> > > ssh-test-users2:*:752629809:
> > >
> > > $ id jdratlif
> > > uid=752603752(jdratlif) gid=1572000513(domain users)
> > > groups=1572000513(domain users)
> > >
> > > This was all in the span of 2 minutes.
> > >
> > > Let me know what other information would be helpful.
> >
> > Debug logs with debug_level=9 would be helpful, especially the domain
> > logs and the sssd_nss.log. Please see
> > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html for
> > details.
>
> I have attached the requested logs.
>
> Thanks.
> > bye,
> > Sumit
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/P4LJ6EM7QU3O7DTNYNL3TKJGFFWWUZ3R/
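The state John describes (the group entry lists the user, but `id` does not show the group's GID) is easy to miss when reading two outputs side by side. The following POSIX sh check is an added example written for this page, not code from the thread or from the SSSD project: it takes one `getent group` line and one `id` line and reports whether they agree. The sample inputs in the comments are the outputs quoted in the thread; `check_live` and its argument order are an assumed convenience wrapper for a joined host.

```shell
# Added example (not from the thread or from SSSD): do `getent group` and
# `id` agree about one user's membership in one group?

# consistent_membership USER GROUP_LINE ID_LINE
#   GROUP_LINE: one line of `getent group NAME`, i.e.  name:*:GID:member1,member2
#   ID_LINE:    the output of `id USER`, i.e.  uid=N(u) gid=N(g) groups=N(g),N(h)
# Returns 0 when the two views agree (user listed in the group <=> the group's
# GID appears in the groups= field of id) and 1 when they disagree, which is
# the cache state reported in the thread right after `sss_cache -E`.
consistent_membership() {
    user=$1
    group_line=$2
    id_line=$3

    gid=$(printf '%s\n' "$group_line" | cut -d: -f3)
    members=$(printf '%s\n' "$group_line" | cut -d: -f4)

    # Is the user named in the member list of the group entry?
    in_group=0
    case ",$members," in
        *",$user,"*) in_group=1 ;;
    esac

    # Does the groups= field of id contain "GID(" for that group?
    # An id line without a groups= field counts as "not in id".
    in_id=0
    case "$id_line" in
        *groups=*)
            groups_field=${id_line##*groups=}
            case ",$groups_field," in
                *",$gid("*) in_id=1 ;;
            esac
            ;;
    esac

    [ "$in_group" -eq "$in_id" ]
}

# Assumed wrapper for a host joined to the domain (not run here):
#   check_live jdratlif ssh-test-users2 && echo consistent || echo INCONSISTENT
check_live() {
    consistent_membership "$1" "$(getent group "$2")" "$(id "$1")"
}
```

Agreement is not the same as correctness: the thread's later state (empty member list, no extra GID in `id`) passes the check because both lookups are consistently wrong. The value of the check is in running it before and after the change Sumit suggests (`ldap_use_tokengroups = False` in the `[domain/...]` section of sssd.conf, then clearing the cache with `sss_cache -E`): if the two views stop drifting apart after `id` runs, the tokenGroups lookup was the culprit.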