One stupid question - is there an easy(ish) way to tell how deep a group
hierarchy exists on a particular site?

On 9 July 2018 at 13:36, Jakub Hrozek <[email protected]> wrote:

> On Fri, Jul 06, 2018 at 01:41:38PM +0000, Ratliff, John wrote:
> >
> >
> > On Fri, 2018-07-06 at 10:55 +0200, Sumit Bose wrote:
> > > On Thu, Jul 05, 2018 at 08:09:55PM +0000, Ratliff, John wrote:
> > > >
> > >
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_print_server]
> > > (0x2000): Searching 134.68.239.131:389
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > [no filter][CN=jdratlif,OU=Accounts,DC=ads,DC=iu,DC=edu].
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid =
> > > 15
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_op_add]
> > > (0x2000): New operation 15 timeout 6
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_process_result] (0x2000): Trace: sh[0x564b5d62f090],
> > > connected[1], ops[(nil)], ldap[0x564b5d62d1e0]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_process_result] (0x2000): Trace: end of ldap_result list
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_process_result] (0x2000): Trace: sh[0x564b5d61dd00],
> > > connected[1], ops[0x564b5d63a360], ldap[0x564b5d5a0c60]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_process_message] (0x4000): Message type:
> > > [LDAP_RES_SEARCH_ENTRY]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_parse_entry]
> > > (0x1000): OriginalDN: [CN=jdratlif,OU=Accounts,DC=ads,DC=iu,DC=edu].
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_parse_entry]
> > > (0x1000): Entry has no attributes [0(Success)]!?
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_process_result] (0x2000): Trace: sh[0x564b5d61dd00],
> > > connected[1], ops[0x564b5d63a360], ldap[0x564b5d5a0c60]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_process_message] (0x4000): Message type:
> > > [LDAP_RES_SEARCH_RESULT]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0),
> > > no errmsg set
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_op_destructor] (0x2000): Operation 15 finished
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_get_ad_tokengroups_done] (0x1000): No tokenGroups entries for [
> > > [email protected]]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [ldb] (0x4000):
> > > start ldb transaction (nesting: 0)
> > >
> > > this makes SSSD assume that the user is not a member of any group.
> > >
> > > Please try to set 'ldap_use_tokengroups=False' (see man sssd-ldap for
> > > details) and check if the group memberships are reported more
> > > reliably.
> > >
> > > Afaik the issue with the tokenGroups might indicate that the used AD DC
> > > has issues reaching a Global Catalog server.
> >
> > Thank you for the information. I don't know what to do about it at the
> > moment. Adding that parameter makes id freeze when I run it. It seems
> > to be unable to handle it when this parameter exists.
>
> If the group membership is very deep and complex, running id might take
> a very long time because without using tokenGroups, the group hierarchy
> must be traversed from the user "up".
>
> Looking at the debug logs might give a clue about what the sssd is
> doing.
>
> >
> > I'm unclear what you mean by AD DC has issues reaching the global
> > catalog server. Do you mean my server is having trouble, or the DC
> > itself?
> >
> > One more thing I found interesting. I made another RHEL7 box and used
> > winbind instead of sssd and group membership works fine there.
> >
> > I made another virtual machine and tried realmd/sssd again. I took it
> > off the virtual machine NAT and gave it a public IP and disabled the
> > firewall to make sure that wasn't causing any issues, but there was no
> > change.
> >
> > This still feels like an sssd configuration problem to me, though I'm
> > not sure what to do about it at the moment.
> >
> > Thanks for your assistance.
> >
> > --
> > John Ratliff
> > Research Storage / UITS / Pervasive Technology Institute
> > Indiana University | https://pti.iu.edu
>
>
>
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@
> lists.fedorahosted.org/message/2FPUT7PHHJAYYKS57PUXPOG57OIJMGGW/
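An added example (not part of the thread, not sssd code) illustrating the two points above: Jakub's remark that without tokenGroups the group hierarchy has to be walked from the user "up" one LDAP search at a time, and the question of how deep a nesting chain actually is. The directory below is a constructed in-memory stand-in for the memberOf attribute of each entry; it is not data from ads.iu.edu. It deliberately contains a group cycle and a group reachable by two paths, both of which real AD permits and both of which a naive recursive walk would mishandle. The depth reported is the number of nesting levels a level-by-level walk must fetch before no new groups appear; the group list is the flat set that a working tokenGroups lookup would have returned in a single search.

```python
"""Walk nested AD group membership from the user upward via memberOf.

Constructed example for this mailing-list thread; not sssd code. In a
real deployment each entry below would be one LDAP search for the
entry's memberOf attribute, which is why `id` gets slow on deep trees.
"""
from collections import deque

# Constructed toy directory: DN -> values of its memberOf attribute.
# g-ops <-> g-ops-leads forms a cycle; g-all is reachable twice.
DIRECTORY = {
    "CN=jdoe,OU=Accounts,DC=example,DC=test": [
        "CN=g-storage,OU=Groups,DC=example,DC=test",
        "CN=g-vpn,OU=Groups,DC=example,DC=test",
    ],
    "CN=g-storage,OU=Groups,DC=example,DC=test": [
        "CN=g-ops,OU=Groups,DC=example,DC=test",
    ],
    "CN=g-ops,OU=Groups,DC=example,DC=test": [
        "CN=g-ops-leads,OU=Groups,DC=example,DC=test",
        "CN=g-all,OU=Groups,DC=example,DC=test",
    ],
    "CN=g-ops-leads,OU=Groups,DC=example,DC=test": [
        "CN=g-ops,OU=Groups,DC=example,DC=test",  # cycle back to g-ops
        "CN=g-all,OU=Groups,DC=example,DC=test",
    ],
    "CN=g-vpn,OU=Groups,DC=example,DC=test": [
        "CN=g-all,OU=Groups,DC=example,DC=test",
    ],
    "CN=g-all,OU=Groups,DC=example,DC=test": [],
}


def resolve_groups(directory, user_dn):
    """Breadth-first walk of memberOf from user_dn upward.

    Returns (groups, depth, lookups):
      groups  - sorted list of every group reached; this is the flat set
                a working tokenGroups query would return in one search
      depth   - number of nesting levels walked before no new group appears
      lookups - number of entries fetched (one LDAP search each in practice)
    """
    seen = {}  # group DN -> level at which it was first reached
    queue = deque((g, 1) for g in directory.get(user_dn, []))
    lookups = 1  # the user's own entry
    while queue:
        dn, level = queue.popleft()
        if dn in seen:
            continue  # already expanded: this is what breaks cycles
        seen[dn] = level
        lookups += 1
        for parent in directory.get(dn, []):
            if parent not in seen:
                queue.append((parent, level + 1))
    depth = max(seen.values(), default=0)
    return sorted(seen), depth, lookups


def nesting_depth(directory, user_dn):
    """Convenience wrapper answering 'how deep is the hierarchy for this user'."""
    return resolve_groups(directory, user_dn)[1]


if __name__ == "__main__":
    groups, depth, lookups = resolve_groups(
        DIRECTORY, "CN=jdoe,OU=Accounts,DC=example,DC=test")
    print(f"{len(groups)} groups, {depth} levels deep, {lookups} lookups")
    for g in groups:
        print("  ", g)
```

Against a live directory the `DIRECTORY` dict would be replaced by a per-DN LDAP search for `memberOf`, and the `lookups` counter then becomes the number of round trips `id` has to wait for; a user in the constructed data costs six searches for five groups, where tokenGroups would have cost one. The walk only sees groups in the domain it queries; cross-domain and universal-group membership in a forest is what the Global Catalog question in the thread is about and is not modelled here.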
