On Fri, 2018-07-06 at 10:55 +0200, Sumit Bose wrote:
>
> this makes SSSD assume that the user is not a member of any group.
>
> Please try to set 'ldap_use_tokengroups=False' (see man sssd-ldap for
> details) and check if the group memberships are reported more
> reliably.
>
> Afaik the issue with the tokenGroups might indicate that the used AD
> DC has issues reaching a Global Catalog server.

I've been talking to some people here more familiar with AD than I am. They say that there is a setting in AD that prevents reading of tokenGroups without a permission change. This is a behavior that is a remnant from pre-Windows 2003 AD controllers. My machine needs to be added to a Windows Authorization Activation Group to get the right permissions.

I don't fully understand, but it seems as though tokenGroup is a privileged property, and until I have the right permissions, I won't be able to access this property, which is probably why secondary groups are not working. Once I have been put in the new group, I'll let you know if that resolves the issue.

-- 
John Ratliff
Research Storage / UITS / Pervasive Technology Institute
Indiana University | https://pti.iu.edu
