Hi All!

I am running into an issue where groups cannot be resolved upon login. All servers on CentOS 6 work fine, so this is isolated to the newer sssd version on CentOS 7.

[user@snoopy ~]$ id
uid=100001012(user) *gid=1001* *groups=1001*,10(wheel),1102

[user@snoopy ~]$ getent -s sss passwd user
user:*:100001012:1001:User Name:/home/user:/bin/bash

However, after a quick lookup against the group:

[user@snoopy ~]$ *getent -s sss group security*

a subsequent id lookup works:

[user@snoopy ~]$ id
uid=100001012(user) *gid=1001(security)* *groups=1001(security)*,10(wheel),1102

Sudo also complains about the user, even after the above command succeeds:

[user@snoopy ~]$ *sudo su -*
*sudo: unknown uid 100001012: who are you?*

A few seconds later sudo is no longer confused:

[user@snoopy ~]$ *sudo su -*
*LDAP OnePassword for **user**:*

SSSD config:

# NOTE(review): the sssd.conf section headers ([sssd], [nss], [pam], [domain/...])
# do not appear in this excerpt; they were presumably dropped when the config was
# pasted, so which section each option belongs to has to be inferred from its name.
config_file_version = 2
sbus_timeout = 30
services = nss, pam, sudo, ssh

# Local system accounts hidden from sssd lookups.
# (both filter_* values are cut off in the original post)
filter_users = adm,apache,avahi,bin,daemon,dbus,ecryptfs,ftp,git,games,gopher,haldaemon,halt,hfallback,hdeploy,influxdb,ldap,lp,mail,mailnull,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,oprofile,osse
filter_groups = adm,apache,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,ecryptfs,floppy,fuse,git,hfallback,hdeploy,influxdb,kmem,ldap,lock,lp,mail,mailnull,man,mem,nfsnobody,nobody,nscd,ntp,ossec,oprof

debug_level = 0
reconnection_retries = 3
# Offline (cached-credential) login policy: cached credentials expire after 2 days,
# and 3 failed offline attempts lock the user out for 5 minutes (per sssd.conf(5)).
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
pam_verbosity = 1
pam_pwd_expiration_warning = 21
pam_account_expired_message = Your LDAP password has expired, please use selfservice portal to change your LDAP password.

debug_level = 0

# debug_level = 0

# Local (sssd-internal) domain: id range 500-999, home directories not created
# automatically but removed on user deletion.
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999
default_shell = /bin/bash
base_directory = /home
create_homedir = false
remove_homedir = true
homedir_umask = 077
skel_dir = /etc/skel
mail_dir = /var/spool/mail

All domains have the following options set:

min_id = 499
# NOTE(review): raising debug_level in the affected domain section (e.g. 6) is the
# usual way to see why the primary gid is not resolved on the first lookup.
debug_level = 0
# Password hashes are cached for offline login; entries stay in the cache for
# 864000 s = 10 days before sssd refreshes them from LDAP. NOTE(review): worth
# confirming whether the unresolved-gid state seen at login is served from this cache.
cache_credentials = True
entry_cache_timeout = 864000

# Identity, authentication, access control and sudo rules all come from LDAP;
# password change and the other providers are disabled.
auth_provider = ldap
id_provider = ldap
access_provider = ldap
chpass_provider = none
sudo_provider = ldap
selinux_provider = none
autofs_provider = none
hostid_provider = none

ldap_use_tokengroups = false

# https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/

lookup_family_order = ipv4_only

# LDAP Search
# The group search base carries a filter that limits group lookups to the listed cn
# values; only groups matching it can ever be resolved by sssd.
# NOTE(review): ldap_group_search_base and ldap_user_search_base appear joined on one
# line here — in sssd.conf each option must be on its own line. (value cut off in the
# original post)
ldap_search_base = dc=hostopia,dc=com
ldap_group_search_base = ou=groups,o=Hostopia,dc=hostopia,dc=com?subtree?(|(cn=almighties)(cn=security)(cn=systems)(cn=bounce-development)(cn=development-wholesale)(cn=development-retail)(cn=abuse)) ldap_user_search_base = ou=users,o=hostopia,dc=hostopia,dc=com?subtree?(|(description=cn=bounce-development,ou=groups,o=Hostopia,dc=hostopia,dc=com)(description=cn=almighties,ou=groups,o=Hostopia,dc=hostopia

# LDAP Custom Schema
# Group membership is stored in a site-specific attribute (hMemberDN) on the group,
# and the user's group DNs are kept in the user's "description" attribute — which is
# why the user search base and the access filter below match on description=cn=...
ldap_group_member = hMemberDN
ldap_user_member_of = description
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
ldap_schema = rfc2307bis

ldap_network_timeout = 3
# NOTE(review): ldap_tls_reqcert = never means the LDAP server's certificate is not
# verified, so the ldaps:// transport protects against eavesdropping only, not against
# a spoofed server; the bind credentials below and (with auth_provider = ldap) user
# passwords travel over it. Setting it to "demand" with the issuing CA placed in
# ldap_tls_cacertdir is the usual fix. START TLS is presumably moot here because the
# URIs are already ldaps://.
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts

# Ldap Servers
# (server names redacted in the original post; the backup URI looks incomplete)
ldap_uri = ldaps://SERVER1, ldaps://SERVER2, ldaps://SERVER3
ldap_backup_uri = ldaps://

# NOTE(review): the obfuscated_password form (sss_obfuscate) only prevents the bind
# password from being readable at a glance; it is reversible, so sssd.conf must stay
# root-only (0600). Values redacted in the original post.
ldap_default_authtok_type = obfuscated_password
ldap_default_bind_dn = ****
ldap_default_authtok = ******

ldap_user_ssh_public_key = sshPublicKey

ldap_pwd_policy = none
ldap_account_expire_policy = shadow
ldap_user_shadow_expire   = shadowExpire
# shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))

ldap_chpass_update_last_change = false

# Access is granted only to posixAccount entries with a uidNumber, hAccountInitialSetup=1
# and membership (via description) in one of the listed groups; then the shadowExpire
# check above is applied. (filter value cut off in the original post)
ldap_access_order = filter, expire
ldap_access_filter = (&(objectClass=posixAccount)(uidNumber=*)(hAccountInitialSetup=1)(|(description=cn=bounce-development,ou=groups,o=Hostopia,dc=hostopia,dc=com)(description=cn=almighties,ou=groups,o=Hosto

# sudo rules are pulled from LDAP: full refresh daily, smart refresh hourly.
ldap_sudo_search_base = ou=sudoers,o=Hostopia,dc=hostopia,dc=com
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600
#entry_cache_sudo_timeout = 5400

#####  END DOMAIN SECTION  #####
