> On 14 Sep 2018, at 00:25, Kevin Murakoshi <[email protected]> wrote:
>
> Hi All,
>
> I'm relatively new to SSSD, and this has me stumped. I'm trying to override
> the default GID for all the users on an OEL 7 system. I set override_gid = 100
> in sssd.conf, but as far as I can tell nothing's happening. Looking into the
> sssd cache, I see:
>
> dn: [email protected],cn=users,cn=ad3.ucdavis.edu,cn=sysdb
> createTimestamp: 1536876547
> fullName: riceboy
> gecos: riceboy
> gidNumber: 846575921
> name: [email protected]
> objectCategory: user
> uidNumber: 190295
>
> When I set auto_private_groups = true, the GID does change:
>
> dn: [email protected],cn=users,cn=ad3.ucdavis.edu,cn=sysdb
> createTimestamp: 1536877117
> fullName: riceboy
> gecos: riceboy
> gidNumber: 190295
> name: [email protected]
> objectCategory: user
> uidNumber: 190295
I think this is a bug. Looking at the domain the user comes from and the domain defined in sssd.conf, this user comes from a trusted domain, correct? The domain defined in sssd.conf is ou.ad3.ucdavis.edu, but the domain the user comes from is ad3.ucdavis.edu.

I could reproduce this in my local test; it seems that the override_gid option is not applied to subdomain users. E.g., using override_gid=55555 I can see the administrator user from the joined domain to have their gid overridden:

$ id [email protected]
uid=1323800500([email protected]) gid=55555 groups=55555,1323800572(denied rodc password replication [email protected]),1323800520(group policy creator [email protected]),1323800513(domain [email protected]),1323800512(domain [email protected]),1323800519(enterprise [email protected]),1323800518(schema [email protected])

But not the user from a trusted domain:

$ id [email protected]
uid=52600500([email protected]) gid=52600500([email protected]) groups=52600500([email protected]),52600513

Does override_gid work for you for users from the joined domain at least?

>
> Another data point (not sure if this is related), when I try and override the
> GID on an existing group, the name will change, but the GID will not.
> (original GID of "Domain Users" is 846575921)
> [root@tcsnd2 ~]# sss_override group-add "Domain [email protected]" -n NewName -g 1234567
> SSSD needs to be restarted for the changes to take effect.
> [root@tcsnd2 ~]# systemctl restart sssd
> [root@tcsnd2 ~]# id [email protected]
> uid=190295(riceboy) gid=846575921(newname)
> groups=846575921(newname),1170(status),1061419070(ism-us-systems),1061419998(iet-us-banner),1061419025(ism-us-status),1061419997(iet-us-edrs),1061419993(iet-us-rbds),1061419045(ism-us-ism),1234567(newname),1061419999(iet-us-ansible),1061419046(ism-us-isun-susers),1061419058(ism-us-netbackup),1061419074(ism-us-zenoss)
>

Hmm, this sounds like a bug as well. Does it work with any of the non-primary groups at least?
> I'm sure there's something simple I'm missing, any ideas?
>
> My sssd.conf file
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
> debug_level = 2
>
> [pam]
> reconnection_retries = 3
> debug_level = 2
>
> [sssd]
> domains = ou.ad3.ucdavis.edu
> config_file_version = 2
> services = nss, pam, ifp
> debug_level = 2
>
> default_domain_suffix = AD3.UCDAVIS.EDU
>
> [domain/ou.ad3.ucdavis.edu]
> ad_domain = ou.ad3.ucdavis.edu
> krb5_realm = OU.AD3.UCDAVIS.EDU
> krb5_auth_timeout = 30
> debug_level = 4
> override_gid = 100
>
> cache_credentials = True
>
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
> access_provider = ad
> #ad_access_filter = (memberOf=CN=IET-US-Unit-PS,OU=US-byOrg,OU=Groups,OU=IET-New,OU=DEPARTMENTS,DC=ou,DC=ad3,DC=ucdavis,DC=edu)
>
> use_fully_qualified_names = True
>
> ;;; Must be false for UNIX UIDs to be retrieved from AD3
> ldap_id_mapping = false
> ldap_schema = ad
>
> krb5_store_password_if_offline = True
>
> default_shell = /bin/bash
> override_homedir = /home/%u
> fallback_homedir = /tmp/
> override_shell = /bin/ksh
> #auto_private_groups = true
>
> access_provider = simple
> simple_allow_groups = [email protected], [email protected]
>
> ignore_group_members = TRUE
> ldap_use_tokengroups = True
> ldap_group_nesting_level = 0
> ldap_groups_use_matching_rule_in_chain = True
> ldap_initgroups_use_matching_rule_in_chain = True
> full_name_format = %1$s
> dyndns_update = false
>
> Kevin Murakoshi
> IET Enterprise Student Applications
>
> [email protected]
>
> (530) 752-0318 (office)
> (530) 219-8188 (cell)
>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
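A small diagnostic for the symptom discussed in this thread, added here as an example and not part of the mailing-list exchange: it walks a sysdb cache dump in the ldbsearch layout the poster quoted, and lists every cached user whose primary GID still differs from the configured override_gid, flagging whether the entry sits under the joined domain or a trusted (sub)domain container. It assumes each domain is cached under `cn=<domain>,cn=sysdb`, as in the quoted entries; the sample LDIF below is constructed, with placeholder names and domains.

```python
import re

# Constructed sample in the layout of the thread's sysdb dump (ldbsearch output);
# names, domains and numbers are placeholders, not the poster's real values.
SAMPLE_LDIF = """\
dn: name=alice@joined.example,cn=users,cn=joined.example,cn=sysdb
gidNumber: 55555
name: alice@joined.example
objectCategory: user
uidNumber: 1323800500

dn: name=bob@trusted.example,cn=users,cn=trusted.example,cn=sysdb
gidNumber: 52600500
name: bob@trusted.example
objectCategory: user
uidNumber: 52600500
"""

def parse_ldif_entries(text):
    """Split LDIF-style text into one dict per blank-line-separated entry."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def sysdb_domain(entry):
    """Domain container the entry is cached under (assumed cn=<domain>,cn=sysdb)."""
    m = re.search(r",cn=([^,]+),cn=sysdb$", entry.get("dn", ""))
    return m.group(1).lower() if m else None

def unoverridden_users(text, override_gid, joined_domain):
    """(name, domain, gidNumber, from_trusted_domain) for each cached user
    whose primary GID does not equal override_gid."""
    out = []
    for e in parse_ldif_entries(text):
        if e.get("objectCategory") != "user" or "gidNumber" not in e:
            continue
        gid = int(e["gidNumber"])
        if gid != override_gid:
            dom = sysdb_domain(e)
            out.append((e["name"], dom, gid, dom != joined_domain.lower()))
    return out

if __name__ == "__main__":
    for name, dom, gid, trusted in unoverridden_users(SAMPLE_LDIF, 55555, "joined.example"):
        print(f"{name}: gidNumber={gid} ({'trusted' if trusted else 'joined'} domain {dom})")
```

On a real host, feed it the output of `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb objectCategory=user` (run as root) together with the override_gid and `[domain/...]` name from sssd.conf; a result list containing only trusted-domain users matches the behaviour reproduced above.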
