Hi everyone,

In a dev environment, with SSSD 1.16.2 (release 13.el7_6.5) on RHEL 7.6

SSSD is configured to query the mch.dev domain. The trusted subdomain sub.mch.dev 
exists (Win2k16).

On mch.dev, I have a user 'user1' in the Universal groups 'G_TEST' and 
'allowed_ssh'. These groups are also located in the mch.dev domain.
On sub.mch.dev, I have user 'user2' only. 'user2' is placed in 'G_TEST' and 
'allowed_ssh'.

When I get the id of a user from the mch.dev domain, with `id mch\user1`, I get this result: 
`uid=83701115(user1) gid=513(sssdgrp) 
groups=513(sssdgrp),83701107(allowed_ssh),83701117(g_test)`, but with `id 
sub\user2`, who is in the same groups (universal - child trust), I get `uid=69901104(user2) 
gid=69901104(user2) groups=69901104(user2)` without group names.

getent works fine: `getent group 'g_test'` returns: 
`g_test:*:83701117:user2,user1,mch`

Why do I not have the group names for user2?

sssd.conf:

    [sssd]
    domains = mch.dev
    config_file_version = 2
    services = nss, pam
    default_domain_suffix = mch.dev
    full_name_format = %1$s

    [nss]
    filter_users = root
    reconnection_retries = 3
    entry_cache_nowait_percentage = 75

    [pam]
    pam_pwd_expiration_warning = 21
    pam_account_expired_message = Account/password expired, please use selfservice portal to change your password and logon again.

    [domain/MCH.DEV]
    debug_level = 9
    id_provider = ad
    access_provider = ad
    auth_provider = ad
    ad_domain = mch.dev
    krb5_realm = MCH.DEV
    krb5_store_password_if_offline = True
    cache_credentials = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True
    override_gid = 513
    fallback_homedir = /home/%u@%d
    default_shell = /bin/bash
    dyndns_update = false
    ldap_idmap_range_min = 100000
    ldap_use_tokengroups = False

krb5.conf:

    includedir /etc/krb5.conf.d/
    includedir /var/lib/sss/pubconf/krb5.include.d/

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_ccache_name = KEYRING:persistent:%{uid}
    default_realm = MCH.DEV

    [realms]
    MCH.DEV = {
    }

    [domain_realm]
    mch.dev = MCH.DEV
    .mch.dev = MCH.DEV

Logs available here: https://pastebin.com/Ntt62Cxt

Thanks in advance

@Jakub Hrozek [email protected]
With the configuration above, it is the inverse of your problem: I can't view and use 
groups for the sub domain user, but I can log in with SSH like this: `ssh -l 
'sub\user2' 172.31.8.88`
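As an added example (not from the post and not SSSD code), here is a small Python check that compares the groups `id` reports for a user against the `getent group` entries that list that user as a member, using the outputs quoted above as constructed sample input. The `allowed_ssh` getent line is constructed because the post does not show it, and names are normalised so `DOMAIN\user` or `user@domain` forms compare against short names.

```python
import re
from typing import List, Set, Tuple

# Sample outputs copied from the post above (static strings, not live lookups).
ID_USER1 = "uid=83701115(user1) gid=513(sssdgrp) groups=513(sssdgrp),83701107(allowed_ssh),83701117(g_test)"
ID_USER2 = "uid=69901104(user2) gid=69901104(user2) groups=69901104(user2)"
GETENT_LINES = [
    "g_test:*:83701117:user2,user1,mch",   # quoted in the post
    "allowed_ssh:*:83701107:user2,user1",  # constructed: the post shows no getent line for it
]

# Matches one "<id>(<name>)" entry as printed by id(1).
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def short_name(name: str) -> str:
    """Normalise 'DOMAIN\\user' or 'user@domain' to 'user' (lower-cased) so both sides compare."""
    name = name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()


def parse_id(output: str) -> Tuple[str, Set[str]]:
    """Return (user, set of group names) from one line of `id` output; the primary gid counts too."""
    fields = dict(part.split("=", 1) for part in output.split())
    user = _ENTRY.match(fields["uid"]).group(2)
    groups = {short_name(n) for _, n in _ENTRY.findall(fields["groups"])}
    groups.add(short_name(_ENTRY.match(fields["gid"]).group(2)))
    return short_name(user), groups


def parse_getent_group(line: str) -> Tuple[str, Set[str]]:
    """Return (group, set of member names) from one `getent group` line (name:passwd:gid:members)."""
    name, _passwd, _gid, members = line.strip().split(":", 3)
    return short_name(name), {short_name(m) for m in members.split(",") if m}


def groups_missing_from_id(id_output: str, getent_lines: List[str]) -> List[str]:
    """Groups whose member list contains the user but which `id` does not report for that user."""
    user, id_groups = parse_id(id_output)
    missing = []
    for line in getent_lines:
        group, members = parse_getent_group(line)
        if user in members and group not in id_groups:
            missing.append(group)
    return sorted(missing)


if __name__ == "__main__":
    for out in (ID_USER1, ID_USER2):
        user, _ = parse_id(out)
        print(f"{user}: groups listing the user but absent from id: {groups_missing_from_id(out, GETENT_LINES)}")
```

Feeding it the post's two `id` lines reports nothing missing for user1 and both `allowed_ssh` and `g_test` missing for user2, which is exactly the asymmetry described above.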
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]