On Tue, Feb 05, 2019 at 08:52:27AM +0000, Martial CHAVIGNY wrote:
> Hi everyone,
>
> In a dev environment, with SSSD 1.16.2 (release 13.el7_6.5) on RHEL 7.6.
>
> SSSD is configured to query the mch.dev domain. The trusted subdomain
> sub.mch.dev exists (Win2k16).
>
> On mch.dev, I have a user 'user1' in the Universal groups 'G_TEST' and
> 'allowed_ssh'. These groups are also placed in the mch.dev domain.
> On sub.mch.dev, I have user 'user2' only. 'user2' is placed in 'G_TEST' and
> 'allowed_ssh'.
>
> When I get the user id from the mch.dev domain with `id mch\user1`, I get
> this result:
> `uid=83701115(user1) gid=513(sssdgrp)
> groups=513(sssdgrp),83701107(allowed_ssh),83701117(g_test)`, but for
> `id sub\user2`, in the same group (universal - child trust), I get
> `uid=69901104(user2) gid=69901104(user2) groups=69901104(user2)` without
> the group name.
>
> getent works fine: `getent group 'g_test'` gives:
> `g_test:*:83701117:user2,user1,mch`
>
> Why do I not get the group name for user2?

This looks like an error:

(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sysdb_search_object_attr] (0x0400): No such entry.
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sysdb_get_real_name] (0x0040): Cannot find user [[email protected]] in cache
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_user] (0x0040): Cannot canonicalize username
(Mon Feb 4 23:03:11 2019) [sssd[be[MCH.DEV]]] [sdap_id_op_done] (0x4000): releasing operation connection

I don't know why sysdb_get_real_name() is looking for the entry in the
mch.dev domain and not the subdomain.

Can you remove the full_name_format option from the [sssd] section instead?
If you need to use short names, set use_fully_qualified_names=false. Since
recent versions you can set this option also for subdomains, but I would
suggest to first test with a very vanilla configuration.

BTW, was there a reason to unset tokengroups?

> sssd.conf:
>
> [sssd]
> domains = mch.dev
> config_file_version = 2
> services = nss, pam
> default_domain_suffix = mch.dev
> full_name_format = %1$s
>
> [nss]
> filter_users = root
> reconnection_retries = 3
> entry_cache_nowait_percentage = 75
>
> [pam]
> pam_pwd_expiration_warning = 21
> pam_account_expired_message = Account/password expired, please use
> selfservice portal to change your password and logon again.
>
> [domain/MCH.DEV]
> debug_level = 9
> id_provider = ad
> access_provider = ad
> auth_provider = ad
> ad_domain = mch.dev
> krb5_realm = MCH.DEV
> krb5_store_password_if_offline = True
> cache_credentials = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = True
> override_gid = 513
> fallback_homedir = /home/%u@%d
> default_shell = /bin/bash
> dyndns_update = false
> ldap_idmap_range_min = 100000
> ldap_use_tokengroups = False
>
> krb5.conf:
> includedir /etc/krb5.conf.d/
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_ccache_name = KEYRING:persistent:%{uid}
> default_realm = MCH.DEV
>
> [realms]
> MCH.DEV = {
> }
>
> [domain_realm]
> mch.dev = MCH.DEV
> .mch.dev = MCH.DEV
>
> Logs available here: https://pastebin.com/Ntt62Cxt
>
> Thanks in advance
>
> @Jakub Hrozek
> With the configuration above, the inverse of your problem: I can't view and
> use groups for the subdomain user, but I can log in with SSH like this:
> 'ssh -l 'sub\user2' 172.31.8.88'
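The reply above asks for three things to be checked in the posted sssd.conf: the full_name_format option in the [sssd] section (to be removed in favour of use_fully_qualified_names in the domain section), the disabled tokengroups lookup, and a configuration that is as vanilla as possible. The script below is an added example, not code from the thread or from SSSD, that applies those checks to a constructed copy of the relevant sections of the posted file; it also reports the duplicated default_shell key, which SSSD tolerates but which is easy to miss by eye. The section and option names are the real ones from the thread; the lint rules themselves are this example's own.

```python
"""Lint an sssd.conf for the settings raised in the thread above.

Added example; not part of the mailing-list thread or of SSSD itself.
The rules encode the reviewer's suggestions: drop full_name_format from
[sssd] and rely on use_fully_qualified_names, justify disabling
tokengroups, and catch duplicate keys such as the repeated default_shell.
"""
import configparser

# Constructed sample: the [sssd] and [domain/MCH.DEV] sections from the thread,
# trimmed to the options the checks below look at.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = mch.dev
config_file_version = 2
services = nss, pam
default_domain_suffix = mch.dev
full_name_format = %1$s

[domain/MCH.DEV]
id_provider = ad
ad_domain = mch.dev
use_fully_qualified_names = True
default_shell = /bin/bash
ldap_id_mapping = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
ldap_use_tokengroups = False
"""


def find_duplicate_keys(text):
    """Return (section, key) pairs that appear more than once within a section."""
    seen = set()
    dups = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key = line.split("=", 1)[0].strip().lower()
        if (section, key) in seen and (section, key) not in dups:
            dups.append((section, key))
        seen.add((section, key))
    return dups


def lint_sssd_conf(text):
    """Return a list of human-readable findings for the given sssd.conf text."""
    # interpolation=None: values such as %1$s and %u@%d are SSSD templates, not
    # configparser interpolation. strict=False tolerates the duplicate key so
    # the file still parses and we can report the duplicate ourselves.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    # Suggestion 1 from the reply: no full_name_format in [sssd].
    if cp.has_option("sssd", "full_name_format"):
        findings.append(
            "[sssd] sets full_name_format=%s; remove it and control naming with "
            "use_fully_qualified_names in the domain section instead"
            % cp.get("sssd", "full_name_format"))

    # Suggestion 2: disabling tokengroups should be a deliberate choice.
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if (cp.has_option(section, "ldap_use_tokengroups")
                and not cp.getboolean(section, "ldap_use_tokengroups")):
            findings.append(
                "[%s] disables ldap_use_tokengroups; confirm there is a reason"
                % section)

    # Housekeeping: duplicate keys silently take the last value.
    for section, key in find_duplicate_keys(text):
        findings.append("[%s] defines %s more than once" % (section, key))
    return findings


if __name__ == "__main__":
    for finding in lint_sssd_conf(SAMPLE_SSSD_CONF):
        print(finding)
```

Running the script against the constructed sample prints one finding per point raised in the reply plus the duplicate default_shell; a file with full_name_format removed from [sssd] and tokengroups left at its default produces no findings for those rules.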