Hello,

I am switching our SSSD to use the AD provider but have found that the setup 
has issues with group membership.

The following is my domain configuration:

[domain/<DOMAIN>]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_access_filter = (memberOf=<FILTER>)
ad_hostname = <CLIENT_HOST>
ad_domain = <DOMAIN>
dns_discovery_domain = <DOMAIN>
ldap_id_mapping = false
ldap_sasl_mech = GSSAPI
ldap_referrals = false
dyndns_update = false
cache_credentials = true
enumerate = false
ldap_purge_cache_timeout = 0

This setup works, just not completely: user authentication and user/group
lookups work. However, if I attempt to list the full group membership of a user
("id user" or "groups user"), then I am provided with only the primary group.
Interestingly, if I do the following: clear the user from the cache, look up the
group, look up the user, then the information indicates the primary group and the
additional group.
We utilise an AllowGroups restriction within SSHD which fails, claiming the
user isn't in the group.

Any suggestions would be welcome.

Thanks
Mark

------------------------------------------------------------------------
Mark Sangster
Server Infrastructure Specialist

Information Technology Services | University of Aberdeen
t: +44 (0)1224 27-3315 | e: [email protected] | u: http://www.abdn.ac.uk/it/
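An added diagnostic (not from the original post or from the SSSD project) that reproduces the sequence described above and compares the two views SSSD gives of membership: the group's member list from "getent group" and the user's supplementary groups from "id". It assumes sss_cache, getent and id are on PATH and compares numeric GIDs rather than names, because AD group names may contain spaces.

```sh
#!/bin/sh
# Added example: probe whether SSSD reports a user's membership in an AD group
# consistently from both sides. Not part of the original post.

# Return 0 if numeric gid $2 appears in $1 (space-separated output of `id -G`).
has_gid() {
  for g in $1; do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# Field 3 (gid) of a `getent group` line "name:x:gid:member1,member2".
group_gid() { printf '%s\n' "$1" | cut -d: -f3; }

# Return 0 if user $2 appears in the member list (field 4) of a `getent group` line $1.
group_has_user() { printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | grep -qx -- "$2"; }

# Run the sequence from the post (clear user from cache, look up group, look up user)
# and report whether `id` agrees with the group's member list. Exit 0 when `id`
# lists the group, 1 on a mismatch or missing membership, 2 if user/group is unknown.
probe_membership() {
  user=$1
  group=$2
  sss_cache -u "$user" 2>/dev/null          # harmless if the entry is not cached
  line=$(getent group "$group") || { echo "group $group not found"; return 2; }
  gid=$(group_gid "$line")
  gids=$(id -G "$user") || { echo "user $user not found"; return 2; }
  if has_gid "$gids" "$gid"; then
    echo "OK: id lists $user in $group (gid $gid)"
    return 0
  fi
  if group_has_user "$line" "$user"; then
    echo "MISMATCH: getent group lists $user in $group, but id does not (initgroups/cache issue)"
  else
    echo "MISSING: neither view shows $user in $group"
  fi
  return 1
}

# Usage: probe_membership <user> <group>   (e.g. the group named in sshd AllowGroups)
```

A MISMATCH result means sshd's AllowGroups check (which resolves the user's groups the same way `id` does) will deny the user even though the group object itself lists them.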

