On Thu, Feb 06, 2020 at 01:40:46PM +0000, Sangster, Mark wrote:
> Hello,
>
> I am switching our SSSD to use the AD provider but have found that the setup
> has issues with group membership.
>
> The following is my domain configuration:
>
> [domain/<DOMAIN>]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> ad_access_filter = (memberOf=<FILTER>)
> ad_hostname = <CLIENT_HOST>
> ad_domain = <DOMAIN>
> dns_discovery_domain = <DOMAIN>
> ldap_id_mapping = false
> ldap_sasl_mech = GSSAPI
> ldap_referrals = false
> dyndns_update = false
> cache_credentials = true
> enumerate = false
> ldap_purge_cache_timeout = 0
>
> This setup works just not completely, user authentication and user/group
> lookups work. However if I attempt to list full group membership of a user
> (“id user” or “groups user”), then I am provided with only the primary group.
> Interestingly if I do the following: clear user from cache, lookup group,
> lookup user, then the information indicates the primary group and additional
> group.
> We utilise an AllowGroups restriction within SSHD which fails, claiming the
> user isn’t in the group.

Hi,

what version of SSSD are you using on which platform?

It would be best to have debug logs. For this please add 'debug_level = 9' to
the [domain/...] and [nss] sections of sssd.conf, restart SSSD and call
'id user' again. You can find more details at
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html.

Since you are using 'ldap_id_mapping = false' it might be worth trying to
disable the Global Catalog lookups by adding 'ad_enable_gc = false' to the
[domain/...] section of sssd.conf.

bye,
Sumit

>
> Any suggestions would be welcome.
>
> Thanks
> Mark
>
> ------------------------------------------------------------------------
> Mark Sangster
> Server Infrastructure Specialist
>
> Information Technology Services | University of Aberdeen
> t: +44 (0)1224 27-3315 | e: [email protected] | u:
> http://www.abdn.ac.uk/it/
>
>
> The University of Aberdeen is a charity registered in Scotland, No SC013683.
> Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir.
> SC013683.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
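
The two suggestions in the reply above, turned into a small pre-flight check for sssd.conf. This is an added example, not code from either poster or from the SSSD project; the function name `check_sssd_conf` and the domain name `EXAMPLE.COM` in the sample are assumptions, and the sample config is constructed.

```python
import configparser

# Constructed sample: a subset of the poster's settings, with a placeholder
# domain name (EXAMPLE.COM is an assumption, not a value from the thread).
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = EXAMPLE.COM

[nss]

[domain/EXAMPLE.COM]
id_provider = ad
access_provider = ad
ldap_id_mapping = false
enumerate = false
"""


def check_sssd_conf(text):
    """Return (section, message) findings for the reply's two suggestions."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    sections = [s for s in cp.sections() if s == "nss" or s.startswith("domain/")]
    if "nss" not in sections:
        findings.append(("nss", "section missing; add it with debug_level = 9"))
    for sec in sections:
        # Only the literal value 9 from the reply is accepted here.
        if cp.get(sec, "debug_level", fallback="").strip() != "9":
            findings.append((sec, "set debug_level = 9, restart SSSD, rerun 'id user'"))
        if not sec.startswith("domain/"):
            continue
        is_ad = cp.get(sec, "id_provider", fallback="").strip().lower() == "ad"
        # Both options default to true when absent.
        no_mapping = cp.get(sec, "ldap_id_mapping", fallback="true").strip().lower() == "false"
        gc_off = cp.get(sec, "ad_enable_gc", fallback="true").strip().lower() == "false"
        if is_ad and no_mapping and not gc_off:
            findings.append((sec, "ldap_id_mapping = false with Global Catalog "
                                  "lookups enabled; try ad_enable_gc = false"))
    return findings


if __name__ == "__main__":
    for section, message in check_sssd_conf(SAMPLE_CONF):
        print(f"[{section}] {message}")
```
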
