resending. 
Thanks
Sanjay Agrawal 

    On Friday, January 8, 2021, 04:57:12 PM EST, Sanjay Agrawal 
<sanjayagra...@yahoo.com> wrote:  
 
We are noticing that ldap_use_tokengroups=False is not returning the same 
results as with tokengroups. We think it is due to the two issues shown below. Can 
you please confirm whether these are known issues. 

Thanks,

Issue 1: It is not checking nested membership of the gidNumber group, so group 
"group1498" is missing from the list
$ ldapsearch -Q -h ad_server -LLL -b 'CN=user3901,OU=Service 
Accounts,DC=mydomain,DC=com' -s base 'objectclass=*' | grep -E 
"primaryGroupID|gidNumber|memberOf"
memberOf: CN=group548,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1414,OU=Groups,DC=mydomain,DC=com
primaryGroupID: 513
gidNumber: 32771
 
$ ldapsearch -Q -h ad_server -LLL -b 'OU=Groups,DC=mydomain,DC=com' 
'(msSFU30Name=group1191)' | grep -E "gidNumber|memberOf"
memberOf: CN=group1498,CN=Builtin,DC=mydomain,DC=com
gidNumber: 32771
 
testhost4:0# tail -1 /etc/sssd/sssd.conf
ldap_use_tokengroups = False
 
testhost4:0# groups  user3901
user3901 : group1191 group548 group1414



Issue 2: Without tokengroups, it's not considering primaryGroupID as a group of 
the user, so this is missing from the group list
All tokengroups for this user

$ ldapsearch -Q -h ad_server -LLL -b 'CN=user5305,CN=Users,DC=mydomain,DC=com' 
-s base 'objectclass=*' tokenGroups
dn: CN=user5305,CN=Users,DC=mydomain,DC=com
tokenGroups:: AQIAAAAAAAUgAAAAIQIAAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9gBwCAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I95d4AAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9FwQBAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9YB0BAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I91uIAAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9kQQAAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9vBwCAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9594AAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9gHABAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9KAYBAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9C4gBAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9xgQBAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9fOIAAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9K14AAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I97BwBAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I98j4BAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9sQUBAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9Zt8AAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9s7sAAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I95aoAAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9tOIAAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I98M4AAA==
tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==

All memberof/PrimaryGid and gidNumber for the user
ldapsearch -Q -h ad_server -LLL -b 'DC=mydomain,DC=com' '(ldap_group=user5305)' 
| egrep "name|gidNumber|memberOf|primary|AccountName"
memberOf: CN=group136,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group404,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group938,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group717,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group655,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group714,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1015,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group715,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group945,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group863,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1243,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group721,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group588,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group869,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1110,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group934,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1099,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group669,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1520,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group768,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1375,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group226,OU=Groups,DC=mydomain,DC=com
name: user5305
primaryGroupID: 513
sAMAccountName: user5305
gidNumber: 33040

check group with objectSid  AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==
$ ldapsearch -Q -h ad_server -LLL -b 'DC=mydomain,DC=com' 
'(ldap_group=group1191)' objectSid name
dn: CN=Domain Users,OU=Groups,DC=mydomain,DC=com
name: Domain Users
objectSid:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==
ldap_group: group1191

base64 of this objectSid  AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==
    S-1-5-21-79843086-108998794-1039276024-513
    - this is the primaryGroupID, which is missing from group list


From box using tokenGroup=False, see group1191 (primaryGroupID) is missing 
from the group list
testhost4:130# tail -1 /etc/sssd/sssd.conf
ldap_use_tokengroups = False
testhost4:0# groups user5305
user5305 : group1520 group226 group1375 group768 group136 group1243 group669 
group1099 group934 group1110 group869 group588 group721 group863 group945 
group715 group1015 group714 group655 group717 group938 group404

Sanjay Agrawal  
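The following Python script is an added example, not part of the original mail or of SSSD's code. It reproduces offline the two gaps the mail describes, so a reader can verify the SID decoding and see what a memberOf-based resolver has to do that a tokenGroups lookup gets for free. The sample data is constructed from values quoted above (the Domain Users objectSid, a subset of user5305's tokenGroups, and user3901's memberOf / gidNumber chain); the nesting map `MEMBEROF_OF` and the function names are the example's own assumptions. Note that Active Directory never lists an account's primary group in memberOf, which is why a resolver that only follows memberOf must add the primaryGroupID group explicitly and then walk nesting from it.

```python
"""Reproduce, offline, the two group-resolution gaps discussed in this thread (added example)."""
import base64
import struct


# --- SID handling -------------------------------------------------------------

def decode_sid(raw: bytes) -> str:
    """Render a binary SID (objectSid / tokenGroups value) as S-R-A-S1-...-Sn.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then count * 32-bit little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length %d does not match sub-authority count %d" % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def decode_sid_b64(text: str) -> str:
    """ldapsearch prints binary attributes as 'attr:: <base64>'; decode that form."""
    return decode_sid(base64.b64decode(text))


def domain_sid_of(sid: str) -> str:
    """Strip the trailing RID from an account or group SID to obtain the domain SID."""
    return sid.rsplit("-", 1)[0]


def primary_group_sid(domain_sid: str, primary_group_id: int) -> str:
    """primaryGroupID is only a RID; the group's SID is the domain SID plus that RID."""
    return "%s-%d" % (domain_sid, primary_group_id)


# --- Issue 2: the primary group is in tokenGroups but never in memberOf -------

def primary_group_in_token_groups(token_groups_b64, domain_sid, primary_group_id):
    """Return (decoded tokenGroups, primary group SID, True if that SID is among them)."""
    decoded = [decode_sid_b64(v) for v in token_groups_b64]
    pgid = primary_group_sid(domain_sid, primary_group_id)
    return decoded, pgid, pgid in decoded


# --- Issue 1: a memberOf-based resolver must walk nesting from the primary group too

def resolve_groups(direct_memberof, primary_group, memberof_of):
    """Transitive closure of membership, seeded with memberOf plus the primary group.

    memberof_of maps a group name to the groups it is itself a member of
    (hypothetical pre-fetched data; in practice each hop is an LDAP lookup).
    """
    seen = set()
    stack = list(direct_memberof) + [primary_group]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(memberof_of.get(group, ()))
    return seen


# --- Constructed sample data, taken from the values quoted in the thread -------
DOMAIN_USERS_SID_B64 = "AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA=="  # objectSid of Domain Users
TOKEN_GROUPS_B64 = [  # three of user5305's tokenGroups values
    "AQIAAAAAAAUgAAAAIQIAAA==",
    "AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9gBwCAA==",
    "AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==",
]
# user3901: memberOf group548, group1414; gidNumber 32771 -> group1191; group1191 memberOf group1498
MEMBEROF_OF = {"group1191": ["group1498"]}  # constructed nesting map


if __name__ == "__main__":
    domain = domain_sid_of(decode_sid_b64(DOMAIN_USERS_SID_B64))
    decoded, pgid, present = primary_group_in_token_groups(TOKEN_GROUPS_B64, domain, 513)
    print("domain SID:", domain)
    print("primary group SID:", pgid, "| listed in tokenGroups:", present)
    print("full membership for user3901:",
          sorted(resolve_groups(["group548", "group1414"], "group1191", MEMBEROF_OF)))
```

Running it decodes the quoted Domain Users objectSid to S-1-5-21-79843086-108998794-1039276024-513 (the RID 513 is the primaryGroupID), shows that SID present in tokenGroups, and returns group1498 in user3901's resolved membership, which is the group the `groups` output above lacks.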
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
