resending. Thanks Sanjay Agrawal On Friday, January 8, 2021, 04:57:12 PM EST, Sanjay Agrawal <sanjayagra...@yahoo.com> wrote: We are noticing that with ldap_use_tokengroups=False is not returning same results as with tokengroups. We think, it is due to two issues show below. Can you please confirm if they are a known issues.
Thanks, Issue 1: It is not checking nested membership of gidNumber group, so missing group "group1498" from the list $ ldapsearch -Q -h ad_server -LLL -b 'CN=user3901,OU=Service Accounts,DC=mydomain,DC=com' -s base 'objectclass=*' | grep -E "primaryGroupID|gidNumber|memberOf" memberOf: CN=group548,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1414,OU=Groups,DC=mydomain,DC=com primaryGroupID: 513 gidNumber: 32771 $ ldapsearch -Q -h ad_server -LLL -b 'OU=Groups,DC=mydomain,DC=com' '(msSFU30Name=group1191)' | grep -E "gidNumber|memberOf" memberOf: CN=group1498,CN=Builtin,DC=mydomain,DC=com gidNumber: 32771 testhost4:0# tail -1 /etc/sssd/sssd.conf ldap_use_tokengroups = False testhost4:0# groups user3901 user3901 : group1191 group548 group1414 Issue 2: without tokengroups, It's not considering primaryGroupID as group of the user, so this is missing from group list All tokengroups for this user $ ldapsearch -Q -h ad_server -LLL -b 'CN=user5305,CN=Users,DC=mydomain,DC=com' -s base 'objectclass=*' tokenGroups dn: CN=user5305,CN=Users,DC=mydomain,DC=com tokenGroups:: AQIAAAAAAAUgAAAAIQIAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9gBwCAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I95d4AAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9FwQBAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9YB0BAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I91uIAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9kQQAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9vBwCAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9594AAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9gHABAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9KAYBAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9C4gBAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9xgQBAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9fOIAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9K14AAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I97BwBAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I98j4BAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9sQUBAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9Zt8AAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9s7sAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I95aoAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9tOIAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I98M4AAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA== All memberof/PrimaryGid and gidNumber for the user ldapsearch -Q -h ad_server -LLL -b 'DC=mydomain,DC=com' '(ldap_group=user5305)' | egrep "name|gidNumber|memberOf|primary|AccountName" memberOf: CN=group136,OU=Groups,DC=mydomain,DC=com memberOf: CN=group404,OU=Groups,DC=mydomain,DC=com memberOf: CN=group938,OU=Groups,DC=mydomain,DC=com memberOf: CN=group717,OU=Groups,DC=mydomain,DC=com memberOf: CN=group655,OU=Groups,DC=mydomain,DC=com memberOf: CN=group714,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1015,OU=Groups,DC=mydomain,DC=com memberOf: CN=group715,OU=Groups,DC=mydomain,DC=com memberOf: CN=group945,OU=Groups,DC=mydomain,DC=com memberOf: CN=group863,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1243,OU=Groups,DC=mydomain,DC=com memberOf: CN=group721,OU=Groups,DC=mydomain,DC=com memberOf: CN=group588,OU=Groups,DC=mydomain,DC=com memberOf: CN=group869,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1110,OU=Groups,DC=mydomain,DC=com memberOf: CN=group934,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1099,OU=Groups,DC=mydomain,DC=com memberOf: CN=group669,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1520,OU=Groups,DC=mydomain,DC=com memberOf: CN=group768,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1375,OU=Groups,DC=mydomain,DC=com memberOf: CN=group226,OU=Groups,DC=mydomain,DC=com name: user5305 primaryGroupID: 513 sAMAccountName: user5305 gidNumber: 33040 check group with objectSid AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA== $ ldapsearch -Q -h ad_server -LLL -b 'DC=mydomain,DC=com' '(ldap_group=group1191)' objectSid name dn: CN=Domain Users,OU=Groups,DC=mydomain,DC=com name: Domain Users objectSid:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA== ldap_group: group1191 base64 of this objectSid AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA== S-1-5-21-79843086-108998794-1039276024-513 - this is the primaryGroupID, which is missing from group list >From box using tokenGroup=False, see group1191 (primaryGroupID) is missing >from the group list testhost4:130# tail -1 /etc/sssd/sssd.conf ldap_use_tokengroups = False testhost4:0# groups user5305 user5305 : group1520 group226 group1375 group768 group136 group1243 group669 group1099 group934 group1110 group869 group588 group721 group863 group945 group715 group1015 group714 group655 group717 group938 group404 Sanjay Agrawal
_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org