Sanjay,

We had the opposite problem: with ldap_use_tokengroups = True, we were getting incorrect group memberships. It's been a couple of years, but I seem to recall it was either universal group membership, or else memberships in non-local AD domains that weren't being shown (global groups).
Spike

On Tue, Jan 12, 2021 at 4:13 AM Sumit Bose <[email protected]> wrote:
> On Fri, Jan 08, 2021 at 09:57:12PM +0000, Sanjay Agrawal wrote:
> > We are noticing that ldap_use_tokengroups=False is not returning the
> > same results as with tokengroups. We think it is due to the two issues shown
> > below. Can you please confirm whether they are known issues.
> >
> > Thanks,
> >
> > Issue 1: It is not checking nested membership of the gidNumber group, so
> > group "group1498" is missing from the list
> >
> > $ ldapsearch -Q -h ad_server -LLL -b 'CN=user3901,OU=Service Accounts,DC=mydomain,DC=com' -s base 'objectclass=*' | grep -E "primaryGroupID|gidNumber|memberOf"
> > memberOf: CN=group548,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group1414,OU=Groups,DC=mydomain,DC=com
> > primaryGroupID: 513
> > gidNumber: 32771
> >
> > $ ldapsearch -Q -h ad_server -LLL -b 'OU=Groups,DC=mydomain,DC=com' '(msSFU30Name=group1191)' | grep -E "gidNumber|memberOf"
> > memberOf: CN=group1498,CN=Builtin,DC=mydomain,DC=com
> > gidNumber: 32771
> >
> > testhost4:0# tail -1 /etc/sssd/sssd.conf
> > ldap_use_tokengroups = False
>
> Hi,
>
> can you send your full sssd.conf so that I can better understand which
> provider, schema etc. are used?
>
> bye,
> Sumit
>
> >
> > testhost4:0# groups user3901
> > user3901 : group1191 group548 group1414
> >
> >
> > Issue 2: Without tokengroups, it's not considering primaryGroupID as a
> > group of the user, so this is missing from the group list
> >
> > All tokengroups for this user
> >
> > $ ldapsearch -Q -h ad_server -LLL -b 'CN=user5305,CN=Users,DC=mydomain,DC=com' -s base 'objectclass=*' tokenGroups
> > dn: CN=user5305,CN=Users,DC=mydomain,DC=com
> >
> > All memberOf/primaryGroupID and gidNumber for the user
> >
> > ldapsearch -Q -h ad_server -LLL -b 'DC=mydomain,DC=com' '(ldap_group=user5305)' | egrep "name|gidNumber|memberOf|primary|AccountName"
> > memberOf: CN=group136,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group404,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group938,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group717,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group655,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group714,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group1015,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group715,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group945,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group863,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group1243,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group721,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group588,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group869,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group1110,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group934,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group1099,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group669,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group1520,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group768,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group1375,OU=Groups,DC=mydomain,DC=com
> > memberOf: CN=group226,OU=Groups,DC=mydomain,DC=com
> > name: user5305
> > primaryGroupID: 513
> > sAMAccountName: user5305
> > gidNumber: 33040
> >
> > check group with objectSid AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==
> >
> > $ ldapsearch -Q -h ad_server -LLL -b 'DC=mydomain,DC=com' '(ldap_group=group1191)' objectSid name
> > dn: CN=Domain Users,OU=Groups,DC=mydomain,DC=com
> > name: Domain Users
> > objectSid:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==
> > ldap_group: group1191
> >
> > base64 of this objectSid AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==
> >   S-1-5-21-79843086-108998794-1039276024-513
> >   - this is the primaryGroupID, which is missing from the group list
> >
> >
> > From the box using tokenGroup=False, see that group1191 (primaryGroupID) is
> > missing from the group list
> >
> > testhost4:130# tail -1 /etc/sssd/sssd.conf
> > ldap_use_tokengroups = False
> >
> > testhost4:0# groups user5305
> > user5305 : group1520 group226 group1375 group768 group136 group1243 group669 group1099 group934 group1110 group869 group588 group721 group863 group945 group715 group1015 group714 group655 group717 group938 group404
> >
> > Sanjay Agrawal
>
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
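The objectSid decoding and the primaryGroupID relation that the thread turns on, as an added example that is not part of the messages above or of SSSD: it decodes the base64 objectSid quoted for "Domain Users" into S-1-5-... form, rebuilds the primary-group SID from the domain SID plus primaryGroupID (AD records the primary group only as that RID, never in memberOf), and reports which tokenGroups entries a memberOf-only lookup would leave out. The tokenGroups subset and the memberOf set are constructed from values in the thread and are not the full output.

```python
import base64
import struct

# Values quoted in the thread: the objectSid of "Domain Users" (the group
# behind primaryGroupID 513), the BUILTIN entry from the tokenGroups dump and
# one ordinary domain group. TOKEN_GROUPS_B64 and MEMBEROF_SIDS below are a
# constructed subset of the real output, just enough to show the gap.
DOMAIN_USERS_B64 = "AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA=="
BUILTIN_USERS_B64 = "AQIAAAAAAAUgAAAAIQIAAA=="
SOME_GROUP_B64 = "AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9gBwCAA=="
PRIMARY_GROUP_ID = 513

def decode_sid(b64: str) -> str:
    """Convert the binary objectSid/tokenGroups form into S-1-5-... notation."""
    raw = base64.b64decode(b64)
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"SID length {len(raw)} does not match {count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", raw, 8)  # sub-authorities, little-endian
    return f"S-{revision}-{authority}-" + "-".join(str(s) for s in subs)

def domain_sid_of(sid: str) -> str:
    """Strip the trailing RID from a domain SID (S-1-5-21-...-RID)."""
    return sid.rsplit("-", 1)[0]

def primary_group_sid(domain_sid: str, primary_group_id: int) -> str:
    """AD stores the primary group only as a RID in primaryGroupID; it never
    shows up in memberOf, so it has to be rebuilt from the domain SID."""
    return f"{domain_sid}-{primary_group_id}"

def missed_without_tokengroups(token_groups_b64, memberof_sids,
                               domain_sid=None, primary_group_id=None):
    """Return the tokenGroups SIDs a memberOf-only lookup would not yield.
    Passing domain_sid and primary_group_id adds the primary group back."""
    have = set(memberof_sids)
    if domain_sid and primary_group_id is not None:
        have.add(primary_group_sid(domain_sid, primary_group_id))
    return sorted(s for s in map(decode_sid, token_groups_b64) if s not in have)

TOKEN_GROUPS_B64 = [BUILTIN_USERS_B64, DOMAIN_USERS_B64, SOME_GROUP_B64]
MEMBEROF_SIDS = {decode_sid(SOME_GROUP_B64)}

if __name__ == "__main__":
    domain = domain_sid_of(decode_sid(DOMAIN_USERS_B64))
    print("memberOf only, missing:", missed_without_tokengroups(TOKEN_GROUPS_B64, MEMBEROF_SIDS))
    print("memberOf + primaryGroupID, missing:",
          missed_without_tokengroups(TOKEN_GROUPS_B64, MEMBEROF_SIDS, domain, PRIMARY_GROUP_ID))
```

With the primary group added back, the only entry still missing in this constructed set is the BUILTIN group, which is the kind of membership that only a nested or token-based evaluation returns.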
