On Mon, May 01, 2023 at 11:16:00AM -0000, David Serrano Amarelle wrote:
> 
> First, I would like to express my appreciation for all the help you could provide me. I have 
> an issue with sssd and nss that I still don't understand quite well...
> 
> The point is that I have configured some servers with 2 active domains. The 
> first domain is a freeipa managed environment and the second one is an AD 
> domain.
> 
> But I recently noticed that if I try to obtain the uids and gids for several 
> users, the groups have the right gid, but the groupnames are wrong. I mean, 
> what I detected is that even though all gids and uids retrieved by the id command are 
> right, the names of the groups shown are sometimes from the other domain. I 
> think it always retrieves the name of the group from the first domain 
> (domain1.com) if the gid exists there, but if not, it will look for it in 
> the second domain (addomain2.com). 
> It seems this is a problem with NSS, not exactly with SSSD, even though 
> they are very linked. So, please, if this is not the best place to ask about 
> this, I would appreciate help in looking for help in another forum.
> 
> 
> For instance:
> 
> [root@lab6 ~]# id user1
> uid=105806(user1) gid=106520(group1) 
> groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)
> 
> where:
> * user1 is a user from the AD domain (addomain2.com)
> * gids are perfectly obtained
> * group1, group2 and group3 are from the AD domain (addomain2.com)
> * group5 and group6 are groups OR USERS from the FREEIPA domain (domain1.com)
> 
> I could understand that it is normal for this to happen if I use the shortname 
> way "id user1", but I think that it should not happen with the long-user way: 
> "id [email protected]". I mean, this also happens if I do:
> 
> [root@lab6 ~]# id [email protected]
> uid=105806(user1) gid=106520(group1) 
> groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)

Hi,

if I understand it correctly there are groups in AD with GIDs 102242 and
100327 and there are objects (users or groups) in IPA which are using the
same number as UID/GID.

This setup, collisions of GIDs, is not recommended and will cause the
issue you see. The reason is that the commands which return the groups
the user is a member of always only return the GIDs of the groups and
since the GIDs have no domain components the first group found with the
GID will be returned (since IPA uses autogenerated user private groups
it looks like IPA users are returned as well).

HTH

bye,
Sumit

> 
> 
> This is my sssd.conf:
> 
> [root@lab6 ~]# cat /etc/sssd/sssd.conf
> [domain/domain1.com]
> id_provider = ipa
> ipa_server = _srv_, freeipa01.domain1.com
> ipa_domain = domain1.com
> ipa_hostname = lab6.domain1.com
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_store_password_if_offline = True
> 
> [domain/addomain2.com]
> ad_domain = addomain2.com
> krb5_realm = addomain2.com
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> use_fully_qualified_names = False
> fallback_homedir = /home/%u@%d
> access_provider = ad
> krb5_keytab = /etc/krb5.keytab.ad
> ldap_krb5_keytab = /etc/krb5.keytab.ad
> ldap_id_mapping = false
> ad_enabled_domains = addomain2.com
> ad_gpo_access_control = disabled
> dyndns_update = false
> dns_resolver_timeout = 10
> dns_resolver_op_timeout = 10
> krb5_auth_timeout = 30
> timeout = 30
> 
> [sssd]
> services = nss, pam, ssh, sudo
> domains = domain1.com,addomain2.com
> 
> [nss]
> homedir_substring = /home
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> [session_recording]
> 
> [root@lab6 ~]# realm list
> domain1.com
>   type: kerberos
>   realm-name: domain1.com
>   domain-name: domain1.com
>   configured: kerberos-member
>   server-software: ipa
>   client-software: sssd
>   required-package: ipa-client
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   login-formats: %U
>   login-policy: allow-realm-logins
> addomain2.com
>   type: kerberos
>   realm-name: addomain2.com
>   domain-name: addomain2.com
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common-tools
>   login-formats: %U
>   login-policy: allow-realm-logins
> 
> Does it make any sense to you? Did I miss something in my configuration? 
> Is there any way to tell NSS which domain it should use in the SSSD configuration?
> 
> Thanks a lot for your help.
> 
> Regards,
> david
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue

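The following is an added example, not code from the thread or from SSSD itself. It models the behaviour Sumit describes with constructed data: the domain order is the one from the poster's sssd.conf (`domains = domain1.com,addomain2.com`) and the GIDs are the ones from the quoted `id user1` output, but the group names `ad-group5`, `ad-group6` and `ipa-only` are hypothetical. `getgrgid` resolves a bare GID by walking the domains in order and taking the first match, which is why the qualified user name makes no difference once the membership list has been reduced to numbers; `find_gid_collisions` is the check an administrator would run over the two directories' contents to find overlapping IDs before they show up as wrong names.

```python
import re

# Domain order as in the poster's sssd.conf ("domains = domain1.com,addomain2.com").
DOMAINS = ["domain1.com", "addomain2.com"]

# Constructed directory contents (hypothetical names; GIDs taken from the
# `id user1` output quoted in the thread): domain -> {gid: group name}.
# GIDs 102242 and 100327 exist in both domains, the collision Sumit describes.
GROUPS = {
    "domain1.com":   {102242: "group5", 100327: "group6", 105000: "ipa-only"},
    "addomain2.com": {106520: "group1", 104446: "group2", 104870: "group3",
                      102242: "ad-group5", 100327: "ad-group6"},
}


def getgrgid(gid, domains=DOMAINS, groups=GROUPS):
    """Resolve a bare GID to (name, domain) the way an unqualified lookup does:
    walk the configured domains in order and return the first hit."""
    for dom in domains:
        if gid in groups[dom]:
            return groups[dom][gid], dom
    return None, None


def gids_from_id_output(line):
    """Pull the numeric GIDs out of the 'groups=' field of an `id` line."""
    m = re.search(r"groups=(\S+)", line)
    if not m:
        return []
    return [int(g) for g in re.findall(r"(\d+)\(", m.group(1))]


def render_groups(gids):
    """Re-resolve each GID to a name; this reproduces the 'groups=' field of `id`.
    Only the numbers survive from the membership lookup, so the user's domain
    qualifier cannot influence which name is attached to a colliding GID."""
    return ",".join(f"{gid}({getgrgid(gid)[0]})" for gid in gids)


def find_gid_collisions(groups=GROUPS):
    """Return {gid: [(domain, name), ...]} for every GID present in more than one domain."""
    seen = {}
    for dom, table in groups.items():
        for gid, name in table.items():
            seen.setdefault(gid, []).append((dom, name))
    return {gid: hits for gid, hits in seen.items() if len(hits) > 1}


if __name__ == "__main__":
    # Constructed from the `id user1` output quoted in the thread.
    line = "groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)"
    gids = gids_from_id_output(line)
    print("groups=" + render_groups(gids))
    for gid, hits in sorted(find_gid_collisions().items()):
        print(f"GID {gid} collides:", ", ".join(f"{n}@{d}" for d, n in hits))
```

Run as-is, the script reproduces the exact `groups=` string from the post even though 102242 and 100327 are AD memberships: the IPA names win because domain1.com is listed first. In the collision output, each affected GID appears with both its IPA and its AD name, which is the set of objects that would need distinct ID ranges for the names to become unambiguous.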