We are testing a new SSSD configuration and we're almost there. Our campus Active Directory does not populate the RFC2307 fields (also there are several different Linux enclaves on campus). Authentication is done against campus AD. We have ID mapping pointing at a different LDAP server (OpenLDAP on RHEL 8.7). Our test client is RHEL 8.6. Our current successful setup is shown below. We would like to avoid anything that is too obscure or not recommended. We have not found this to be a common configuration (not many examples). It is working for us, however.

. Install realm and sssd
. realmjoin to our domain (actually I used adcli to avoid DynamicDNS failures)
. Configured

[sssd.conf]:

    [sssd]
    domains = university.edu
    config_file_version = 2
    services = nss, pam
    debug_level = 8

    [domain/university.edu]
    ad_domain = university.edu
    dyndns_update = false
    krb5_realm = UNIVERSITY.EDU
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    auth_provider = ad
    id_provider = ldap
    ldap_uri = ldap://ldaptest.university.edu
    ldap_default_bind_dn = cn=readonly,ou=system,dc=university,dc=edu
    ldap_default_authtok = read_only_password
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    use_fully_qualified_names = True

[nsswitch.conf]

    passwd: sss files systemd
    group: sss files systemd

(I've tried without "systemd" as well)

(We had initial problems configuring TLS, so we will address that next)

PROBLEM:

SSSD is correctly authenticating and pulling information from LDAP correctly. My UID and group memberships are correct. SSSD knows all of the groups and memberships. The "id" command only shows my default group.

The "getent group othergr...@university.edu" command gives an error:

    error writing group entry: Invalid argument

Is there any fix for these? I found an older reference to "sss_showgroup", but that utility doesn't seem to be included in sss-utils anymore. We are running sssd 2.9.4.
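
The post defers TLS for the `id_provider = ldap` connection. As an added example (not part of the original message and not SSSD project code), this sketch parses an sssd.conf and reports LDAP domains whose bind credentials and lookups would travel or sit unprotected. The sample input is constructed from the posted section; the function name `audit_ldap_transport` is hypothetical, and the option defaults assumed in the comments are those documented in sssd-ldap(5).

```python
import configparser

# Constructed sample mirroring the [domain/...] section posted above.
SAMPLE = """
[sssd]
domains = university.edu
services = nss, pam

[domain/university.edu]
auth_provider = ad
id_provider = ldap
ldap_uri = ldap://ldaptest.university.edu
ldap_default_bind_dn = cn=readonly,ou=system,dc=university,dc=edu
ldap_default_authtok = read_only_password
"""

def audit_ldap_transport(text):
    """Return (section, finding) pairs for domains that use id_provider = ldap."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if not name.startswith("domain/") or sec.get("id_provider") != "ldap":
            continue
        uris = [u.strip() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
        # Assumed default: ldap_id_use_start_tls = false
        starttls = sec.get("ldap_id_use_start_tls", "false").lower() == "true"
        has_bind_pw = "ldap_default_authtok" in sec
        for uri in uris:
            if uri.lower().startswith("ldap://") and not starttls:
                msg = f"{uri}: no TLS (ldap:// without ldap_id_use_start_tls)"
                if has_bind_pw:
                    msg += "; bind password crosses the network in cleartext"
                findings.append((name, msg))
        # Assumed default: ldap_tls_reqcert = hard
        if sec.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
            findings.append((name, "ldap_tls_reqcert accepts an invalid server certificate"))
        if has_bind_pw and sec.get("ldap_default_authtok_type", "password") == "password":
            findings.append((name, "ldap_default_authtok is a plain password; restrict read access to sssd.conf"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_ldap_transport(SAMPLE):
        print(f"[{section}] {finding}")
```
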