[Freeipa-users] ID via Trust

Sumit Bose sbose at redhat.com
Mon Jun 17 15:21:07 UTC 2013


On Mon, Jun 17, 2013 at 10:16:19AM -0400, Aly Khimji wrote:
> Hey guys,
> So I am getting ready to hopefully roll this out for a demo in our non-prod
> environment prior to going prod if all works. The purpose of this setup is
> to allow for elevated access via AD grouping through a trust. Please see
> below because I get different results on different machines, all on the
> same network.
> 
> Can you please advise what you would need from me to help diagnose this
> issue?

To avoid excessive searches on the AD side, the group memberships of a
user are only evaluated with the help of the MS-PAC in the Kerberos
ticket when the user logs into a host (Windows clients do basically the
same). As a result, only on hosts where the user has already logged in once
does id show all groups the user is a member of.

> 
> Thank you so much,
> 
> Aly
> 
> 
> IDM-server:
> -sh-4.1$ id
> uid=59401108(akhimji at corpnonprd.xxxx.com) gid=59401108(
> akhimji at corpnonprd.xxxx.com) groups=59401108(akhimji at corpnonprd.xxxx.com)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> -sh-4.1$ hostname
> didmsvrua01.nix.corpnonprd.xxxx.com

I think processing the PAC failed on this host. The logs of the PAC
responder can be found in /var/log/sssd/sssd_pac.log. How did you log in
to the system: ssh, gdm, or console?

> 
> CLIENT 1:
> after login:
> *id: cannot find name for group ID 59401108*
> -sh-4.1$ hostname
> rhidmclient.nix.corpnonprd.xxxx.com
> -sh-4.1$ id
> uid=59401108(akhimji at corpnonprd.xxxx.com) gid=59401108
> groups=59401108,59400512,59400513,59401123,162200012(mirra-supapp-admin-nix-cde)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

On this host processing of the PAC was successful, i.e. all group
memberships are known, but some group names could not be resolved. Here
/var/log/sssd/sssd_ipa.domain.log has the needed debug output.

bye,
Sumit

> 
> CLIENT 2:(this is the only correct output)
> -sh-4.1$ id
> uid=59401108(akhimji at corpnonprd.xxxx.com) gid=59401108(
> akhimji at corpnonprd.xxxx.com)
> groups=59401108(akhimji at corpnonprd.xxxx.com),59400512(domain
> admins at corpnonprd.xxxx.com),59400513(domain users at corpnonprd.xxxx.com
> ),59401123(mirra-supapp-admin-corp-uat at corpnonprd.xxxx.com),162200012(mirra-supapp-admin-nix-cde)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> -sh-4.1$ hostname
> utkpciu11
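A small triage helper, added here as an example and not part of the thread, that classifies `id` output into the three states Sumit describes (PAC not processed, PAC processed but names unresolved, fully resolved). The sample outputs are reconstructed from the three hosts quoted above, written with `@` where the list archive prints ` at `; they are constructed, not captured from a live system.

```python
import re

# Constructed sample `id` outputs mirroring the three hosts quoted in the thread,
# written with "@" where the list archive prints " at "; not from a live system.
IDM_SERVER = ("uid=59401108(akhimji@corpnonprd.xxxx.com) gid=59401108(akhimji@corpnonprd.xxxx.com) "
              "groups=59401108(akhimji@corpnonprd.xxxx.com) "
              "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
CLIENT_1 = ("uid=59401108(akhimji@corpnonprd.xxxx.com) gid=59401108 "
            "groups=59401108,59400512,59400513,59401123,162200012(mirra-supapp-admin-nix-cde) "
            "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
CLIENT_2 = ("uid=59401108(akhimji@corpnonprd.xxxx.com) gid=59401108(akhimji@corpnonprd.xxxx.com) "
            "groups=59401108(akhimji@corpnonprd.xxxx.com),59400512(domain admins@corpnonprd.xxxx.com),"
            "59400513(domain users@corpnonprd.xxxx.com),"
            "59401123(mirra-supapp-admin-corp-uat@corpnonprd.xxxx.com),162200012(mirra-supapp-admin-nix-cde) "
            "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")

ENTRY = re.compile(r"(\d+)(?:\((.*)\))?")  # "gid" or "gid(name)"

def parse_groups(id_output):
    """Return [(gid, name or None), ...] from the groups= field. Names may contain
    spaces ("domain admins@..."), so cut at the SELinux context, then split on commas."""
    m = re.search(r"\bgroups=(.*?)(?:\s+context=|$)", id_output)
    if not m:
        raise ValueError("no groups= field in id output")
    groups = []
    for entry in m.group(1).split(","):
        em = ENTRY.fullmatch(entry)
        if not em:
            raise ValueError("unparsable group entry: %r" % entry)
        groups.append((int(em.group(1)), em.group(2)))  # name is None if unresolved
    return groups

def triage(id_output):
    """Map `id` output to one of the three states seen in the thread, plus unresolved GIDs."""
    primary_gid = int(re.search(r"\bgid=(\d+)", id_output).group(1))
    groups = parse_groups(id_output)
    unresolved = [gid for gid, name in groups if name is None]
    if [gid for gid, _ in groups] == [primary_gid]:
        # Only the primary group: the MS-PAC was not evaluated on this host,
        # so check /var/log/sssd/sssd_pac.log (the IDM-server case above).
        state = "pac-not-processed"
    elif unresolved:
        # Memberships came from the PAC but name lookups failed: check the IPA
        # domain log Sumit names (the CLIENT 1 case above).
        state = "names-unresolved"
    else:
        state = "resolved"  # the CLIENT 2 case above
    return {"state": state, "unresolved": unresolved}
```

Run `triage` on the output of `id <user>` from each host to see which log to read first.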

