[Freeipa-users] Possible bug in SSSD/IPA/AD trust

Troels Hansen th at casalogic.dk
Thu Aug 11 13:11:10 UTC 2016


Hi, we are currently working on a larger IPA test project and I have a problem which has been bugging me for some time now: 


On the client we have set "full_name_format = %1$s" to have users presented without the AD domain part. 
However, this seems to make SSSD not look up a user's group membership? 

sssd.conf from server: 

[domain/linux.dr.dk] 

cache_credentials = True 
# krb5_store_password_if_offline = True 
ipa_domain = linux.dr.dk 
id_provider = ipa 
auth_provider = ipa 
access_provider = ipa 
ipa_hostname = ipa01tst.linux.dr.dk 
chpass_provider = ipa 
ipa_server = ipa01tst.linux.dr.dk 
ipa_server_mode = True 
ldap_tls_cacert = /etc/ipa/ca.crt 

# Bugfix untill RHEL 7.3 arrives 
# http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html 
ldap_user_principal = nosuchattr 

ignore_group_members = True 
ldap_purge_cache_timeout = 0 
subdomain_inherit = ldap_user_principal, ignore_group_members, ldap_purge_cache_timeout 

debug_level=3 

# Added to list users faster, e.g. id jly@net.dr.dk 
ldap_use_tokengroups = True 
ldap_id_mapping = True 

[sssd] 
services = nss, sudo, pam, ssh 
config_file_version = 2 
domains = linux.dr.dk 
default_domain_suffix = NET.DR.DK 

[nss] 
memcache_timeout = 600 
homedir_substring = /home 

[pam] 
[sudo] 
[autofs] 
[ssh] 
[pac] 
[ifp] 



sssd.conf from client: 

[domain/linux.dr.dk] 

cache_credentials = True 
krb5_store_password_if_offline = True 
ipa_domain = linux.dr.dk 
id_provider = ipa 
auth_provider = ipa 
access_provider = ipa 
ipa_hostname = rhel01udv.linux.dr.dk 
chpass_provider = ipa 
ipa_server = ipa01tst.linux.dr.dk 
ldap_tls_cacert = /etc/ipa/ca.crt 

debug_level=5 

[sssd] 
services = nss, sudo, pam, ssh 
config_file_version = 2 
domains = linux.dr.dk 
default_domain_suffix = NET.DR.DK 
# full_name_format = %1$s 

[nss] 
homedir_substring = /home 

[pam] 
[sudo] 
[autofs] 
[ssh] 
[pac] 
[ifp] 


With "full_name_format" commented out on the client I get the full list of groups for a user: 

# sss_cache -E && rm -f /var/lib/sss/db/* && systemctl restart sssd 
# getent passwd drextrha@net.dr.dk 
drextrha@net.dr.dk:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha: 

# id drextrha@net.dr.dk 
gives full groups list 


If I enable the "full_name_format" parameter I get: 

Clear cache. 
# sss_cache -E && rm -f /var/lib/sss/db/* && systemctl restart sssd 

# getent passwd drextrha@net.dr.dk 
drextrha:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha: 

but: 
# id drextrha@net.dr.dk 
uid=1349938498(drextrha) gid=1349938498(drextrha) groups=1349938498(drextrha),10012(ad_admins) 

only gives my primary group and a single IPA group 

Everything running RHEL 7.2, sssd 1.13.0-40.el7_2.12 

Am I doing something wrong? 
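As an added diagnostic helper (not part of the original post, and not code from the SSSD or FreeIPA projects), the following script does two things a reader troubleshooting the symptom above would want: it parses an sssd.conf and flags a full_name_format that contains no domain component (%2$s or %3$s) while default_domain_suffix points unqualified names at a trusted domain, and it parses the output of two `id` runs and reports which groups disappeared between them. The sample sssd.conf is a constructed copy of the client configuration quoted above with full_name_format enabled; the "before" `id` line is constructed, since the full group list is not shown in the post, and the "after" line is the one quoted. The mapping of %2$s/%3$s to the domain name and flat name is an assumption drawn from sssd.conf(5), not something the post states.

```python
"""Added diagnostic helper around the symptom in the post (example code).

  1. parse sssd.conf and flag a full_name_format that drops the domain part
     while default_domain_suffix routes unqualified names to a trusted domain;
  2. parse the output of two `id user` runs and report the groups that vanished.

All sample data below is constructed for this example.
"""
import configparser
import re

# Constructed: the client sssd.conf from the post with full_name_format enabled.
SAMPLE_SSSD_CONF = """\
[domain/linux.dr.dk]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = linux.dr.dk
ipa_hostname = rhel01udv.linux.dr.dk
ipa_server = ipa01tst.linux.dr.dk
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level=5

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linux.dr.dk
default_domain_suffix = NET.DR.DK
full_name_format = %1$s

[nss]
homedir_substring = /home
"""

# Constructed baseline: the full group list is not shown in the post.
ID_BEFORE = ("uid=1349938498(drextrha) gid=1349938498(drextrha) "
             "groups=1349938498(drextrha),10012(ad_admins),"
             "1349938500(domain users),1349938777(linux-admins)")
# The `id` output quoted in the post after enabling full_name_format = %1$s.
ID_AFTER = ("uid=1349938498(drextrha) gid=1349938498(drextrha) "
            "groups=1349938498(drextrha),10012(ad_admins)")


def parse_sssd_conf(text):
    """Parse sssd.conf text. Interpolation is disabled because values such as
    full_name_format = %1$s use printf-style placeholders, not configparser's."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_full_name_format(cp):
    """Return a list of warning strings about full_name_format.

    Assumption (from sssd.conf(5), not from the post): %2$s and %3$s are the
    domain name and flat name placeholders, so a format containing neither
    produces names that carry no domain information.
    """
    findings = []
    if not cp.has_section("sssd"):
        return findings
    sssd = cp["sssd"]
    fmt = sssd.get("full_name_format")
    if fmt is None:
        return findings
    if "%2$s" in fmt or "%3$s" in fmt:
        return findings
    suffix = sssd.get("default_domain_suffix")
    if suffix:
        findings.append(
            f"full_name_format={fmt!r} drops the domain component while "
            f"default_domain_suffix={suffix!r} sends unqualified names to a "
            f"trusted domain; trusted-domain users may show incomplete groups")
    else:
        findings.append(f"full_name_format={fmt!r} drops the domain component")
    return findings


# uid=N(name) gid=N(name) groups=N(name),N(name)... [context=... on SELinux]
_ID_LINE_RE = re.compile(
    r"uid=(\d+)\([^)]*\)\s+gid=(\d+)\([^)]*\)\s+groups=(.*?)(?:\s+context=.*)?$")
_GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_output(line):
    """Turn one line of `id` output into (uid, gid, {gid: name, ...}).
    Group names may contain spaces (AD's 'domain users'), so the groups field
    is matched as a whole rather than split on whitespace."""
    m = _ID_LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised id output: {line!r}")
    groups = {int(n): name for n, name in _GROUP_RE.findall(m.group(3))}
    return int(m.group(1)), int(m.group(2)), groups


def missing_groups(before_line, after_line):
    """Groups present in the first `id` run but absent from the second,
    keyed by GID so a renamed group is still reported."""
    _, _, before = parse_id_output(before_line)
    _, _, after = parse_id_output(after_line)
    return {g: before[g] for g in sorted(before.keys() - after.keys())}


if __name__ == "__main__":
    for finding in check_full_name_format(parse_sssd_conf(SAMPLE_SSSD_CONF)):
        print("WARNING:", finding)
    print("groups lost:", missing_groups(ID_BEFORE, ID_AFTER))
```

To use it against a real host, replace SAMPLE_SSSD_CONF with the contents of /etc/sssd/sssd.conf and feed `missing_groups` the `id` output captured before and after the configuration change (each run after clearing the cache as the post does).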
