[Freeipa-users] Possible bug in SSSD/IPA/AD trust
Troels Hansen
th at casalogic.dk
Thu Aug 11 13:11:10 UTC 2016
Hi, we are currently working on a larger IPA test project and I have a problem which has been bugging me for some time now:
On the client we have set "full_name_format = %1$s" to have users presented without the AD domain part.
However, this seems to make SSSD not look up a user's group membership?
sssd.conf from server:
[domain/linux.dr.dk]
cache_credentials = True
# krb5_store_password_if_offline = True
ipa_domain = linux.dr.dk
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa01tst.linux.dr.dk
chpass_provider = ipa
ipa_server = ipa01tst.linux.dr.dk
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
# Bugfix untill RHEL 7.3 arrives
# http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html
ldap_user_principal = nosuchattr
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ldap_user_principal, ignore_group_members, ldap_purge_cache_timeout
debug_level=3
# Added to list users faster eg id jly@net.dr.dk
ldap_use_tokengroups = True
ldap_id_mapping = True
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linux.dr.dk
default_domain_suffix = NET.DR.DK
[nss]
memcache_timeout = 600
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
sssd.conf from client:
[domain/linux.dr.dk]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.dr.dk
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel01udv.linux.dr.dk
chpass_provider = ipa
ipa_server = ipa01tst.linux.dr.dk
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level=5
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linux.dr.dk
default_domain_suffix = NET.DR.DK
# full_name_format = %1$s
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
With "full_name_format" commented out on the client I get the full list of groups for a user:
# sss_cache -E && rm -f /var/lib/sss/db/* && systemctl restart sssd
# getent passwd drextrha@net.dr.dk
drextrha@net.dr.dk:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha:
# id drextrha@net.dr.dk
gives the full group list
If I enable the "full_name_format" parameter I get:
Clear cache.
# sss_cache -E && rm -f /var/lib/sss/db/* && systemctl restart sssd
# getent passwd drextrha@net.dr.dk
drextrha:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha:
but:
# id drextrha@net.dr.dk
uid=1349938498(drextrha) gid=1349938498(drextrha) groups=1349938498(drextrha),10012(ad_admins)
only gives my primary group and a single IPA group
Everything is running RHEL 7.2, sssd 1.13.0-40.el7_2.12
Am I doing something wrong?
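Added example (not from the post above and not SSSD's own code): a small reimplementation of how SSSD expands the full_name_format template, plus a parser for `id` output so the two runs in the post can be compared mechanically. SSSD documents %1$s as the user name, %2$s as the domain name and %3$s as the domain's flat (NetBIOS) name, with "%1$s@%2$s" as the default. The point the example makes is that "%1$s" drops the domain qualifier entirely, so a user name that exists in more than one domain of the trust renders to the same string. The post does not establish why the group list changes, and this example does not claim to; it only shows what the setting does to names. The sample users, the flat names "NET" and "LINUX", and the function names are constructed for this example; the `id` line is the one quoted in the post.

```python
import re

# Positional printf-style fields understood by SSSD's full_name_format:
# %1$s = user name, %2$s = domain name, %3$s = domain flat (NetBIOS) name.
# This is an illustrative reimplementation, not SSSD's own formatter.
_FMT_FIELD = re.compile(r"%(\d)\$s")

def expand_full_name(fmt, user, domain, flat_name):
    """Expand an SSSD full_name_format template for a single user."""
    fields = {1: user, 2: domain, 3: flat_name}

    def _sub(match):
        idx = int(match.group(1))
        if idx not in fields:
            raise ValueError("unsupported positional field %%%d$s" % idx)
        return fields[idx]

    return _FMT_FIELD.sub(_sub, fmt)

def rendered_names(fmt, users):
    """Map (user, domain, flat) tuples through fmt.

    Returns {rendered_name: [user@domain, ...]} so that several qualified
    users collapsing onto one rendered string become visible.
    """
    out = {}
    for user, domain, flat in users:
        rendered = expand_full_name(fmt, user, domain, flat)
        out.setdefault(rendered, []).append("%s@%s" % (user, domain))
    return out

def colliding_names(fmt, users):
    """Only the rendered names that more than one qualified user maps to."""
    return {k: v for k, v in rendered_names(fmt, users).items() if len(v) > 1}

# Parse the "groups=gid(name),gid(name)" tail of `id` output.
_ID_GROUPS = re.compile(r"groups=(.*)$")
_ID_GROUP = re.compile(r"(\d+)\(([^)]*)\)")

def groups_from_id_output(line):
    """Return the group names listed on one line of `id` output."""
    match = _ID_GROUPS.search(line.strip())
    if not match:
        return []
    return [name for _gid, name in _ID_GROUP.findall(match.group(1))]

# Constructed sample: the same short user name in the AD subdomain and in
# the IPA domain. Flat names "NET"/"LINUX" are assumptions, not from the post.
SAMPLE_USERS = [
    ("drextrha", "net.dr.dk", "NET"),
    ("drextrha", "linux.dr.dk", "LINUX"),
    ("jly", "net.dr.dk", "NET"),
]

# The `id` line quoted in the post (the run with full_name_format = %1$s).
ID_OUTPUT_SHORT_FORMAT = (
    "uid=1349938498(drextrha) gid=1349938498(drextrha) "
    "groups=1349938498(drextrha),10012(ad_admins)"
)

if __name__ == "__main__":
    for fmt in ("%1$s@%2$s", "%1$s", "%3$s\\%1$s"):
        print("%-12s -> %s" % (fmt, rendered_names(fmt, SAMPLE_USERS)))
    print("collisions under %1$s:", colliding_names("%1$s", SAMPLE_USERS))
    print("groups seen:", groups_from_id_output(ID_OUTPUT_SHORT_FORMAT))
```

Run it once with the default template and once with "%1$s": under the default every user keeps a distinct "user@domain" string, while under "%1$s" the two "drextrha" entries from different domains render identically. The `id` parser returns exactly the two groups the post shows for the short-format run, which makes it easy to diff against the output of the run with the option commented out.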