Learn more about these different git repos.
Other Git URLs
service sssd stop rm cache_domain* service sssd start getent passwd bkevan bkevan:*:1000:1100:Ben Kevan:/home/bkevan:/bin/bash getent group "Linux Users" Linux Users:*:1100:bkevan id -a bkevan uid=1000(bkevan) gid=1100(Linux Users) groups=1100(Linux Users),0(root),0(root),0(root) However, if I change the order of how I do things: (stop sssd, clear cache, start sssd) getent passwd bkevan bkevan:*:1000:1100:Ben Kevan:/home/bkevan:/bin/bash getent group "Linux Users" Linux Users:*:1100:bkevan getent group "SV.NorCal Linux Admins" SV.NorCal Linux Admins:*:1101:bkevan id -a bkevan uid=1000(bkevan) gid=1100(Linux Users) groups=1100(Linux Users),1101(SV.NorCal Linux Admins),1030644524,1818321519
attachment sssd_global.log.id_after_groupinit_call
attachment sssd_global.log.id_before_groupinit_call
I should note this is my current sssd.conf:
grep -Ev '^#|^$|\;' /etc/sssd/sssd.conf [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss,pam domains = global [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/global] description = LDAP domain with AD server ldap_uri = ldaps://server.domain.com ldap_search_base = dc=domain,dc=com ldap_schema = rfc2307bis enumerate = False ldap_id_use_start_tls = True ldap_tls_cacertdir = /etc/openldap/cacerts/ ldap_tls_reqcert = demand id_provider = ldap chpass_provider = ldap auth_provider = ldap min_id = 1000 ldap_default_bind_dn = ldapbinddn@domain.com ldap_default_authtok_type = password ldap_default_authtok = <password> ldap_user_object_class = user ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName ldap_group_object_class = group ldap_force_upper_case_realm = True
_comment0: I should note this is my current sssd.conf: grep -Ev '^#|^$|\;' /etc/sssd/sssd.conf [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss,pam domains = global [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/global] description = LDAP domain with AD server ldap_uri = ldaps://server.domain.com ldap_search_base = dc=domain,dc=com ldap_schema = rfc2307bis enumerate = False ldap_id_use_start_tls = True ldap_tls_cacertdir = /etc/openldap/cacerts/ ldap_tls_reqcert = demand id_provider = ldap chpass_provider = ldap auth_provider = ldap min_id = 1000 ldap_default_bind_dn = ldapbinddn@domain.com ldap_default_authtok_type = password ldap_default_authtok = <password> ldap_user_object_class = user ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName ldap_group_object_class = group ldap_force_upper_case_realm = True => 1333644904353327
Fields changed
description: service sssd stop rm cache_domain* service sssd start
getent passwd bkevan bkevan:*:1000:1100:Ben Kevan:/home/bkevan:/bin/bash
getent group "Linux Users" Linux Users:*:1100:bkevan
id -a bkevan uid=1000(bkevan) gid=1100(Linux Users) groups=1100(Linux Users),0(root),0(root),0(root)
However, if I change the order of how I do things: (stop sssd, clear cache, start sssd) getent passwd bkevan bkevan:*:1000:1100:Ben Kevan:/home/bkevan:/bin/bash
getent group "SV.NorCal Linux Admins" SV.NorCal Linux Admins:*:1101:bkevan
id -a bkevan uid=1000(bkevan) gid=1100(Linux Users) groups=1100(Linux Users),1101(SV.NorCal Linux Admins),1030644524,1818321519
=> {{{ service sssd stop rm cache_domain* service sssd start
}}}
Would it be possible for you to try this with SSSD 1.8.1? We've made a lot of changes to the initgroups support in 1.6, 1.7 and 1.8 and I strongly suspect that this issue no longer exists in the current code.
I can't tell from the logs what specifically is misbehaving here, unfortunately. The only noteworthy piece is this:
(Thu Apr 5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(gidNumber=6737776)(objectclass=group)(cn=*)(gidNumber=*))][dc=domain,dc=com]. (Thu Apr 5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Thu Apr 5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Thu Apr 5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Thu Apr 5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Thu Apr 5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Thu Apr 5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Thu Apr 5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Thu Apr 5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [uSNChanged] (Thu Apr 5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_done] (7): Total count [0] (Thu Apr 5 08:34:32 2012) [sssd[be[global]]] [sdap_get_groups_process] (6): Search for groups, returned 0 results.
That's coming back to us directly from LDAP. The LDAP server is saying that a search with the filter:
(&(gidNumber=6737776)(objectclass=group)(cn=*)(gidNumber=*))
does not find a group with that ID in the base
dc=domain,dc=com
This is fixed in the current upstream releases. Upstream currently has no plans to attempt to backport these fixes, as we largely rewrote the underlying code since 1.5.x. Please recommend that your distribution upgrades to the latest LTM release (1.8.2 at the time of this writing).
resolution: => fixed status: new => closed
rhbz: => 0
Metadata Update from @benkevan: - Issue set to the milestone: NEEDS_TRIAGE
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2334
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.