SSSD looks up SIDs from AD, even when ldap_schema = 2307bis
This happens at logon through SSH. It looks up the SIDs of the groups the user belongs to. However, when set to POSIX mode (ldap_schema = 2307bis), these are of course not resolvable and therefore should not be looked up in this manner.
This causes a lot of debug output in the logs ...
(Thu Jan 7 11:45:29 2016) [sssd[be[domain.com]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Thu Jan 7 11:46:12 2016) [sssd[be[domain.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
(Thu Jan 7 11:46:12 2016) [sssd[be[domain.com]]] [sdap_ad_resolve_sids_done] (0x0020): Unable to resolve SID S-1-5-21-2733351624-2236147846-3062692083-513 - will try next sid.
(Thu Jan 7 11:51:30 2016) [sssd[be[domain.com]]] [sdap_fill_memberships] (0x0080): Member [CN=Domain Admins,CN=Users,DC=domain,DC=com] was not found in cache. Is it out of scope?
(Thu Jan 7 11:51:30 2016) [sssd[be[domain.com]]] [sdap_fill_memberships] (0x0080): Member [CN=Domain Admins,CN=Users,DC=domain,DC=com] was not found in cache. Is it out of scope?
Attached file: sssd.conf
Why do you use id_provider=ad but then manually override the schema to rfc2307bis? The default is ad. Setting to POSIX mode is achieved through ldap_id_mapping = False.
The ad id provider works best with the defaults, I think you can just remove most of the ldap fine-tuning.
I think you can simplify your config to look like this:
[domain/domain.com]
debug_level = 3

# AD settings
id_provider = ad
ad_server = dc01.domain.com, dc02.domain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
krb5_store_password_if_offline = True
ldap_id_mapping = False
use_fully_qualified_names = False

# sudo settings
sudo_provider = ad

# autofs settings
# ad autofs_provider not supported yet!
# Ad provider is supported in the recent releases, uncomment if running an old version
#autofs_provider = ldap
#ldap_autofs_search_base=ou=automount,dc=domain,dc=com
#ldap_autofs_map_object_class=nisMap
#ldap_autofs_entry_object_class=nisObject
#ldap_autofs_map_name=nisMapName
#ldap_autofs_entry_key=cn
#ldap_autofs_entry_value=nisMapEntry
#ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = hostname$@DOMAIN.COM

# shell settings
default_shell = /bin/bash
allowed_shells = /bin/sh,/bin/bash,/bin/zsh,/bin/fish,/bin/ksh,
vetoed_shells = /bin/csh,/bin/tcsh
shell_fallback = /bin/bash

# homedir settings
fallback_homedir = /home/users/%u
If, for whatever reason, you need the low-level settings, please also disable tokenGroups:
ldap_use_tokengroups = False
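The two points made in the reply (an explicit ldap_schema is redundant with id_provider = ad, and if you keep the low-level LDAP settings anyway you should also set ldap_use_tokengroups = False) can be checked mechanically before rolling a config out to a fleet of AD-joined hosts. The following linter is an added example written for this page, not SSSD's own tooling; the two sample configs it embeds are constructed to resemble the reporter's setup and the simplified config above, and the sample domain names are placeholders.

```python
"""Lint sssd.conf domain sections for the AD-provider schema/tokengroups mismatch.

Added example, not part of SSSD. It reads the file with configparser and
flags the two misconfigurations discussed in this ticket.
"""
import configparser
from typing import Dict, List

# Constructed sample resembling the reporter's config: AD provider plus a
# manual schema override and no ldap_use_tokengroups setting.
REPORTER_CONF = """
[sssd]
domains = domain.com
services = nss, pam, ssh

[domain/domain.com]
id_provider = ad
ad_server = dc01.domain.com
ldap_schema = rfc2307bis
ldap_id_mapping = False
fallback_homedir = /home/users/%u
"""

# Constructed sample resembling the simplified config suggested in the reply.
SUGGESTED_CONF = """
[sssd]
domains = domain.com

[domain/domain.com]
id_provider = ad
ad_server = dc01.domain.com, dc02.domain.com
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/users/%u
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # interpolation=None: sssd.conf uses %u/%d templates, which the default
    # BasicInterpolation would otherwise reject.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def lint_domain(section: configparser.SectionProxy) -> List[str]:
    """Return findings for one [domain/...] section; empty list means clean."""
    findings: List[str] = []
    if section.get("id_provider", "").strip().lower() != "ad":
        return findings  # rules below only apply to the AD provider

    schema_overridden = "ldap_schema" in section
    if schema_overridden:
        findings.append(
            f"ldap_schema = {section['ldap_schema']} overrides the ad provider's "
            "default schema; remove it and use ldap_id_mapping = False for POSIX IDs"
        )

    # With low-level LDAP settings kept, tokenGroups (default on) still
    # triggers SID resolution; the reply asks for it to be disabled.
    if schema_overridden and _is_true(section.get("ldap_use_tokengroups", "True")):
        findings.append(
            "ldap_use_tokengroups is enabled alongside a manual ldap_schema; "
            "set ldap_use_tokengroups = False to stop SID lookups"
        )
    return findings


def lint(text: str) -> Dict[str, List[str]]:
    """Map each offending domain section name to its list of findings."""
    cp = parse_sssd_conf(text)
    results: Dict[str, List[str]] = {}
    for name in cp.sections():
        if name.startswith("domain/"):
            found = lint_domain(cp[name])
            if found:
                results[name] = found
    return results


if __name__ == "__main__":
    for label, conf in (("reporter", REPORTER_CONF), ("suggested", SUGGESTED_CONF)):
        print(label, lint(conf) or "clean")
```

Run it against a real file with `lint(open("/etc/sssd/sssd.conf").read())`; a clean result means the section either does not use id_provider = ad or has no schema override left to conflict with tokenGroups.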
I hope this bug was resolved by the previous comment -- if not, please reopen.
resolution: => worksforme
status: new => closed
Metadata Update from @aairey: - Issue set to the milestone: NEEDS_TRIAGE
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3955
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.