#3844 Warn loudly if tokenGroups is requested, but not returned
Closed: cloned-to-github 6 months ago by pbrezina. Opened 2 years ago by jhrozek.

We've seen some cases where, due to Active Directory hardening, the tokenGroups attribute is not readable.

This results in no supplementary groups being fetched for a user. At the moment, it is quite hard for an admin to debug this issue unless they know what tokenGroups is and what purpose it servers.

We should either:
- warn loudly (SSSDBG_IMPORTANT_INFO) that tokenGroups came back empty
- perhaps even warn to syslog? But probably only once to avoid flooding syslog on each initgroups request
- we could even fall back to non-tokenGroups LDAP crawling. I don't know myself if this is preferable or not, on one hand this would make SSSD work, on the other hand, failing hard and telling the admin which knob to switch might actually enable them better to fix the issue.

Metadata Update from @jhrozek:
- Issue tagged with: easyfix

2 years ago

We should IMO fail and give hint in error message what needs to be done for SSSD to work in both debug logs and syslog. I do not like falling back to non-tokengroups mode automatically.

I am actually working on something similar right now for a GPO server side configuration issue. I can fix these two things together.

Metadata Update from @mzidek:
- Issue assigned to mzidek

2 years ago

Metadata Update from @pbrezina:
- Issue tagged with: Future milestone

8 months ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4838

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

6 months ago

Login to comment on this ticket.