#3844 Warn loudly if tokenGroups is requested, but not returned
Opened 8 months ago by jhrozek. Modified 8 months ago

We've seen some cases where, due to Active Directory hardening, the tokenGroups attribute is not readable.

This results in no supplementary groups being fetched for a user. At the moment, it is quite hard for an admin to debug this issue unless they know what tokenGroups is and what purpose it serves.

We should either:
- warn loudly (SSSDBG_IMPORTANT_INFO) that tokenGroups came back empty
- perhaps even warn to syslog? But probably only once to avoid flooding syslog on each initgroups request
- we could even fall back to non-tokenGroups LDAP crawling. I don't know myself if this is preferable or not: on one hand this would make SSSD work; on the other hand, failing hard and telling the admin which knob to switch might actually enable them to fix the issue better.

Metadata Update from @jhrozek:
- Issue tagged with: easyfix

8 months ago
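The check proposed in the ticket, sketched as an added example (this is not SSSD's code; SSSD is written in C and the names below are stand-ins): an LDAP reply is parsed, and if tokenGroups was requested but came back with no values, a loud per-lookup message is produced and a syslog-style hint only once per process. The DNs and SIDs are constructed test data, the parser is a minimal LDIF reader, and only the attribute name tokenGroups and the debug level SSSDBG_IMPORTANT_INFO come from the ticket.

```python
"""Added example, not SSSD code: inspect a user lookup result for a
tokenGroups attribute that was requested but not returned."""
import base64
import logging
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def sid_bytes(rid: int) -> bytes:
    """Build a binary SID S-1-5-21-1-2-3-<rid> (constructed test data)."""
    subs = [21, 1, 2, 3, rid]
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_to_string(raw: bytes) -> str:
    """Render a binary SID as S-R-A-S1-S2-..., the form admins recognise."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def parse_ldif_entry(text: str) -> Dict[str, List[object]]:
    """Minimal LDIF parser: 'attr: value' is a string, 'attr:: value' is
    base64, as ldapsearch prints binary attributes. Enough for the example."""
    entry: Dict[str, List[object]] = {}
    for line in text.splitlines():
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):
            value: object = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed replies with hypothetical DNs: one where tokenGroups was
# readable, one where hardening left it out of the entry entirely.
LDIF_WITH_TOKENGROUPS = (
    "dn: CN=alice,CN=Users,DC=example,DC=test\n"
    "sAMAccountName: alice\n"
    "tokenGroups:: %s\n"
    "tokenGroups:: %s\n" % (b64(sid_bytes(513)), b64(sid_bytes(1105))))

LDIF_WITHOUT_TOKENGROUPS = (
    "dn: CN=bob,CN=Users,DC=example,DC=test\n"
    "sAMAccountName: bob\n")


@dataclass
class CheckResult:
    status: str                           # "ok", "missing" or "not-requested"
    groups: List[str] = field(default_factory=list)
    debug_message: Optional[str] = None   # loud per-lookup message
    syslog_message: Optional[str] = None  # set only on the first miss


class TokenGroupsCheck:
    """Every lookup that asked for tokenGroups and got nothing back is
    reported at the loud debug level (SSSDBG_IMPORTANT_INFO in SSSD terms);
    the syslog hint is produced once per process to avoid flooding."""

    def __init__(self) -> None:
        self.log = logging.getLogger("tokengroups-check")
        self.syslog_done = False

    def check(self, entry: Dict[str, List[object]],
              requested_attrs: List[str]) -> CheckResult:
        if "tokenGroups" not in requested_attrs:
            return CheckResult("not-requested")
        values = entry.get("tokenGroups", [])
        if values:
            return CheckResult("ok", [sid_to_string(v) for v in values])
        dn = entry.get("dn", ["<unknown dn>"])[0]
        msg = ("tokenGroups was requested for %s but the server returned no "
               "values; no supplementary groups will be resolved. Check that "
               "the account SSSD binds with is allowed to read tokenGroups "
               "on the user object." % dn)
        self.log.error(msg)  # the loud per-lookup debug message
        syslog_msg = None
        if not self.syslog_done:
            self.syslog_done = True
            syslog_msg = msg  # would be the once-only syslog message
        return CheckResult("missing", debug_message=msg,
                           syslog_message=syslog_msg)


if __name__ == "__main__":
    checker = TokenGroupsCheck()
    attrs = ["sAMAccountName", "tokenGroups"]
    for ldif in (LDIF_WITH_TOKENGROUPS, LDIF_WITHOUT_TOKENGROUPS,
                 LDIF_WITHOUT_TOKENGROUPS):
        print(checker.check(parse_ldif_entry(ldif), attrs))
```

Running it shows the resolved group SIDs for the first entry and, for the two lookups of the second entry, a debug message each time but a syslog message only on the first, which is the once-per-process behaviour the ticket asks for.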

We should IMO fail and give a hint in the error message about what needs to be done for SSSD to work, in both debug logs and syslog. I do not like falling back to non-tokengroups mode automatically.

I am actually working on something similar right now for a GPO server side configuration issue. I can fix these two things together.

Metadata Update from @mzidek:
- Issue assigned to mzidek

8 months ago
