#4013 Files domain prevents local group membership of a remote user from working
Opened 9 months ago by flip. Modified 4 months ago

I have a fedora 30 machine that i've added to an Active Directory domain.
I log in with my AD user account and this works fine.
However I have added my AD user to the (local) wheel group and this doesn't seem to work properly.

I asked around #fedora and #sssd on freenode and was told to open an issue here.

I'm using mostly the fedora 30 defaults for this setup. I've enabled enumerate, disabled use_fully_qualified_names and enabled ignore_group_members.

getent group wheel displays my AD user if I have just restarted sssd; however, after a while this stops.

Let me know if I need to provide more information.

$ # my AD account doesn't show up
$ getent group wheel
wheel:x:10:otheraccount
$ sudo service sssd restart
[sudo] password for aduseraccount:
Redirecting to /bin/systemctl restart sssd.service
$ getent group wheel
wheel:x:10:otheraccount,aduseraccount
$ getent group wheel
wheel:x:10:localusername
$ id adusername
uid=895005949(adusername) gid=895000513(domainusers) groups=895000513(domainusers),...,10(wheel)
$ getent group -s sss wheel
wheel:x:10:localusername
$ getent group -s files wheel
wheel:x:10:localusername,adusername
$ SSS_NSS_USE_MEMCACHE=NO getent group -s sss wheel
wheel:x:10:localusername

$ sudo service sssd restart
[sudo] password for adusername:
$ getent group -s sss wheel
wheel:x:10:localusername,adusername


$ # I have reduced the output below to the parts that seem relevant
$ tail -f /var/log/sssd/sssd_nss.log
(Wed May 22 08:09:35 2019) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Wed May 22 08:09:35 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed May 22 08:09:35 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_send] (0x0400): CR #436: New request 'Enumerate groups'
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #436: Performing a multi-domain search
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #436: Search will bypass the cache and check the data provider
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_validate_domain_enumeration] (0x0400): CR #436: Domain implicit_files does not support enumeration, skipping...
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_validate_domain_enumeration] (0x0400): CR #436: Enumeration requested but not enabled
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_validate_domain_enumeration] (0x0400): CR #436: Domain internal.domain.com supports enumeration
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #436: Using domain [internal.domain.com]
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #436: Looking up Groups enumeration
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #436: Looking up [Groups enumeration] in data provider
(Wed May 22 08:09:35 2019) [sssd[nss]] [sss_dp_get_account_send] (0x0400): Creating request for [internal.domain.com][0x2][BE_REQ_GROUP][*:-]
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #436: Looking up [Groups enumeration] in cache
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #436: Filtering out results by negative cache
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_search_done] (0x0400): CR #436: Returning updated object [Groups enumeration]
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #436: Found 349 entries in domain internal.domain.com
(Wed May 22 08:09:35 2019) [sssd[nss]] [cache_req_done] (0x0400): CR #436: Finished: Success
$ sudo cat /etc/sssd/sssd.conf
[nss]
debug_level=6

[sssd]
domains = internal.domain.com
config_file_version = 2
services = nss, pam

[domain/internal.domain.com]
enumerate = True
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = INTERNAL.DOMAIN.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = internal.domain.com
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
simple_allow_users = adusername
ignore_group_members = True



$ sudo cat /etc/nsswitch.conf | grep -v "^#"

passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files


sudoers:    files

shadow:     files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
hosts:      files dns myhostname

aliases:    files nisplus
bootparams: nisplus [NOTFOUND=return] files
publickey:  nisplus



$ sudo authselect check
Current configuration is valid.
$ sudo authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir

Hi,

does it work more reliably if you set enable_files_domain = False in the [sssd] section of sssd.conf?

bye,
Sumit

Hi,

This seems to have helped.
I'll check to ensure I haven't made any other changes, but so far it seems okay.

I did have one issue where I couldn't log in to my computer after sleep mode; it just wouldn't accept my password (probably because the VPN/connection to the AD was down, and there was no cache for some reason?), but I'm not sure if it's related to this.

Actually this just happened again. I logged out and was definitely still connected to VPN, but couldn't log back in. I'll see if it's related to this setting or not.

This seems to happen even with enable_files_domain omitted from the config, so I doubt my login issues are related.

I think enable_files_domain solved the issue, but I'll try some more to see if I can break it.

Okay, I think GDM couldn't log me in if I had restarted SSSD or something. Not related to this anyway.

enable_files_domain seems to have solved the issue.
I'm happy, so I'll close this issue unless this is not the intended behaviour of sssd?

enable_files_domain might have worked, but it had the unwanted side effect of overriding my local account with a user account with the same name from the Active Directory, which meant I could not log in on that account.

I have been using the original workaround suggested to me in IRC (edit nsswitch.conf to make sure files overrides sssd for group); this has been working for me without issues.

For me, I'm happy with the workaround, so I can close this issue unless this is to be treated as a bug and you want to keep this open?
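The nsswitch.conf workaround described in the comment above, as an added example script (not code from the ticket, from SSSD or from authselect). It moves the files source ahead of sss for the group database only and leaves passwd alone, so the AD user still resolves as before. Two caveats a practitioner needs: on an authselect-managed host like this one, /etc/nsswitch.conf is generated from the selected profile, so the edit belongs in /etc/authselect/user-nsswitch.conf followed by `authselect apply-changes`, otherwise the next `authselect select` regenerates the file and drops the change; and first-match then cuts the other way, so a local group whose name also exists in AD hides the AD members from `getent group` (while `id` still merges both sources). The sample nsswitch lines in demo() are constructed; hidden_members() is the one function that needs a live host with SSSD and getent and is therefore not called at top level.

```shell
#!/bin/sh
# Added example for the nsswitch.conf workaround from this ticket; not SSSD,
# authselect or glibc code. demo() works on a constructed temp file so the
# script runs offline; hidden_members() needs a live host with getent + SSSD.

# Put the files source ahead of sss for the group database only, so that a
# membership added to /etc/group is what `getent group <name>` returns.
# $1: path of the nsswitch file to rewrite (edited in place via a temp copy).
reorder_group_sources() {
    _f=$1
    _tmp=$(mktemp) || return 1
    sed -E 's/^(group:[[:space:]]+)sss([[:space:]]+)files/\1files\2sss/' "$_f" > "$_tmp" \
        && mv "$_tmp" "$_f"
}

# Print the ordered source list of the group database, e.g. "files sss systemd".
group_sources() {
    sed -n -E 's/^group:[[:space:]]+//p' "$1"
}

# Print the ordered source list of the passwd database (must stay untouched).
passwd_sources() {
    sed -n -E 's/^passwd:[[:space:]]+//p' "$1"
}

# On a live host: list members of group $1 that one source reports but the
# merged lookup (first source wins) hides. This is the ticket's symptom:
# `getent group wheel` lacks the AD user although `getent group -s files wheel`
# and `id` both show the membership.
hidden_members() {
    _grp=$1
    _merged=$(getent group "$_grp" | cut -d: -f4 | tr ',' '\n')
    for _src in files sss; do
        getent group -s "$_src" "$_grp" | cut -d: -f4 | tr ',' '\n' |
        while read -r _m; do
            [ -n "$_m" ] || continue
            printf '%s\n' "$_merged" | grep -qx -- "$_m" ||
                printf '%s: listed by source %s but hidden by lookup order\n' "$_m" "$_src"
        done
    done
}

# Offline demonstration on a constructed copy of the Fedora default lines.
demo() {
    _conf=$(mktemp) || exit 1
    printf 'passwd:     sss files systemd\ngroup:      sss files systemd\nnetgroup:   sss files\n' > "$_conf"
    echo "before: group: $(group_sources "$_conf")"
    reorder_group_sources "$_conf"
    echo "after:  group: $(group_sources "$_conf")  passwd: $(passwd_sources "$_conf")"
    rm -f "$_conf"
}

demo
```

After applying the change on a real host, run `authselect check` and then `getent group wheel` and `id <aduser>` side by side; the two should now agree on the wheel membership.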

Hi,

thanks for the feedback, glad it is working for you now.

@jhrozek, do we want to keep this ticket to track the missing group merging or is there already another ticket for this?

bye,
Sumit

We have a Red Hat Bugzilla, but I don't see any ticket there. We might as well use this one. Although the bug talks about the other way around (local user with LDAP membership), I suspect the root cause would be the same.
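A small model of the lookup semantics behind this thread, added here as an example; it is not SSSD or glibc code. It reproduces the original report (the AD user present in `id` but absent from `getent group wheel`), Sumit's enable_files_domain = False suggestion, flip's observation that an AD account then shadows a local account of the same name, and the missing group merging mentioned in the comment above. Assumptions: all users, groups and ids are constructed; the sss source with the files domain enabled is modelled as mirroring /etc/group but keeping only members it can resolve as local users, which is what the `getent group -s sss wheel` output in the report shows. The first-match rule for getgrnam/getpwnam and the union rule for initgroups are glibc's actual NSS behaviour, which is why `id` and `getent group` disagree.

```python
"""Model of glibc NSS resolution across the sources listed in nsswitch.conf.
Added example for this SSSD ticket; not SSSD or glibc code. All data is
constructed. Modelled behaviours: getgrnam()/getpwnam() (behind `getent`)
stop at the first source that answers, initgroups() (behind `id`) unions
every source; the sss source with the implicit files domain mirrors
/etc/group but keeps only members resolvable as local users (assumption
taken from the ticket's `getent group -s sss wheel` output)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int


@dataclass(frozen=True)
class Group:
    name: str
    gid: int
    members: tuple


# Constructed /etc/passwd and /etc/group content (the "files" source).
LOCAL_USERS = {"localusername": User("localusername", 1000, 1000),
               "admin": User("admin", 1001, 1001)}
LOCAL_GROUPS = {"wheel": Group("wheel", 10, ("localusername", "adusername"))}

# Constructed AD content served through the SSSD ad id_provider.
AD_USERS = {"adusername": User("adusername", 895005949, 895000513),
            "admin": User("admin", 895001234, 895000513)}  # collides with local "admin"
AD_GROUPS = {"domainusers": Group("domainusers", 895000513, ("adusername", "admin"))}


class FilesSource:
    """glibc files module: plain string matching on /etc/passwd and /etc/group."""

    def getpwnam(self, name):
        return LOCAL_USERS.get(name)

    def getgrnam(self, name):
        return LOCAL_GROUPS.get(name)

    def initgroups(self, user):
        # Any /etc/group line naming the user counts, whether the user is local or not.
        return {g.gid for g in LOCAL_GROUPS.values() if user in g.members}


class SssSource:
    """Approximation of SSSD's NSS responder for one AD domain."""

    def __init__(self, enable_files_domain):
        self.files_domain = enable_files_domain

    def _implicit_files_group(self, name):
        g = LOCAL_GROUPS.get(name)
        if g is None:
            return None
        # Assumption from the ticket: non-local members are dropped from the mirrored group.
        return Group(g.name, g.gid, tuple(m for m in g.members if m in LOCAL_USERS))

    def getpwnam(self, name):
        if self.files_domain and name in LOCAL_USERS:
            return LOCAL_USERS[name]  # implicit_files is searched before the AD domain
        return AD_USERS.get(name)

    def getgrnam(self, name):
        if self.files_domain:
            g = self._implicit_files_group(name)
            if g is not None:
                return g
        return AD_GROUPS.get(name)

    def initgroups(self, user):
        gids = {g.gid for g in AD_GROUPS.values() if user in g.members}
        if self.files_domain and user in LOCAL_USERS:
            gids |= {g.gid for g in LOCAL_GROUPS.values() if user in g.members}
        return gids


def build_sources(nsswitch_order, enable_files_domain=True):
    """nsswitch_order is the source list of one nsswitch.conf line, e.g. 'sss files'."""
    table = {"files": FilesSource(), "sss": SssSource(enable_files_domain)}
    return [table[s] for s in nsswitch_order.split()]


def getgrnam(sources, name):
    """`getent group NAME`: first source with an entry wins; the rest are never asked."""
    return next((g for g in (s.getgrnam(name) for s in sources) if g is not None), None)


def getpwnam(sources, name):
    """`getent passwd NAME`: same first-match rule."""
    return next((u for u in (s.getpwnam(name) for s in sources) if u is not None), None)


def initgroups(sources, user):
    """`id USER` supplementary groups: union of what every source reports."""
    return set().union(*(s.initgroups(user) for s in sources))


if __name__ == "__main__":
    for order, files_dom in (("sss files", True), ("files sss", True), ("sss files", False)):
        src = build_sources(order, files_dom)
        print(f"group: {order:<10} enable_files_domain={files_dom!s:<5} "
              f"wheel={getgrnam(src, 'wheel').members} "
              f"id adusername has wheel={10 in initgroups(src, 'adusername')} "
              f"getpwnam('admin').uid={getpwnam(src, 'admin').uid}")
```

The three runs show why each step in the thread behaved as it did: with the Fedora default `sss files` the AD user is in `id` but not in `getent group wheel`; reordering to `files sss` fixes the by-name lookup; disabling the files domain also fixes it, but then the AD `admin` shadows the local `admin` in `getent passwd`, which is the side effect flip hit.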

Metadata Update from @jhrozek:
- Issue tagged with: bug

8 months ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1652562

8 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.2

8 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.3 (was: SSSD 2.2)

8 months ago
  • master
    • b32347d - ldap: do not store empty attribute with ldap_rfc2307_fallback_to_local_users = true
