#4151 id shows only primary group for some users, but ldapsearch show all groups
Closed: Fixed a year ago by emersonux. Opened a year ago by emersonux.

I have all Linux servers joined to the AD domain. But we noticed that when a user is added to a group after the user was created on AD, the group does not show in the id command.

In our environment we filter access by the CORP_SERVER_ADMINS group. We need to solve this to manage access.
SSSD version 1.16.2-13

[root@MYDOMAIN-git ~]# id automatiza.linux
uid=1780843783(automatiza.linux) gid=1780800513(usuários do domínio) groups=1780800513(usuários do domínio)

ldapsearch works well

[root@MYDOMAIN-git ~]# ldapsearch -H ldap://scorp-gdc01.MYDOMAIN.local -x -W -D "myname.mylastname@MYDOMAIN.local" -b "dc=MYDOMAIN,dc=local" "(sAMAccountName=automatiza.linux)"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=MYDOMAIN,dc=local> with scope subtree
# filter: (sAMAccountName=automatiza.linux)
# requesting: ALL
#

# Automatiza Linux, SERVICES AND APPLICATIONS, 01_CORPORATIVO, MYDOMAIN.local
dn: CN=Automatiza Linux,OU=SERVICES AND APPLICATIONS,OU=01_CORPORATIVO,DC=MYDOMAIN
 ,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Automatiza Linux
sn: Linux
givenName: Automatiza
distinguishedName: CN=Automatiza Linux,OU=SERVICES AND APPLICATIONS,OU=01_CORP
 ORATIVO,DC=MYDOMAIN,DC=local
instanceType: 4
whenCreated: 20200123142836.0Z
whenChanged: 20200123150530.0Z
displayName: Automatiza Linux
uSNCreated: 146168812
memberOf: CN=CORP_SERVER_ADMINS,OU=SECURITY OBJECTS ADMINS,OU=01_CORPORATIVO,D
 C=MYDOMAIN,DC=local
uSNChanged: 146174679
name: Automatiza Linux
objectGUID:: +ZmFI5EqmUeNAlSWQi4P7g==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132248899974981121
lastLogon: 132248900554373459
scriptPath: login_MYDOMAIN.bat
pwdLastSet: 132242633166075318
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAArqPx7jHyH3XIpn0mB6sAAA==
accountExpires: 9223372036854775807
logonCount: 5
sAMAccountName: automatiza.linux
sAMAccountType: 805306368
userPrincipalName: automatiza.linux@MYDOMAIN.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=local
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132242655170421998

# search reference
ref: ldap://ForestDnsZones.MYDOMAIN.local/DC=ForestDnsZones,DC=MYDOMAIN,DC=local

# search reference
ref: ldap://DomainDnsZones.MYDOMAIN.local/DC=DomainDnsZones,DC=MYDOMAIN,DC=local

# search reference
ref: ldap://MYDOMAIN.local/CN=Configuration,DC=MYDOMAIN,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
[root@MYDOMAIN-git ~]# 

sssd.conf

[sssd]
domains = MYDOMAIN.local
config_file_version = 2
services = nss, pam

[domain/MYDOMAIN.local]
ad_domain = MYDOMAIN.local
krb5_realm = MYDOMAIN.local
realmd_tags = manages-system joined-with-samba
cache_credentials = False
id_provider = ad
debug_level = 6
auth_provider = ad
chpass_provider = ad
access_provider = ad

krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d-%u
access_provider = ad
ad_access_filter = (memberOf=cn=CORP_SERVER_ADMINS,ou=SECURITY OBJECTS ADMINS,ou=01_CORPORATIVO,dc=MYDOMAIN,dc=local)

In my analysis I saw the following log

(Thu Jan 30 14:48:42 2020) [sssd[be[MYDOMAIN.local]]] [sdap_save_user] (0x0400): Original memberOf is not available for [automatiza.linux@MYDOMAIN.local].
(Thu Jan 30 14:48:42 2020) [sssd[be[MYDOMAIN.local]]] [sdap_save_user] (0x0400): Original USN value is not available for [automatiza.linux@MYDOMAIN.local].

I've tried adding the following various parameters to sssd.conf, but nothing works

ldap_use_tokengroups = True
ldap_schema = ad
enumerate = False
ldap_search_base = DC=MYDOMAIN,DC=local
ldap_user_search_base = DC=MYDOMAIN,DC=local
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_member_of = memberOf
ldap_group_search_base = DC=MYDOMAIN,DC=local
auth_provider = ad
chpass_provider = ad
access_provider = ad

Regards,
Emerson
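Added illustration, not from the ticket or the SSSD project: the primary group in the `id` output above is not looked up through memberOf or tokenGroups at all. It is computed from the user's objectSid (domain part) plus primaryGroupID, which is why it always appears even when the secondary group lookup fails. The decoder below parses the objectSid shown in the ldapsearch output and applies SSSD-style ID mapping (base + RID); the range base is an assumption inferred from the ticket's own `id` output (gid 1780800513 for primaryGroupID 513), since SSSD picks it from a hash of the domain SID.

```python
import base64
import struct

# objectSid and primaryGroupID copied from the ldapsearch output in the ticket.
OBJECT_SID_B64 = "AQUAAAAAAAUVAAAArqPx7jHyH3XIpn0mB6sAAA=="
PRIMARY_GROUP_ID = 513

# Assumption: the base of the ID range SSSD assigned to this domain, inferred
# from the ticket's output (gid 1780800513 for primaryGroupID 513).
ID_RANGE_BASE = 1780800000


def decode_sid(blob: bytes) -> str:
    """Decode a binary AD objectSid into the textual S-R-A-... form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")      # 48-bit big-endian
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    subs = struct.unpack("<%dI" % count, blob[8:])     # 32-bit little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid: str):
    """Split 'S-1-5-21-...-RID' into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def map_id(rid: int, base: int = ID_RANGE_BASE) -> int:
    """SSSD ldap_id_mapping: POSIX id = range base + RID."""
    return base + rid


def user_ids(sid_b64: str, primary_group_id: int) -> dict:
    """Derive uid, primary gid and primary group SID the way the AD provider does."""
    sid = decode_sid(base64.b64decode(sid_b64))
    domain_sid, rid = split_sid(sid)
    return {
        "sid": sid,
        "domain_sid": domain_sid,
        "uid": map_id(rid),
        "primary_gid": map_id(primary_group_id),
        "primary_group_sid": "%s-%d" % (domain_sid, primary_group_id),
    }


if __name__ == "__main__":
    print(user_ids(OBJECT_SID_B64, PRIMARY_GROUP_ID))
```

Secondary groups such as corp_server_admins (gid 1780806119 once the lookup works) are resolved separately, through tokenGroups or memberOf, which is the part that was failing here.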


Hi,

it would be good to have the full domain log file to better understand what is going on.

Is cn=CORP_SERVER_ADMINS,ou=SECURITY OBJECTS ADMINS,ou=01_CORPORATIVO,dc=MYDOMAIN,dc=local a security group, i.e. does it have an objectSid attribute?

Does adding ad_enable_gc = False help?

bye,
Sumit

Hello,

"ad_enable_gc = False" does not work. But thanks.

Log attached!

Regards,

sssd_MYDOMAIN.local.zip

Hi,

it looks like the tokenGroups request does not work properly in your environment. Can you try to call

ldapsearch -H ldap://some_ad_dc.MYDOMAIN.local -b 'CN=Automatiza Linux,OU=SERVICES AND APPLICATIONS,OU=01_CORPORATIVO,DC=MYDOMAIN,DC=local' -s base tokenGroups

and send the result?

Does it work any better if you set ldap_use_tokengroups = False in the [domain/...] section of sssd.conf?

bye,
Sumit

Hello,

The id command works well after adding "ldap_use_tokengroups = False". PRETTY GOOD

id automatiza.linux
uid=1780843783(automatiza.linux) gid=1780800513(usuários do domínio) grupos=1780800513(usuários do domínio),1780806119(corp_server_admins)

LDAPSEARCH RESULT
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0))

But with "ad_access_filter" it still does not authenticate that user. So I changed the access mode to:
access_provider = simple
simple_allow_groups = corp_server_admins

This works well. But I think "ad_access_filter = (memberOf=cn=CORP_SERVER_ADMINS,ou=SECURITY OBJECTS ADMINS,ou=01_CORPORATIVO,dc=MYDOMAIN,dc=local)" is more secure.

Is there some way to fix it?

Thanks a lot @sbose ,
Emerson

> Hello,
> The id command works well after adding "ldap_use_tokengroups = False". PRETTY GOOD
> id automatiza.linux
> uid=1780843783(automatiza.linux) gid=1780800513(usuários do domínio) grupos=1780800513(usuários do domínio),1780806119(corp_server_admins)
> LDAPSEARCH RESULT
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0))

ah sorry, I forgot you have to call kinit before e.g.

kinit -k 'MYDOMAIN-GIT$@MYDOMAIN.LOCAL'

and then call ldapsearch.

> But with "ad_access_filter" it still does not authenticate that user. So I changed the access mode to:

Besides calling ldapsearch with tokenGroups, can you call

ldapsearch -H ldap://scorp-gdc01.MYDOMAIN.local  -b "dc=MYDOMAIN,dc=local" "(sAMAccountName=automatiza.linux)"

and

ldapsearch -H ldap://scorp-gdc01.MYDOMAIN.local  -b 'CN=Automatiza Linux,OU=SERVICES AND APPLICATIONS,OU=01_CORPORATIVO,DC=MYDOMAIN,DC=local' '(&(sAMAccountName=automatiza.linux)(objectclass=user)(memberOf=cn=CORP_SERVER_ADMINS,ou=SECURITY OBJECTS ADMINS,ou=01_CORPORATIVO,dc=MYDOMAIN,dc=local))'

as well?

bye,
Sumit

> access_provider = simple
> simple_allow_groups = corp_server_admins
> This works well. But I think "ad_access_filter = (memberOf=cn=CORP_SERVER_ADMINS,ou=SECURITY OBJECTS ADMINS,ou=01_CORPORATIVO,dc=MYDOMAIN,dc=local)" is more secure.
> Is there some way to fix it?
> Thanks a lot @sbose ,
> Emerson

Hi @sbose,

After executing kinit the first ldapsearch works OK, but the second returns an empty result.

I did various tests with access_provider = simple and all results were satisfactory. Disabling user on domain controller, altering password and everything reflects on machine logon.

So I'll keep access_provider = simple and simple_allow_groups, because everything is working well.

Thanks a lot.
After some more tests I'll close this issue.

Best regards!

Metadata Update from @emersonux:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5109

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
