I have a problem with getting user groups from AD. My lab configuration: 1. Virtualbox machine with ubuntu18 and sssd.
Package: sssd Version: 1.16.1-1ubuntu1.4
============
I did the following steps: 1. create and configure AD with powershell and the command from the "skrypty.ps1" file (also create users and groups)
Then I try:
uid=393201103(testuser1) gid=393200513 groups=393200513
On the other hand: ldapsearch -v -H ldap://192.168.57.10:3268 -b "CN=Users,dc=dorsz,dc=kjonca" -D $'kjonca@dorsz.kjonca' -w Virtualbox1 '(&(sAMAccountName=testuser1))'
returns proper group membership.
Attachments: sssd.conf, skrypty.ps1, grupy.ps1, grupy_w_grupach.ps1
Hi,
1) Why do you use id_provider = ldap auth_provider = ldap and not = ad?
2) do you use nested groups in your setup?
Ad. 1 - It is not my setup, but taken (and adapted to tests) from our machines running old ubuntu versions. We want to migrate to ubuntu 18/20, but we have problems with groups.
EDIT: AD server is used only to give us user/group membership. Machines are not connected to domain. So (if I understand correctly) I cannot use id_provider/auth_provider = ad?
Ad. 2 - Yes. We have nested groups.
Hello,
I created the issue #4151. So @sbose suggested to add ldap_use_tokengroups = False in sssd.conf. It worked for me.
Regards,
Changing ldap_use_tokengroups does not help.
Please add debug_level=9 to the [nss] section as well, restart SSSD, call the id command and attach the SSSD nss and domain log to this ticket, if possible.
bye, Sumit
Attached.
Attachments: sssd_nss.log.xz, sssd_dorsz.kjonca.log.xz
It looks like SSSD needs too much time to store all group members of the groups the user is a member of into the cache. Can you try if adding ignore_group_members = True helps to speed things up and allows the id command to return all groups the user is a member of?
I can try, but IIRC, we use group members field in tests so it can break our config also.
And "ignore_group_members = True" did not help :(
I forgot to write: I tried to disable enumeration (enumerate=false) and then I tried to populate the cache "manually" (ldapsearch + getent on every entry), but after this "id testuser1" also returns bad results. So I think that something is wrong with the cache in sssd.
Metadata Update from @thalman: - Issue tagged with: Future milestone
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/5110
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @pbrezina: - Issue close_status updated to: cloned-to-github - Issue status updated to: Closed (was: Open)