#4154 id does not include AD groups (ldapsearch works), similar to 4151
Closed: cloned-to-github 3 years ago by pbrezina. Opened 4 years ago by kjonca.

I have a problem with getting user groups from AD.
My lab configuration:
1. Virtualbox machine with ubuntu18 and sssd.

apt show sssd

Package: sssd
Version: 1.16.1-1ubuntu1.4

2. Virtualbox with a trial Windows Server machine (Microsoft allows downloading the ISO image and using it for tests). Its network interface is bound (as "Bridged adapter") to a dummy interface on the host machine.


I did the following steps:
1. create and configure AD with powershell and the commands from the "skrypty.ps1" file (also create users and groups)
2. create group membership with the commands from the "grupy.ps1" and "grupy_w_grupach.ps1" files

then I try:

id testuser1

uid=393201103(testuser1) gid=393200513 groups=393200513

on the other hand:

ldapsearch -v -H ldap:// -b "CN=Users,dc=dorsz,dc=kjonca" -D $'kjonca@dorsz.kjonca' -w Virtualbox1 '(&(sAMAccountName=testuser1))'

returns the proper group membership.


1) why do you use
id_provider = ldap
auth_provider = ldap

and not = ad?

2) do you use nested groups in your setup?

Ad. 1 - It is not my setup, but one taken (and adapted for tests) from our machines running old Ubuntu versions. We want to migrate to Ubuntu 18/20, but we have problems with groups.
EDIT: The AD server is used only to give us user/group membership. The machines are not joined to the domain. So (if I understand correctly) I cannot use id_provider/auth_provider = ad?
Ad. 2 - Yes. We have nested groups.


I created issue #4151. @sbose suggested adding ldap_use_tokengroups = False to sssd.conf. It worked for me.


Changing ldap_use_tokengroups does not help.


Please add debug_level=9 to the [nss] section as well, restart SSSD, call the id command and attach the SSSD nss and domain logs to this ticket, if possible.



It looks like SSSD needs too much time to store all the group members of the groups the user is a member of into the cache. Can you try whether adding ignore_group_members = True helps to speed things up and allows the id command to return all the groups the user is a member of?


I can try, but IIRC we use the group members field in tests, so it can break our config as well.

and "ignore_group_members = True" did not help :(

I forgot to write: I tried to disable enumeration (enumerate=false)
and then I tried to populate the cache "manually" (ldapsearch + getent on every entry), but after this
"id testuser1" also returns bad results.
So I think that something is wrong with the cache in sssd.
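For reference, here is a sssd.conf along the lines of the setup discussed in this ticket: id_provider = ldap against AD on a machine that is not domain-joined, with the knobs tried above (ldap_use_tokengroups, ignore_group_members, enumerate, and the debug_level = 9 requested for the logs) shown in one place. This is an added example, not the reporter's configuration and not one of the attached files; the server URI, bind account, search base, CA path and domain section name are assumptions for illustration.

```ini
# Added example sssd.conf, not the reporter's file. The server name, bind DN,
# search base, CA bundle path and domain section name are assumptions.

[sssd]
services = nss, pam
domains = dorsz.kjonca
config_file_version = 2

[nss]
# Asked for in this thread to collect the nss log; drop back to the default
# once the logs are attached, level 9 is very chatty.
debug_level = 9

[pam]

[domain/dorsz.kjonca]
debug_level = 9
id_provider = ldap
auth_provider = ldap

# Assumed server and bind identity. Use ldaps:// (or ldap_id_use_start_tls)
# so the bind password stored in this file is not sent in the clear; keep the
# file root-owned with mode 0600, which SSSD checks before starting.
ldap_uri = ldaps://dc1.dorsz.kjonca
ldap_search_base = dc=dorsz,dc=kjonca
ldap_default_bind_dn = cn=sssd-bind,cn=Users,dc=dorsz,dc=kjonca
ldap_default_authtok = <bind-password-here>
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

# AD attribute names without joining the domain. With the ad schema SSSD
# derives uid/gid from the objectSID RID (ldap_id_mapping), which is what
# produces ids like 393201103 / 393200513 as seen in the report.
ldap_schema = ad
ldap_id_mapping = True

# Knobs from this thread. True is the default with the ad schema; #4151 was
# fixed by setting it to False, this reporter saw no change either way.
ldap_use_tokengroups = False

# Skips fetching the member attribute of every group the user belongs to.
# Faster `id`, but `getent group <name>` then lists no members, which is why
# the reporter's tests would break with it.
ignore_group_members = True

# Only consulted when nested membership is walked client-side (tokengroups
# off); the default is 2 levels, deeper nesting is silently cut off.
ldap_group_nesting_level = 5

enumerate = False
```

Before testing a change to any of these, run `sss_cache -E` (or stop sssd and remove /var/lib/sss/db/cache_dorsz.kjonca.ldb) so that `id testuser1` is answered from a fresh lookup rather than from the entries cached under the previous settings.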

Metadata Update from @thalman:
- Issue tagged with: Future milestone

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5110

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

3 years ago


Attachments 6