Unable to see secondary groups in CentOS7 #3957

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments
sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2916

  • Created at 2016-01-07 17:00:56 by is24tvollmer
  • Closed as Invalid
  • Assigned to nobody

Hi,

we have a working SSSD config in SL6, but after migrating it to CentOS 7, secondary groups are no longer shown when issuing id <username>.

getent group <groupname> works and shows the proper information.

I already went through the steps in "https://fedorahosted.org/sssd/wiki/FAQ#IdontseeanygroupswhenIrunidusername" to no avail.

Can you help me set this up?

/etc/sssd/sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.TLD

[pam]

[domain/DOMAIN.TLD]
debug_level = 6
# Enumeration pulls the complete user and group set from AD on every refresh;
# it is not needed for per-entry id/getent lookups.
enumerate = true
lookup_family_order = ipv4_only
case_sensitive = false

id_provider = ldap
auth_provider = ldap

ldap_schema = rfc2307bis
ldap_id_mapping = false
ldap_search_base = OU=Nutzer,OU=Konten,DC=domain,DC=tld
# Two group search bases. SSSD's syntax is base?scope?filter, with several
# base?scope?filter triples joined by '?'; an empty scope or filter means the
# default (subtree, no extra filter), which is why the separators run together
# as '???'.
ldap_group_search_base = OU=production,OU=groups,DC=domain,DC=tld???CN=Users,DC=domain,DC=tld??
ldap_uri = ldaps://ad1, ldaps://ad2, ldaps://ad3, ldaps://ad4
ldap_network_timeout = 2
# Placeholder bind credentials. The real password is stored in clear text in
# this file, so sssd.conf must stay root-owned with mode 0600; SSSD checks the
# ownership and mode at startup.
ldap_default_bind_dn = binduser
ldap_default_authtok_type = password
ldap_default_authtok = password
ldap_tls_cacert = /etc/pki/public-certs.pem

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_uuid = objectGUID
ldap_user_modify_timestamp = whenChanged
ldap_user_principal = userPrincipalName

ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_uuid = objectGUID
ldap_group_modify_timestamp = whenChanged

ldap_referrals = false
# ldap_account_expire_policy and ldap_access_order are only evaluated when
# access_provider = ldap. No access_provider is set here, so it defaults to
# "permit" and these two lines have no effect.
ldap_account_expire_policy = ad
ldap_access_order = expire
ldap_force_upper_case_realm = true

ldapsearch -LLL -o ldif-wrap=no "(uid=testuser)"

SASL/GSSAPI authentication started
SASL username: testuser@domain.local
SASL SSF: 56
SASL data security layer installed.
dn: CN=Test User,OU=ou1,OU=Nutzer,OU=Konten,DC=domain,DC=tld
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Test User
sn: User
c: US
l: Some
st: Some
description: Test User Account
postalCode: 0000
physicalDeliveryOfficeName: Some
telephoneNumber: 1234
givenName: Test
distinguishedName: CN=Test User,OU=ou1,OU=Nutzer,OU=Konten,DC=domain,DC=tld
instanceType: 4
whenCreated: 20130617081151.0Z
whenChanged: 20160104102134.0Z
displayName: Test User
uSNCreated: 64910663
memberOf: CN=group1,OU=Nutzer,OU=Konten,DC=domain,DC=tld
memberOf: CN=group2,OU=ouxyz,OU=groups,DC=domain,DC=tld
memberOf: CN=group3,OU=ouxyz,OU=groups,DC=domain,DC=tld
memberOf: [...]
uSNChanged: 197836049
co: Deutschland
department: XXX
company: XXX
proxyAddresses: SMTP:test.user@mydomain.com
extensionAttribute10: usermailbox
mailNickname: TUser
protocolSettings:: XXX
protocolSettings:: XXX
protocolSettings:: XXX
protocolSettings:: XXX
extensionAttribute13: 1
extensionAttribute15: XXX
employeeNumber: 123456789
employeeType: Employee
name: Test User
objectGUID:: XXXX
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 276
employeeID: I01001647
homeDirectory: \\daten\userhome$\TUser
homeDrive: U:
badPasswordTime: 130965599791540626
lastLogoff: 0
lastLogon: 130966479638734465
scriptPath: logon.bat
logonHours:: ////////////////////////////
pwdLastSet: 130893706788459570
primaryGroupID: 513
objectSid:: XXX
accountExpires: 0
logonCount: 9234
sAMAccountName: tuser
sAMAccountType: 805306368
userPrincipalName: tuser@domain.tld
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=tld
dSCorePropagationData: 20141217132036.0Z
dSCorePropagationData: 20140731074623.0Z
dSCorePropagationData: 20131203090120.0Z
dSCorePropagationData: 16010101181633.0Z
lastLogonTimestamp: 130963764944125991
msDS-RevealedDSAs: CN=ADC1,OU=Domain Controllers,DC=domain,DC=tld
msTSExpireDate: 20151205075911.0Z
msTSLicenseVersion: 393216
msTSManagingLS: 00477-001-4510013-84917
uid: tuser
mail: test.user@domain.tld
msExchUserAccountControl: 0
msExchMailboxGuid:: XXX==
msExchPoliciesIncluded: 57975646-5ab5-4867-9803-c7ed9e8b0a5d
msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchRecipientDisplayType: -2147483642
msExchWhenMailboxCreated: 20130617081429.0Z
unixHomeDirectory: /data/home/tuser
msExchShadowMailNickname: TUser
msExchRecipientTypeDetails: 2147483648
msExchRemoteRecipientType: 4
msExchTextMessagingState: 302120705
msExchTextMessagingState: 16842751
loginShell: /bin/bash
gidNumber: 32776
msSFU30NisDomain: domain
msSFU30Name: tuser
msExchELCMailboxFlags: 2
msExchMobileMailboxFlags: 1
uidNumber: 41346
msExchUMDtmfMap: reversedPhone:9871
msExchUMDtmfMap: emailAddress:8624278655637
msExchUMDtmfMap: lastNameFirstName:8655637862427
msExchUMDtmfMap: firstNameLastName:8624278655637
msExchVersion: 44220983382016

# refldap://DomainDnsZones.domain.tld/DC=DomainDnsZones,DC=domain,DC=tld

# refldap://ForestDnsZones.domain.tld/DC=ForestDnsZones,DC=domain,DC=tld

# refldap://domain.tld/CN=Configuration,DC=domain,DC=tld

ldapsearch -LLL -o ldif-wrap=no "(cn=group1)"

SASL/GSSAPI authentication started
SASL username: tuser@DOMAIN.TLD
SASL SSF: 56
SASL data security layer installed.
dn: CN=group1,OU=production,OU=groups,OU=,DC=domain,DC=tld
objectClass: top
objectClass: group
cn: group1
member: CN=Test User,OU=ou1,OU=Nutzer,OU=Konten,DC=domain,DC=tld
member: [...]
distinguishedName: CN=group1,OU=production,OU=groups,DC=domain,DC=tld
instanceType: 4
whenCreated: 20140207135608.0Z
whenChanged: 20151123142856.0Z
uSNCreated: 95064658
uSNChanged: 192896571
name: group1
objectGUID:: XXX
objectSid:: XXX
sAMAccountName: group1
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=tld
dSCorePropagationData: 20140731074621.0Z
dSCorePropagationData: 16010101000001.0Z
gidNumber: 30002
msSFU30NisDomain: domain
msSFU30Name: group1

# refldap://DomainDnsZones.domain.tld/DC=DomainDnsZones,DC=domain,DC=tld

# refldap://ForestDnsZones.domain.tld/DC=ForestDnsZones,DC=domain,DC=tld

# refldap://domain.tld/CN=Configuration,DC=domain,DC=tld

Thank you for your help.

Best regards,

Tobias Vollmer

Comments


Comment from is24tvollmer at 2016-01-08 13:08:46

We found a configuration issue.
In our nsswitch.conf we had the "initgroups:" setting. Removing this setting fixed the problem.

See for details:

This ticket can be closed.

priority: minor => trivial
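The resolution above hinges on how glibc routes the initgroups() NSS call: when nsswitch.conf carries an "initgroups:" line, that line replaces "group:" for initgroups() lookups only, so "initgroups: files" makes id(1) and login-time group assignment skip sss while "getent group <groupname>" (which uses "group:") keeps working. The script below is an added example, not the reporter's or the SSSD project's code; it parses two constructed nsswitch.conf samples (one with the offending line, one without) and reports which sources the initgroups() call would consult. It assumes the documented glibc behaviour (fall back to "group:" only when no "initgroups:" line exists) and standard sed and awk.

```shell
#!/bin/sh
# Added example (not the reporter's or the SSSD project's code): show why an
# "initgroups: files" line hides SSSD secondary groups from id(1) while
# "getent group" still works.  glibc answers id/getgrouplist through the
# initgroups() NSS call, which uses the "initgroups:" line of nsswitch.conf
# when one exists and only otherwise falls back to the "group:" line.
# Both nsswitch.conf texts below are constructed samples, not the reporter's
# real file.

BROKEN_NSSWITCH='passwd:     files sss
shadow:     files sss
group:      files sss
initgroups: files          # overrides "group:" for initgroups() only
hosts:      files dns'

FIXED_NSSWITCH='passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns'

# nss_sources DB CONF: print the source list configured for database DB in
# the nsswitch.conf text CONF (comments stripped), or nothing if absent.
nss_sources() {
    printf '%s\n' "$2" | sed 's/#.*//' | awk -v db="$1" '
        $1 == (db ":") {
            s = ""
            for (i = 2; i <= NF; i++) s = s (i > 2 ? " " : "") $i
            print s
            exit
        }'
}

# initgroups_sources CONF: the list glibc actually consults for initgroups():
# the "initgroups:" line if present, else the "group:" line.
initgroups_sources() {
    s=$(nss_sources initgroups "$1")
    [ -n "$s" ] || s=$(nss_sources group "$1")
    printf '%s\n' "$s"
}

# sss_answers_initgroups CONF: succeed (0) when sss is among those sources,
# i.e. when id(1) will see the groups SSSD resolves from AD.
sss_answers_initgroups() {
    case " $(initgroups_sources "$1") " in
        *" sss "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# report LABEL CONF: one-line verdict, for running the script by hand.
report() {
    if sss_answers_initgroups "$2"; then
        printf '%s: initgroups() -> [%s]: sss consulted, id(1) shows SSSD groups\n' \
            "$1" "$(initgroups_sources "$2")"
    else
        printf '%s: initgroups() -> [%s]: sss skipped, id(1) drops SSSD groups\n' \
            "$1" "$(initgroups_sources "$2")"
    fi
}

report broken "$BROKEN_NSSWITCH"
report fixed  "$FIXED_NSSWITCH"
```

Point nss_sources at the contents of /etc/nsswitch.conf on a live host to audit it the same way; the equivalent runtime check is to compare "getent initgroups <username>" with "getent group <groupname>", which exercise the two different NSS lines.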


Comment from jhrozek at 2016-01-08 13:47:27

Thank you for reporting back.

resolution: => invalid
status: new => closed


Comment from is24tvollmer at 2017-02-24 15:00:49

Metadata Update from @is24tvollmer:

  • Issue set to the milestone: NEEDS_TRIAGE