Bug 1003067

Summary: Active directory SSSD/Kerberos/LDAP configuration unable to see all groups for active directory ID
Product: Red Hat Enterprise Linux 6 Reporter: troy <troy>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 6.4CC: grajaiya, jgalipea, lslebodn, okos, pbrezina, troy
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-18 12:50:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description troy@dampierconsulting.net 2013-08-30 16:42:20 UTC 
Description of problem:

I've setup sssd with rhel6.0 and so far, everything works fine, except groups members are missing. 'id <user>' returns only primary group and 'getent group' returns a bunch of groups, ids but no users. So far, it looks like a bug 683158.

On my rhel6.4/sssd, when I use 'getent group' I see a bunch of groups and their gid. When I compare them with my actual ldap groups, I realize that it does not show all my groups with gidNumber assigned to them in AD only the local groups.

Using the following ldap query I get all AD groups returned.
/usr/bin/ldapsearch -Y GSSAPI -N -b "dc=DCI,dc=local" "(&(objectClass=user)(sAMAccountName=userid"

Not all groups are Posix enabled but the few that are do not show up with ID or Getent.   Only the default unix group as listed unix attributes tab in AD


Version-Release number of selected component (if applicable):
sssd.x86_64   1.9.2-82.7.el6_4

How reproducible:
allways

Steps to Reproduce:
1. start the service
2. wait 2-3 seconds...
3. that's it 

Actual results:
1-groups members in getent,id is wrong. -only shows local groups not AD groups
2-id group membership is wrong.  - only shows default AD unix group no other AD Unix groups


Expected results:
See all AD unix groups


Additional info:
Here is the sssd.conf file

[domain/default]
debug_level=9
enumerate = true
min_id=501
max_id=0


ldap_id_use_start_tls = False
cache_credentials = True
krb5_realm = DCI.LOCAL
krb5_server = dc01.dci.local
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dsnap01.dci.local

#ldap_uri = ldap://dc01.dci.local
ldap_search_base = dc=dci,dc=local
ldap_schema = rfc2307bis
ldap_user_search_base = dc=dci,dc=local
ldap_default_bind_dn= dc=dci,dc=local


ldap_user_object_class = user
ldap_user_name = uid
ldap_user_uid_number= uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName

ildap_group_object_class = group
ldap_group_name = name
ldap_group_member = member
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = true

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_disable_referrals = true

krb5_kpasswd = dc01.dci.local
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
config_file_version = 2
Comment 2 Jakub Hrozek 2013-09-02 09:27:15 UTC 
Hello Troy,

can you post an example of id output?

It's not entirely clear to me what do you mean by "local" groups -- groups coming from the root AD domain or groups local to the client machine?
Comment 3 Jakub Hrozek 2013-09-04 10:04:47 UTC 
Hi Troy,

Any luck getting the info requested in comment #2?
Comment 4 Jakub Hrozek 2013-09-12 11:52:02 UTC 
Hi Troy,

I won't be able to analyze the problem without the requested information..
Comment 5 Jakub Hrozek 2013-09-18 12:50:55 UTC 
As there was no response for over two weeks now, I'm afraid I need to close this bugzilla as INSUFFICIENT_DATA.