Bug 1003067 - Active directory SSSD/Kerberos/LDAP configuration unable to see all groups for active directory ID
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: x86_64 Linux
Priority: unspecified
Severity: urgent
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Reported: 2013-08-30 12:42 EDT by troy@dampierconsulting.net
Modified: 2013-09-18 08:50 EDT
Last Closed: 2013-09-18 08:50:55 EDT
Type: Bug
External Trackers: Red Hat Bugzilla 683158

Description troy@dampierconsulting.net 2013-08-30 12:42:20 EDT
Description of problem:

I've set up sssd with rhel6.0 and so far, everything works fine, except group members are missing. 'id <user>' returns only the primary group and 'getent group' returns a bunch of groups, ids but no users. So far, it looks like bug 683158.

On my rhel6.4/sssd, when I use 'getent group' I see a bunch of groups and their gid. When I compare them with my actual ldap groups, I realize that it does not show all my groups with gidNumber assigned to them in AD, only the local groups.

Using the following ldap query I get all AD groups returned:
/usr/bin/ldapsearch -Y GSSAPI -N -b "dc=DCI,dc=local" "(&(objectClass=user)(sAMAccountName=userid))"

Not all groups are Posix enabled but the few that are do not show up with ID or Getent. Only the default unix group, as listed in the unix attributes tab in AD, does.


Version-Release number of selected component (if applicable):
sssd.x86_64   1.9.2-82.7.el6_4

How reproducible:
always

Steps to Reproduce:
1. start the service
2. wait 2-3 seconds...
3. that's it 

Actual results:
1. Group members in getent, id are wrong: only local groups are shown, not AD groups.
2. id group membership is wrong: only the default AD unix group is shown, no other AD Unix groups.


Expected results:
See all AD unix groups


Additional info:
Here is the sssd.conf file

[domain/default]
debug_level=9
enumerate = true
min_id=501
max_id=0


ldap_id_use_start_tls = False
cache_credentials = True
krb5_realm = DCI.LOCAL
krb5_server = dc01.dci.local
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dsnap01.dci.local@DCI.LOCAL

#ldap_uri = ldap://dc01.dci.local
ldap_search_base = dc=dci,dc=local
ldap_schema = rfc2307bis
ldap_user_search_base = dc=dci,dc=local
ldap_default_bind_dn= dc=dci,dc=local


ldap_user_object_class = user
ldap_user_name = uid
ldap_user_uid_number= uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName

ildap_group_object_class = group
ldap_group_name = name
ldap_group_member = member
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = true

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_disable_referrals = true

krb5_kpasswd = dc01.dci.local
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
config_file_version = 2
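
An added example, not part of the original report or of SSSD: a small check that compares the option names in a domain section of an sssd.conf against a list of known names and suggests the closest match for any it does not recognize. The sample input is an excerpt constructed from the configuration above, and KNOWN_OPTIONS is a hand-written subset limited to options named in this report, not SSSD's full option list.

```python
import configparser
import difflib

# Assumption: hand-written subset of sssd.conf domain options (only those
# named in the report above), not SSSD's complete option list.
KNOWN_OPTIONS = {
    "debug_level", "enumerate", "min_id", "max_id", "cache_credentials",
    "id_provider", "auth_provider", "chpass_provider", "access_provider",
    "krb5_realm", "krb5_server", "krb5_kpasswd", "ldap_uri", "ldap_schema",
    "ldap_search_base", "ldap_user_search_base", "ldap_default_bind_dn",
    "ldap_id_use_start_tls", "ldap_sasl_mech", "ldap_sasl_authid",
    "ldap_user_object_class", "ldap_user_name", "ldap_user_uid_number",
    "ldap_user_gid_number", "ldap_user_home_directory", "ldap_user_shell",
    "ldap_user_principal", "ldap_group_object_class", "ldap_group_name",
    "ldap_group_member", "ldap_group_gid_number", "ldap_tls_cacertdir",
    "ldap_force_upper_case_realm", "ldap_access_order",
    "ldap_account_expire_policy", "ldap_disable_referrals",
}

# Excerpt constructed from the configuration posted in the report.
SAMPLE = """\
[domain/default]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_default_bind_dn= dc=dci,dc=local
ldap_user_object_class = user
ildap_group_object_class = group
ldap_group_name = name
ldap_group_member = member
ldap_group_gid_number = gidNumber
[sssd]
config_file_version = 2
"""

def unknown_domain_options(text):
    """Return {section: [(key, closest_known_name_or_None), ...]}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    known = sorted(KNOWN_OPTIONS)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # only domain sections carry provider options
        bad = [(key, (difflib.get_close_matches(key, known, n=1, cutoff=0.8) or [None])[0])
               for key in cp[section] if key not in KNOWN_OPTIONS]
        if bad:
            report[section] = bad
    return report

if __name__ == "__main__":
    for section, bad in unknown_domain_options(SAMPLE).items():
        for key, guess in bad:
            print(f"[{section}] unrecognized option {key!r}; closest known: {guess}")
```

On the excerpt it reports `ildap_group_object_class`, a spelling that leaves `ldap_group_object_class` itself unset in that section.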
Comment 2 Jakub Hrozek 2013-09-02 05:27:15 EDT
Hello Troy,

can you post an example of id output?

It's not entirely clear to me what you mean by "local" groups -- groups coming from the root AD domain or groups local to the client machine?
Comment 3 Jakub Hrozek 2013-09-04 06:04:47 EDT
Hi Troy,

Any luck getting the info requested in comment #2?
Comment 4 Jakub Hrozek 2013-09-12 07:52:02 EDT
Hi Troy,

I won't be able to analyze the problem without the requested information.
Comment 5 Jakub Hrozek 2013-09-18 08:50:55 EDT
As there was no response for over two weeks now, I'm afraid I need to close this bugzilla as INSUFFICIENT_DATA.