Bug 1003067 - Active directory SSSD/Kerberos/LDAP configuration unable to see all groups for active directory ID
Summary: Active directory SSSD/Kerberos/LDAP configuration unable to see all groups fo...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-30 16:42 UTC by troy@dampierconsulting.net
Modified: 2013-09-18 12:50 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-18 12:50:55 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Bugzilla 683158 (Priority: unspecified, Status: CLOSED): multiple problems with sssd + ldap (Active-Directory) and groups members. Last updated 2021-02-22 00:41:40 UTC

Description troy@dampierconsulting.net 2013-08-30 16:42:20 UTC
Description of problem:

I've set up sssd with rhel6.0 and so far, everything works fine, except group members are missing. 'id <user>' returns only the primary group and 'getent group' returns a bunch of groups and ids but no users. So far, it looks like bug 683158.

On my rhel6.4/sssd, when I use 'getent group' I see a bunch of groups and their gids. When I compare them with my actual LDAP groups, I realize that it does not show all my groups with a gidNumber assigned to them in AD, only the local groups.

Using the following LDAP query I get all AD groups returned (filter parentheses closed; the command as originally posted was missing the closing "))"):
/usr/bin/ldapsearch -Y GSSAPI -N -b "dc=DCI,dc=local" "(&(objectClass=user)(sAMAccountName=userid))"

Not all groups are POSIX-enabled, but the few that are do not show up with id or getent. Only the default Unix group, as listed in the Unix Attributes tab in AD, does.


Version-Release number of selected component (if applicable):
sssd.x86_64   1.9.2-82.7.el6_4

How reproducible:
always

Steps to Reproduce:
1. start the service
2. wait 2-3 seconds...
3. that's it 

Actual results:
1. Group membership in getent and id is wrong: only local groups are shown, not AD groups.
2. id group membership is wrong: only the default AD Unix group is shown, no other AD Unix groups.


Expected results:
See all AD unix groups


Additional info:
Here is the sssd.conf file

[domain/default]
debug_level=9
enumerate = true
min_id=501
max_id=0


ldap_id_use_start_tls = False
cache_credentials = True
krb5_realm = DCI.LOCAL
krb5_server = dc01.dci.local
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dsnap01.dci.local

#ldap_uri = ldap://dc01.dci.local
ldap_search_base = dc=dci,dc=local
ldap_schema = rfc2307bis
ldap_user_search_base = dc=dci,dc=local
ldap_default_bind_dn = dc=dci,dc=local


ldap_user_object_class = user
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName

# option name corrected here from "ildap_group_object_class" as posted
ldap_group_object_class = group
ldap_group_name = name
ldap_group_member = member
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = true

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_disable_referrals = true

krb5_kpasswd = dc01.dci.local
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
config_file_version = 2
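
Added example, not from the report and not SSSD's own code: a small Python linter for sssd.conf that flags option names SSSD would not recognise and suggests the nearest real name (so a key typed as "ildap_group_object_class" is reported against "ldap_group_object_class"), warns when the rfc2307bis group-map options are absent or enumeration is on, checks that the [sssd] section names its domains, and verifies that an LDAP search filter like the one in the report has balanced parentheses. The known-option list is limited to the options that appear in the posted configuration, and the embedded sample is an abridged, constructed copy of that configuration. Whether the misspelled key explains the missing groups is not established anywhere in this report.

```python
"""Lint an sssd.conf for misspelled option names and missing group-map settings.

Added example for this bug report; not SSSD code and not the reporter's.
"""
import configparser
import difflib

# Constructed sample: abridged from the configuration posted in the report,
# keeping the misspelled 'ildap_group_object_class' key as it was typed.
SAMPLE_CONF = """\
[domain/default]
debug_level=9
enumerate = true
min_id=501
max_id=0
id_provider = ldap
auth_provider = krb5
access_provider = ldap
krb5_realm = DCI.LOCAL
ldap_sasl_mech = GSSAPI
ldap_search_base = dc=dci,dc=local
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_name = uid
ldap_user_uid_number= uidNumber
ldap_user_gid_number = gidNumber
ildap_group_object_class = group
ldap_group_name = name
ldap_group_member = member
ldap_group_gid_number = gidNumber
[sssd]
config_file_version = 2
"""

# Real SSSD options, limited to those present in the posted sssd.conf.
# A production linter would load the full list from sssd.conf(5)/sssd-ldap(5).
KNOWN_DOMAIN_OPTIONS = {
    "debug_level", "enumerate", "min_id", "max_id", "id_provider", "auth_provider",
    "chpass_provider", "access_provider", "krb5_realm", "krb5_server", "krb5_kpasswd",
    "cache_credentials", "ldap_uri", "ldap_sasl_mech", "ldap_sasl_authid",
    "ldap_search_base", "ldap_user_search_base", "ldap_schema", "ldap_default_bind_dn",
    "ldap_id_use_start_tls", "ldap_tls_cacertdir", "ldap_user_object_class",
    "ldap_user_name", "ldap_user_uid_number", "ldap_user_gid_number",
    "ldap_user_home_directory", "ldap_user_shell", "ldap_user_principal",
    "ldap_group_object_class", "ldap_group_name", "ldap_group_member",
    "ldap_group_gid_number", "ldap_force_upper_case_realm", "ldap_access_order",
    "ldap_account_expire_policy", "ldap_disable_referrals",
}

# Options that map the group objects; if absent, SSSD uses the ldap_schema defaults.
GROUP_MAP_OPTIONS = {"ldap_group_object_class", "ldap_group_name",
                     "ldap_group_member", "ldap_group_gid_number"}


def parse_sssd_conf(text):
    """Parse sssd.conf (INI syntax, '#' comments, '=' delimiter) without interpolation."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def check_domain(cp, section):
    """Return 'error:'/'warning:' findings for one [domain/...] section."""
    findings = []
    keys = set(cp[section].keys())
    for key in sorted(keys - KNOWN_DOMAIN_OPTIONS):
        guess = difflib.get_close_matches(key, KNOWN_DOMAIN_OPTIONS, n=1, cutoff=0.8)
        hint = f" (did you mean '{guess[0]}'?)" if guess else ""
        findings.append(f"error: {section}: unknown option '{key}'{hint}")
    schema = cp[section].get("ldap_schema", "rfc2307")
    for key in sorted(GROUP_MAP_OPTIONS - keys):
        findings.append(f"warning: {section}: '{key}' not set; SSSD falls back to the "
                        f"{schema} schema default")
    if cp[section].getboolean("enumerate", fallback=False):
        findings.append(f"warning: {section}: enumerate=true downloads every user and "
                        "group; slow and not recommended against Active Directory")
    return findings


def lint(text):
    """Run all checks over every domain section and the [sssd] section."""
    cp = parse_sssd_conf(text)
    findings = []
    if "sssd" not in cp or "domains" not in cp["sssd"]:
        findings.append("error: [sssd] section lacks 'domains'; sssd.conf(5) requires it")
    for section in cp.sections():
        if section.startswith("domain/"):
            findings.extend(check_domain(cp, section))
    return findings


def ldap_filter_balanced(flt):
    """True when every '(' in an LDAP search filter has a matching ')'."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    for line in lint(SAMPLE_CONF):
        print(line)
    # The filter as posted in the report is missing its closing parentheses.
    print(ldap_filter_balanced('(&(objectClass=user)(sAMAccountName=userid'))
```

Run against the sample, the linter reports the unknown key with its suggested spelling, notes that the real ldap_group_object_class is therefore unset, flags enumeration, and points out that the [sssd] section as posted lists no domains; the same checks can be run on /etc/sssd/sssd.conf of any client before a debug_level=9 log is collected.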

Comment 2 Jakub Hrozek 2013-09-02 09:27:15 UTC
Hello Troy,

can you post an example of id output?

It's not entirely clear to me what you mean by "local" groups -- groups coming from the root AD domain or groups local to the client machine?

Comment 3 Jakub Hrozek 2013-09-04 10:04:47 UTC
Hi Troy,

Any luck getting the info requested in comment #2?

Comment 4 Jakub Hrozek 2013-09-12 11:52:02 UTC
Hi Troy,

I won't be able to analyze the problem without the requested information.

Comment 5 Jakub Hrozek 2013-09-18 12:50:55 UTC
As there was no response for over two weeks now, I'm afraid I need to close this bugzilla as INSUFFICIENT_DATA.
