Red Hat Bugzilla – Bug 1003067
Active directory SSSD/Kerberos/LDAP configuration unable to see all groups for active directory ID
Last modified: 2013-09-18 08:50:55 EDT
Description of problem:
I've set up sssd with rhel6.0 and so far everything works fine, except that group members are missing. 'id <user>' returns only the primary group, and 'getent group' returns a bunch of groups and ids but no users. So far, it looks like bug 683158.
On my rhel6.4/sssd, when I use 'getent group' I see a bunch of groups and their gids. When I compare them with my actual LDAP groups, I realize that it does not show all my groups with a gidNumber assigned to them in AD, only the local groups.
Using the following ldap query I get all AD groups returned.
/usr/bin/ldapsearch -Y GSSAPI -N -b "dc=DCI,dc=local" "(&(objectClass=user)(sAMAccountName=userid))"
Not all groups are POSIX-enabled, but the few that are do not show up with id or getent, only the default Unix group as listed in the Unix Attributes tab in AD.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. start the service
2. wait 2-3 seconds...
3. that's it
Actual results:
1. Group members in getent/id are wrong: only local groups are shown, not AD groups.
2. id group membership is wrong: only the default AD Unix group is shown, no other AD Unix groups.
Expected results:
See all AD Unix groups.
Here is the sssd.conf file:
enumerate = true
ldap_id_use_start_tls = False
cache_credentials = True
krb5_realm = DCI.LOCAL
krb5_server = dc01.dci.local
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dsnap01.dci.local@DCI.LOCAL
#ldap_uri = ldap://dc01.dci.local
ldap_search_base = dc=dci,dc=local
ldap_schema = rfc2307bis
ldap_user_search_base = dc=dci,dc=local
ldap_user_object_class = user
ldap_user_name = uid
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ildap_group_object_class = group
ldap_group_name = name
ldap_group_member = member
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = true
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_disable_referrals = true
krb5_kpasswd = dc01.dci.local
ldap_tls_cacertdir = /etc/openldap/cacerts
config_file_version = 2
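Two things a practitioner would check against a configuration like the one above before digging into the directory: whether every option name is one SSSD actually recognises (older SSSD releases do not reject a misspelled key in a [domain/...] section; the option simply falls back to its default), and which LDAP objectClass the group lookup ends up filtering on as a result. The following is an added example, not code from the bug report or from SSSD itself. The option list, the sample AD-style group entries and the simplified group filter are constructed for illustration; the only real values are the sssd-ldap defaults `posixGroup` and `gidNumber`.

```python
"""Added example: sanity-check an SSSD domain section and show what the
group lookup would match. Not SSSD code; option list and sample entries
are constructed for illustration."""

# Constructed subset of option names SSSD accepts in a [domain/...] section
# (assumption: representative, not the full list). config_file_version is
# included only because the pasted config carries it; it belongs in [sssd].
KNOWN_DOMAIN_OPTIONS = {
    "enumerate", "cache_credentials", "id_provider", "auth_provider",
    "chpass_provider", "access_provider", "krb5_realm", "krb5_server",
    "krb5_kpasswd", "ldap_uri", "ldap_search_base", "ldap_schema",
    "ldap_id_use_start_tls", "ldap_sasl_mech", "ldap_sasl_authid",
    "ldap_user_search_base", "ldap_user_object_class", "ldap_user_name",
    "ldap_user_gid_number", "ldap_user_home_directory", "ldap_user_shell",
    "ldap_user_principal", "ldap_group_object_class", "ldap_group_name",
    "ldap_group_member", "ldap_group_gid_number",
    "ldap_force_upper_case_realm", "ldap_access_order",
    "ldap_account_expire_policy", "ldap_disable_referrals",
    "ldap_tls_cacertdir", "config_file_version",
}

# Documented sssd-ldap defaults for the two keys that decide the group filter.
DEFAULTS = {"ldap_group_object_class": "posixGroup",
            "ldap_group_gid_number": "gidNumber"}

# Constructed AD-style group entries: one POSIX-enabled, one not.
SAMPLE_GROUPS = [
    {"name": "linux-admins", "objectClass": ["top", "group"], "gidNumber": "10001"},
    {"name": "Domain Users", "objectClass": ["top", "group"]},
]

# The domain options from the bug report, embedded verbatim as test input.
CONF = """
enumerate = true
ldap_id_use_start_tls = False
cache_credentials = True
id_provider = ldap
ldap_schema = rfc2307bis
ldap_user_object_class = user
ildap_group_object_class = group
ldap_group_name = name
ldap_group_member = member
ldap_group_gid_number = gidNumber
#ldap_uri = ldap://dc01.dci.local
config_file_version = 2
"""


def parse_options(text):
    """Parse 'key = value' lines; skip blanks, comments and section headers."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def unknown_options(opts):
    """Option names SSSD would silently ignore (sorted for stable output)."""
    return sorted(k for k in opts if k not in KNOWN_DOMAIN_OPTIONS)


def effective_group_settings(opts):
    """objectClass and gid attribute actually in effect, defaults applied."""
    return (opts.get("ldap_group_object_class", DEFAULTS["ldap_group_object_class"]),
            opts.get("ldap_group_gid_number", DEFAULTS["ldap_group_gid_number"]))


def group_filter(opts):
    """Simplified LDAP filter a POSIX group enumeration would use."""
    oc, gid = effective_group_settings(opts)
    return f"(&(objectClass={oc})({gid}=*))"


def matching_groups(entries, opts):
    """Names of the sample entries that the effective filter would return."""
    oc, gid = effective_group_settings(opts)
    return [e["name"] for e in entries
            if oc in e.get("objectClass", []) and gid in e]


def fixed_conf(text):
    """Same config with the misspelled group objectClass key corrected."""
    return text.replace("ildap_group_object_class", "ldap_group_object_class")


if __name__ == "__main__":
    for label, text in (("as posted", CONF), ("key corrected", fixed_conf(CONF))):
        o = parse_options(text)
        print(label, unknown_options(o), group_filter(o),
              matching_groups(SAMPLE_GROUPS, o))
```

Run as posted, the checker flags `ildap_group_object_class`, the effective filter falls back to `objectClass=posixGroup`, and no AD group (objectClass `group`) matches; with the key spelled correctly the POSIX-enabled sample group is returned. That is the kind of evidence worth attaching to a report alongside the `id` output the maintainer asks for.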
Can you post an example of id output?
It's not entirely clear to me what you mean by "local" groups -- groups coming from the root AD domain or groups local to the client machine?
Any luck getting the info requested in comment #2?
I won't be able to analyze the problem without the requested information.
As there was no response for over two weeks now, I'm afraid I need to close this bugzilla as INSUFFICIENT_DATA.