Bug 580402 - when using sssd, id doesn't show secondary groups
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: sssd
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-04-08 04:04 EDT by Espen Stefansen
Modified: 2010-04-12 03:59 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-04-12 03:59:38 EDT
Description Espen Stefansen 2010-04-08 04:04:36 EDT
Description of problem:
I use sssd to authenticate to my company's network via krb5/ldap. 

Earlier when I used ldap/krb5 conf files, secondary groups were shown with id. This only worked when I added "nss_map_attribute uniqueMember member" in /etc/ldap.conf.
testuser@testlab09:~$ id
uid=2111(testuser) gid=1180(testgroup) groups=1017(edb),1180(testgroup)

When I changed to sssd, only the primary group is shown.
testuser@testlab09:~$ id
uid=2111(testuser) gid=1180(testgroup) groups=1180(testgroup)

Is it possible to get this info using sssd also?

Version-Release number of selected component (if applicable):
sssd-1.1.1-3.fc13.i686
sssd-client-1.1.1-3.fc13.i686

How reproducible:
Every time

Comment 1 Stephen Gallagher 2010-04-08 08:18:31 EDT
Ok, this has been a bone of contention in the setup for a while.

What's going on here is that your LDAP server is operating in compliance with the RFC2307bis standard, while SSSD assumes by default that it is running with RFC2307.

The short answer is: for your deployment, you want to set the variable
ldap_schema = rfc2307bis

in your [domain/<yourdomain>] section of /etc/sssd/sssd.conf


For a little additional information, the difference between the RFC2307bis standard and the RFC2307 standard is this:
RFC2307 uses the 'memberUid' attribute to store the name of members
RFC2307bis uses the 'member' attribute to store the DN of members (which allows things like nested groups)

I have a bug open upstream ( https://fedorahosted.org/sssd/ticket/438 ) to add some additional comments into the sample sssd.conf file that we install to make this more clear.

If setting this value resolves your issue, please close this bug.
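The following is an added example, not part of this bug report and not SSSD's own code. It shows how to tell the two group schemas apart from an LDIF dump of the directory (memberUid holding login names for RFC2307, member or uniqueMember holding DNs for RFC2307bis), emit the matching ldap_schema line for the [domain/...] section, and compare the groups a user should have against the output of `id`. The LDIF below is constructed to mirror the names in the report (testuser, testgroup, edb); the DNs, base DN and domain name are assumptions.

```python
"""Classify an LDAP group schema from LDIF and check `id` output for missing
secondary groups. Added example; the sample data is constructed, not taken
from the reporter's directory."""
import re

# Constructed RFC2307bis-style sample: groups list member DNs, not login names.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: testuser
uidNumber: 2111
gidNumber: 1180

dn: cn=testgroup,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: testgroup
gidNumber: 1180
member: uid=testuser,ou=People,dc=example,dc=com

dn: cn=edb,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: edb
gidNumber: 1017
member: uid=testuser,ou=People,dc=example,dc=com
member: uid=otheruser,ou=People,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse a plain-text LDIF dump into a list of {attribute: [values]} dicts.
    Folded lines (continuations starting with a space) are joined; base64
    ('::') values are not decoded, which is fine for schema detection."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def is_group(entry):
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return bool(classes & {"posixgroup", "groupofnames", "groupofuniquenames"})


def detect_schema(entries):
    """Return the ldap_schema value matching how groups store membership,
    or None when the dump has no groups or mixes both conventions."""
    rfc2307 = rfc2307bis = 0
    for e in entries:
        if not is_group(e):
            continue
        if "memberUid" in e:
            rfc2307 += 1
        if "member" in e or "uniqueMember" in e:
            rfc2307bis += 1
    if rfc2307bis and not rfc2307:
        return "rfc2307bis"
    if rfc2307 and not rfc2307bis:
        return "rfc2307"
    return None


def expected_groups(entries, login):
    """Group names `id` should print for `login`: the primary group by
    gidNumber plus every group naming the user by login or by DN."""
    users = [e for e in entries if login in e.get("uid", [])]
    if not users:
        return set()
    user_dn = users[0]["dn"][0]
    primary_gid = users[0].get("gidNumber", [None])[0]
    names = set()
    for e in entries:
        if not is_group(e):
            continue
        by_dn = e.get("member", []) + e.get("uniqueMember", [])
        if (login in e.get("memberUid", []) or user_dn in by_dn
                or e.get("gidNumber", [None])[0] == primary_gid):
            names.add(e["cn"][0])
    return names


ID_RE = re.compile(r"uid=(\d+)\(([^)]*)\) gid=(\d+)\(([^)]*)\) groups=(\S+)")


def parse_id_output(line):
    """Parse one `id` line into uid, gid and the set of group names."""
    m = ID_RE.search(line)
    if not m:
        raise ValueError("not an `id` line: %r" % line)
    groups = {g.split("(")[1].rstrip(")") for g in m.group(5).split(",")}
    return {"uid": int(m.group(1)), "user": m.group(2),
            "gid": int(m.group(3)), "groups": groups}


def missing_groups(entries, login, id_line):
    """Groups the directory grants the user that `id` did not report."""
    return expected_groups(entries, login) - parse_id_output(id_line)["groups"]


def sssd_domain_fragment(domain, schema):
    """The sssd.conf lines from Comment 1; `domain` is a placeholder name."""
    return "[domain/%s]\nldap_schema = %s\n" % (domain, schema)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    schema = detect_schema(entries)
    print("detected group schema:", schema)
    print(sssd_domain_fragment("example.com", schema))
    # The two `id` lines quoted in the report: before and after the fix.
    for line in ("uid=2111(testuser) gid=1180(testgroup) groups=1180(testgroup)",
                 "uid=2111(testuser) gid=1180(testgroup) groups=1017(edb),1180(testgroup)"):
        print(line, "-> missing:", sorted(missing_groups(entries, "testuser", line)))
```

Against the constructed sample the detector reports rfc2307bis, and the first `id` line from the report comes back with edb missing while the second comes back clean. A dump in the memberUid style flips the result to rfc2307; a directory that mixes both conventions yields None and needs a manual decision rather than a guessed setting.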
Comment 2 Espen Stefansen 2010-04-12 03:59:38 EDT
Yep, this fixes my bug. :-)
