Closed sssd-bot closed 4 years ago
Hi-
Apologies, but this does not appear to be fixed.
Name : sssd
Arch : x86_64
Version : 1.16.5
Release : 10.el7_9.13
on Centos 7.9 (3.10.0-1160.59.1.el7.x86_64). auth against AD server.
setting full_name_format = %1$s seems to be truncating all supplemental groups just as OP noted years ago. for me, it occurs only with users from domains other than primary domain.
Unlike OP, I am not setting default_domain_suffix and I have set use_fully_qualified_names = False Only one domain (primary) set up in sssd.conf
with full_name_format = %1$s in sssd.conf, command id username>@<domain specifying domains other than primary domain outputs only uid= gid= groups= with single entry for each. with default full_name_format, full supplemental group list is present.
Please advise.
Yours, Larry Root
Hi,
are you using FreeIPA as well or is your client directly joinend into an AD domain? Have you tried if it makes a difference if you only use full_name_format = %1$s
and not set use_fully_qualified_names = False
? Can you share your full (sanitized) sssd.conf?
In general it would be better to open a new ticket and add a reference to an older ticket if needed.
bye, Sumit
Hi-
No FreeIPA- client is directly joined.
Using full_name_format = %1$s and setting use_fully_qualified_names = True
causes both primary and secondary domain users to return
uid= gid= groups=
with single entry for each. with default full_name_format, full supplemental group list is present from all trusted domains, not just the primary domain.
Using full_name_format = %1$s and setting use_fully_qualified_names = False causes only the secondary domain users to return uid= gid= groups= with single entry for each. primary domain users still show full supplemental group listing from all trusted domains. with default full_name_format, full supplemental group list from all trusted domains is present for all users.
I will redact and post sssd.conf. It's a single-domain setup. Other domains are in same forest/trusted. Should I be realm-joining all domains separately on a single client host? I've only realm-joined the primary domain set out in sssd.conf. It was my understanding that joining all domains separately on a single client host was only needed for domains in different forests.
Yours, Larry Root
I will redact and post sssd.conf. It's a single-domain setup. Other domains are in same forest/trusted. Should I be realm-joining all domains separately on a single client host? I've only realm-joined the primary domain set out in sssd.conf. It was my understanding that joining all domains separately on a single client host was only needed for domains in different forests.
Hi,
just joining one domain is sufficient if there are a two-way trusts between the domains in the forest.
bye, Sumit
Hi-
Here's my sssd.conf
[sssd] domains = dom1.ad.example.com config_file_version = 2 services = nss, pam full_name_format = %1$s
[domain/dom1.ad.example.com] ad_server = server1.dom1.ad.example.com,server2.dom1.ad.example.com,server3.dom1.ad.example.com,server4.dom1.ad.example.com,server5.dom1.ad.example.com ad_enabled_domains = dom1.ad.example.com,dom2.ad.example.com,dom3.ad.example.com krb5_realm = DOM1.AD.EXAMPLE.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/tcsh ldap_id_mapping = True use_fully_qualified_names = False override_homedir = /home/users/%u access_provider = ad
As I noted above: When I set full_name_format = %1$s and use_fully_qualified_names = False Supplemental groups fail to resolve (id command) for users in dom2.ad.example.com,dom3.ad.example.com
When I set full_name_format = %1$s and use_fully_qualified_names = True Supplemental groups fail to resolve (id command) for users in all three domains (dom1.ad.example.com,dom2.ad.example.com,dom3.ad.example.com)
Not sure, but it seems like full_name_format = %1$s is still broken in a similar manner. Please let me know what you think. Thanks again! Yours, Larry Root
Hi,
thanks for sending your sssd.conf
. Please use use_fully_qualified_names = False
and try to add
domain_resolution_order = dom1.ad.example.com,dom2.ad.example.com,dom3.ad.example.com
to the [sssd]
section of sssd.conf
, restart SSSD and check if secondary groups are now resolved.
HTH
bye, Sumit
Hi-
Excellent- it works- thank you very much! Any caveats? Also- why was that parameter domain_resolution_order = required here to resolve secondary groups when parameter full_name_format = %1$s is set ?
Thanks again!
Yours, Larry Root
Hi-
Excellent- it works- thank you very much! Any caveats?
Hi,
no, using domain_resolution_order
is basically expected in this use case because ...
Also- why was that parameter domain_resolution_order = required here to resolve secondary groups when parameter full_name_format = %1$s is set ?
when using short names, especially with AD, there are many duplicated user and group name, e.g. Administrator
, Domain Users
etc. To add at least a bit of determinism to domain_resolution_order
parameter was added. Please note that you might see still unexpected output when mixing lookups with fully-qualified names (which of course by-pass the list from domain_resolution_order
) and short names. To cut it short, I would recommend to output fully-qualified names in such an environment, but I understand that this might not always be possible.
HTH
bye, Sumit
Thanks again!
Yours, Larry Root
Hi-
Thank you so much! I had tried -almost- everything. I need to reconsider outputting fully-qualified names for both domains. Thanks again!
Yours, Larry Root
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2838
Running IPA (4.1.0-18.sl7_1.4) with an AD trust. IPA domain is nwra.com, AD domain is ad.nwra.com. All users are in AD. Trying to use:
on the clients to strip the domain from user names so that users do not have to concern themselves with domain info. This appears to break supplemental groups. With just default_domain_suffix I have:
But with full_name_format = %1$s I get:
With it:
Looks like in the latter the groups members still have @ad.nwra.com so orion@ad.nwra.com gets added as a ghost member rather than a proper one?
Comments
Comment from orion at 2015-10-15 00:56:06
That seems to be the right track, as "getent group nwra-users" returns an entry with the @ad.nwra.com suffix on all of the members. Presumably that should get stripped as well.
Comment from jhrozek at 2015-10-16 11:32:23
Thank you, I can reproduce now.
owner: somebody => jhrozek status: new => assigned
Comment from jhrozek at 2015-10-16 11:49:30
The issue is that the subdomain users are (to avoid conflicts) normally saved with fully qualified names.
But unfortunately, the full_name_format also changes how the usernames are stored in the cache and the subdomains code just doesn't expect non-qualified usernames in the cache.
Since we already have first version of the patches that only use full_name_format for presentation of the data, not storing them, I would prefer to solve this ticket along with #2011
Comment from orion at 2015-10-16 16:57:46
That sounds good. I was fairly surprised to see sssd store non-qualified names.
Comment from jhrozek at 2015-10-22 17:36:59
I'm moving the ticket to the same milestone that contains the sysdb refactoring.
milestone: NEEDS_TRIAGE => SSSD 1.14 alpha
Comment from jhrozek at 2015-12-03 22:18:25
Fields changed
rhbz: => todo
Comment from jhrozek at 2015-12-10 11:55:43
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1287209 (Red Hat Enterprise Linux 7)
rhbz: todo => [https://bugzilla.redhat.com/show_bug.cgi?id=1287209 1287209]
Comment from jhrozek at 2016-06-20 12:01:16
I have the sysdb refactoring in my local branch, but I need to release 1.14 alpha today, so moving to Beta.
milestone: SSSD 1.14 alpha => SSSD 1.14 beta
Comment from jhrozek at 2016-06-27 10:56:09
Still needs review and the new sysdb needs db version upgrade.
milestone: SSSD 1.14 beta => SSSD 1.14.0
Comment from jhrozek at 2016-07-01 16:25:30
Fields changed
patch: 0 => 1
Comment from jhrozek at 2016-07-07 12:51:20
Fixed in e6b6b9f..c88b63b
Comment from jhrozek at 2016-07-07 12:51:36
Fields changed
resolution: => fixed status: assigned => closed
Comment from orion at 2017-02-24 14:44:40
Metadata Update from @orion: