andreboscatto
commented
9 months ago Dear Contributor/User,
Recognizing the importance of addressing enhancements, bugs, and issues for the SSSD project's quality and reliability, we also need to consider our long-term goals and resource constraints.
After thoughtful consideration, regrettably, we are unable to address this request at this time. To avoid any misconception, we're closing it; however, we encourage continued collaboration and contributions from anyone interested.
We apologize for any inconvenience and appreciate your understanding of our resource limitations. While you're welcome to open a new issue (or reopen this one), immediate attention may not be guaranteed due to competing priorities.
Thank you once again for sharing your feedback. We look forward to ongoing collaboration to deliver the best possible solutions, supporting in any way we can.
Best regards, André Boscatto
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/4154
I have problem with getting user groups from AD. My lab configuration:
apt show sssd
Package: sssd Version: 1.16.1-1ubuntu1.4
============
I did following steps
create and configure AD with powershell and command from "skrypty.ps1" file (also create users and groups)
create group membership with commands from "grupy.ps1" and "grupy_w_grupach.ps1" files
then I try:
id testuser1
uid=393201103(testuser1) gid=393200513 groups=393200513
on the other hand: ldapsearch -v -H ldap://192.168.57.10:3268 -b "CN=Users,dc=dorsz,dc=kjonca" -D $'kjonca@dorsz.kjonca' -w Virtualbox1 '(&(sAMAccountName=testuser1))
returns proper group membership.
Comments
Comment from kjonca at 2020-02-04 11:21:03
Comment from atikhonov at 2020-02-04 18:00:50
Hi,
1) why do you use id_provider = ldap auth_provider = ldap
and not
= ad?2) do you use nested groups in your setup?
Comment from kjonca at 2020-02-05 07:10:09
Ad.1 - It is not my setup, but taken (and adapted to tests) from our machines running old ubuntu versions. We want to migrate to ubuntu 18/20, but we have problems with groups. EDIT: AD server is used only to give us user/group membership. Machines are not connected to domain. So (if I understand correctly) I cannot use id_provider/auth_provider = ad? Ad. 2- yes. We have nested groups.
Comment from emersonux at 2020-02-14 13:29:07
Hello,
I created the issue #4151 . So @sbose suggested to add ldap_use_tokengroups = False on sssd.conf. It worked for me.
Regards,
Comment from kjonca at 2020-02-24 12:01:37
Changing ldap_use_tokengroups does not help.
Comment from sbose at 2020-02-24 12:26:54
Hi,
Please add
debug_level=9to the[nss]section as well, restart SSSD, call theidcommand and attache the SSSD nss and domain log to this ticket, if possible.bye, Sumit
Comment from kjonca at 2020-02-24 14:42:08
Attached.
Comment from sbose at 2020-02-24 16:45:36
Hi,
it looks like SSSD needs too much time to store all group member of the groups the user is a member of into the cache. Can you try if add
ignore_group_members = Truehelps to speed things up and allows theidcommand to return all groups the user is a member of?bye, Sumit
Comment from kjonca at 2020-02-25 09:26:37
I can try, but IIRC, we use group members field in tests so it can break our config also.
Comment from kjonca at 2020-02-26 10:32:11
and "ignore_group_members = True " did not help :(
Comment from kjonca at 2020-02-27 09:30:13
I forgot to write: I tried to disable enumeration (enumerate=false) and then I tried to populate cache "manually" (ldapsearch + getent on every entry) but after this "id testuser1" also returns bad results. So I think that is something wrong with cache in sssd.
Comment from thalman at 2020-03-13 15:59:33
Metadata Update from @thalman: