SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

Multi domain configuration - can't get all gids for all groups where the user is member of #7280

Open manuel-hiller-ebm opened 6 months ago

manuel-hiller-ebm commented 6 months ago

Hello together, I would like to implement a domain configuration for my multi-domain environment. Moreover, I would like to retrieve all groups and their gids of which the user is a member.

Here an example of my domain structure:

ad1.domain.loc - Linux machines will be joined here, users and global groups are located there
ad2.domain.loc - only users

So my actual problem is that I can't get the gids of groups from the domain ad1.domain.loc of which the user from domain ad2.domain.loc is a member.

Here is my /etc/sssd/sssd.conf configuration:

[sssd]
domains = ad1.domain.loc, ad2.domain.loc
reconnection_retries = 3
config_file_version = 2
[nss]
filter_groups = root
filter_users = root

[domain/ad1.domain.loc]
access_provider = ad
ad_domain = ad1.domain.loc
ad_enabled_domains = ad1.domain.loc
ad_gpo_access_control = disabled
ad_maximum_machine_account_password_age = 3
ad_server = DC1.ad1.domain.loc, DC2.ad1.domain.loc
ad_use_ldaps = True
auth_provider = ad
cache_credentials = True
default_shell = /bin/bash
dyndns_iface = ens192
dyndns_refresh_interval = 86400
dyndns_ttl = 3600
dyndns_update = True
dyndns_update_ptr = True
entry_cache_timeout = 604800
fallback_homedir = /home/AD1/%u
id_provider = ad
ignore_group_members = True
krb5_realm = ad1.domain.loc
krb5_store_password_if_offline = True
ldap_id_mapping = False
ldap_sasl_authid = hostname$@ad1.domain.loc
ldap_search_base = dc=ad1,dc=ebmpapst,dc=loc
ldap_uri = ldaps://gc.ad1.domain.loc:3269
use_fully_qualified_names = False

[domain/ad2.domain.loc]
access_provider = ad
ad_domain = ad2.domain.loc
ad_enabled_domains = ad2.domain.loc
ad_gpo_access_control = disabled
ad_maximum_machine_account_password_age = 3
ad_server = DC1.ad2.domain.loc, DC2.ad2.domain.loc
ad_use_ldaps = True
auth_provider = ad
cache_credentials = True
default_shell = /bin/bash
dyndns_iface = ens192
dyndns_refresh_interval = 86400
dyndns_ttl = 3600
dyndns_update = True
dyndns_update_ptr = True
entry_cache_timeout = 604800
fallback_homedir = /home/AD2/%u
id_provider = ad
ignore_group_members = True
krb5_realm = ad2.domain.loc
krb5_store_password_if_offline = True
ldap_id_mapping = False
ldap_sasl_authid = hostname$@ad1.domain.loc
ldap_search_base = dc=ad2,dc=domain,dc=loc
ldap_uri = ldaps://gc.ad1.domain.loc:3269
use_fully_qualified_names = False

I have already tried the sssd.conf options enumerate and subdomain_enumerate, but these options did not help me. Thank you for your support.

Best regards Manuel

sumit-bose commented 6 months ago

Hi,

you currently cannot mix group memberships from different domains configured in sssd.conf by design. But as long as those two domains belong to the same forest, i.e. the two domains (not forests) trust each other, a single domain in sssd.conf should be sufficient and SSSD should be able to discover the second domain automatically.

bye, Sumit
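The first post's configuration and Sumit's answer point at two things worth checking mechanically before opening a ticket: whether each `[domain/...]` section references only its own domain's servers and principal (the second section above points `ldap_uri` and `ldap_sasl_authid` at ad1), and whether more than one AD domain is configured separately, which by design does not merge group memberships. The following Python linter is an added example and not SSSD's own code or parser; it is a heuristic over the ini text (SSSD uses its own ini library, so treat results as advisory), and the embedded sample is a constructed configuration mirroring the shape of the one in the issue with placeholder hostnames.

```python
import configparser
import sys
from urllib.parse import urlparse

# Constructed sample mirroring the shape of the configuration in the issue
# (hostnames and domains are placeholders, not a real site).
SAMPLE_CONF = """
[sssd]
domains = ad1.domain.loc, ad2.domain.loc
config_file_version = 2

[domain/ad1.domain.loc]
id_provider = ad
ad_domain = ad1.domain.loc
ad_server = DC1.ad1.domain.loc, DC2.ad1.domain.loc
ldap_sasl_authid = host$@ad1.domain.loc
ldap_uri = ldaps://gc.ad1.domain.loc:3269
fallback_homedir = /home/AD1/%u

[domain/ad2.domain.loc]
id_provider = ad
ad_domain = ad2.domain.loc
ad_server = DC1.ad2.domain.loc, DC2.ad2.domain.loc
ldap_sasl_authid = host$@ad1.domain.loc
ldap_uri = ldaps://gc.ad1.domain.loc:3269
fallback_homedir = /home/AD2/%u
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; %u/%d are SSSD template tokens, so interpolation is off."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _hostname(item):
    """Lower-case host from a bare hostname or an ldap(s):// URI."""
    item = item.strip()
    if "://" in item:
        item = urlparse(item).hostname or ""
    return item.lower()


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def lint(cp):
    """Return (code, section, message) findings for the multi-domain pitfalls."""
    findings = []
    if cp.has_option("sssd", "domains"):
        listed = [d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()]
    else:
        listed = []
        findings.append(("NO_DOMAINS", "sssd",
                         "no domains= key in [sssd]; a typo such as domins= leaves every domain inactive"))
    sections = {s[len("domain/"):]: s for s in cp.sections() if s.startswith("domain/")}
    for name in listed:
        if name not in sections:
            findings.append(("MISSING_SECTION", name, "listed in domains= but has no [domain/%s] section" % name))
    for name, sec in sections.items():
        if name not in listed:
            findings.append(("UNUSED_SECTION", sec, "section exists but is not listed in domains="))
    ad_sections = []
    for name, sec in sections.items():
        if cp.get(sec, "id_provider", fallback="").strip().lower() != "ad":
            continue
        ad_sections.append(sec)
        domain = cp.get(sec, "ad_domain", fallback=name).strip().lower()
        if domain != name.lower():
            findings.append(("AD_DOMAIN_MISMATCH", sec, "ad_domain=%s differs from the section name" % domain))
        # Servers and the GC URI should belong to this section's own domain.
        for key in ("ad_server", "ldap_uri"):
            for item in cp.get(sec, key, fallback="").split(","):
                host = _hostname(item)
                if host and host != "_srv_" and not _in_domain(host, domain):
                    findings.append(("FOREIGN_SERVER", sec, "%s=%s is outside %s" % (key, host, domain)))
        authid = cp.get(sec, "ldap_sasl_authid", fallback="")
        if "@" in authid and authid.split("@", 1)[1].strip().lower() != domain:
            findings.append(("FOREIGN_PRINCIPAL", sec, "ldap_sasl_authid realm is not %s" % domain))
    if len(ad_sections) > 1:
        findings.append(("MULTI_AD_DOMAIN", "sssd",
                         "%d separately configured AD domains: group memberships are not merged across "
                         "them; if they share a forest, configure one and let SSSD discover the rest"
                         % len(ad_sections)))
    return findings


def lint_text(text):
    return lint(parse_sssd_conf(text))


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for code, where, msg in lint_text(source):
        print("%-18s %-24s %s" % (code, where, msg))
```

Run it as `python3 lint_sssd.py /etc/sssd/sssd.conf` (as root, since the file is mode 0600). On the constructed sample it reports `FOREIGN_SERVER` and `FOREIGN_PRINCIPAL` for the ad2 section and one `MULTI_AD_DOMAIN` note; a configuration with a single `[domain/ad1.domain.loc]` section, as Sumit suggests, produces no findings.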

manuel-hiller-ebm commented 6 months ago

Hi, thank you for your reply. Do I have to join the machines to the forest domain to reach the goal or should it also be possible to join them into one of the subdomains?

regards, Manuel

sumit-bose commented 6 months ago

Hi,

it should be sufficient to just join ad1.domain.loc.

bye, Sumit

manuel-hiller-ebm commented 6 months ago

Hi, could you please provide me an example sssd configuration for that use case? I am not able to achieve this functionality. Thank you!

regards, Manuel

NdK73 commented 5 months ago

Same problem here. No need to join if you can use a dedicated account:

[sssd]
domains=MAIN

[domain/MAIN]
# %d will be MAIN (from section name) even for trusted domains!
override_homedir = /home/%d/%u
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_group_nesting_level = 5 
ldap_uri = ldaps://dc.example.com:3269
# Must include subdomains in ldap_user_search_base
ldap_user_search_base = DC=main,DC=example,DC=com???DC=sub,DC=example,DC=com??
ldap_default_bind_dn = CN=appaccount,OU=users,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = MyTopsecretPW
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_fullname = displayName
ldap_schema = ad
ldap_referrals = False
ldap_id_mapping = True
ldap_tls_cacert = /etc/sssd/myroot.crt
enumerate = false
cache_credentials = true
entry_cache_user_timeout = 28800
entry_cache_group_timeout = 86400
ldap_id_use_start_tls = false
debug_level = 3
ldap_access_filter = memberOf:1.2.840.113556.1.4.1941:=CN=allowedgroup,OU=myou,DC=example,DC=com
case_sensitive = Preserving

If you need a different home for users from subdomain(s), I'm going to post a patch soon, since I've had no luck trying to configure a subdomain_homedir for a trusted domain.

NdK73 commented 5 months ago

For the patch I'm using see https://github.com/SSSD/sssd/issues/7046#issuecomment-2090253619