SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

SSSD 2.9.4 - unable to look up some groups. #7359

Closed kragebein closed 4 months ago

kragebein commented 4 months ago

I'm having an issue where newer versions of SSSD are failing to look up and map AD groups. Instead of group names, we're returned the SIDs of the groups.

I have two servers, server A [Ubuntu 24.04, SSSD 2.9.4] and server B [Ubuntu 22.04, SSSD 2.6.3]. Server B doesn't have this issue, whereas server A has it. Double-checked this with Ubuntu 23.10, but forgot to check the SSSD version on that; the problem exists on Ubuntu 23.10 as well.

For example, the below is generated using id <username> | sed 's/,/\n/g' | sort. In total there are 93 groups, but on sssd 2.9.4, 38 of them return with a SID instead of a group name.

The groups themselves are set up in exactly the same way. Similar attributes, security etc. There is nesting, but not deep enough to cause issues.

Ubuntu 24.04 (sssd 2.9.4)                                   | Ubuntu 22.04 (sssd 2.6.3)
------------------------------------------------------------|---------------------------------------------------
1487800512(domain admins)                                   | 1487800512(domain admins)
1487800572(denied rodc password replication group)          | 1487800572(denied rodc password replication group)
1487801101(dnsadmins)                                       | 1487801101(dnsadmins)
1487801143(dl_serverp_root_access)                          | 1487801143(dl_serverp_root_access)
1487801144(dl_serverp_system_access)                        | 1487801144(dl_serverp_system_access)
1487801146(g golang administration)                         | 1487801146(g golang administration)
1487801162(dl fsc full access)                              | 1487801162(dl fsc full access)
1487801616(s-1-5-21-2416764262-3997562182-2768056474-1616)  | 1487801616(dl web cluster 1 administrator access)
1487801618(s-1-5-21-2416764262-3997562182-2768056474-1618)  | 1487801618(dl webdev cluster 1 administrator access)
1487801629(s-1-5-21-2416764262-3997562182-2768056474-1629)  | 1487801629(dl someweb administrator access)
1487801655(s-1-5-21-2416764262-3997562182-2768056474-1655)  | 1487801655(dl web cluster 2 administrator access)
1487801687(s-1-5-21-2416764262-3997562182-2768056474-1687)  | 1487801687(dl file share)
1487801707(s-1-5-21-2416764262-3997562182-2768056474-1707)  | 1487801707(dl someserver administrator access)
1487801722(dl_logger_root_access)                           | 1487801722(dl_logger_root_access)
1487801723(dl_logger_system_access)                         | 1487801723(dl_logger_system_access)

Attachments: ubuntu2404.txt, ubuntu2204.txt

Above, I've attached logs from sssd (using sssctl analyze request show <id>). These logs represent me trying to look up a group via getent group sys_servers_remote. It works just fine on Ubuntu 22.04, but returns nothing on Ubuntu 24.04.

Meanwhile, the sssd config, nsswitch and krb5 config:

sssd.conf:

[sssd]
config_file_version = 2
domains = some-domain.no
services = nss, pam
#enumerate=True

[domain/some-domain.no]
ldap_group_nesting_level = 5
debug_level=9

id_provider = ad
auth_provider = ad
access_provider = simple
chpass_provider = ad
simple_allow_groups = sys_servers_remote

use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /home/%u

krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = SOME-DOMAIN.NO

[nss]
debug_level=9

nsswitch.conf:

passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
automount:      sss

krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SOME-DOMAIN.NO
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false

[realms]

[domain_realm]

The configs above are identical on both servers. They are created using packer and configured via salt, so they should be identical in all ways that matter, with the exception of hostnames and IPs.

So any help or suggestions to what might be the cause of this, or how to fix it is greatly appreciated.
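To quantify the symptom described in the report on any host, here is an added example (it is not from the issue and not SSSD's own tooling) that splits the output of id into one line per group and counts the groups whose "name" is still a domain SID, i.e. the ones SSSD failed to resolve. The sample id line is constructed: the GIDs and SIDs are the ones quoted in the report, the uid and user name are made up.

```shell
#!/bin/sh
# Added example, not from the issue or from SSSD: find groups that `id` still
# reports by SID (resolution failed) instead of by AD group name.

# Constructed sample of `id <user>` output: the GIDs/SIDs are the ones quoted
# in the report, the uid and user name are made up.
SAMPLE_ID='uid=1487801234(someuser) gid=1487800513(domain users) groups=1487800513(domain users),1487801143(dl_serverp_root_access),1487801616(s-1-5-21-2416764262-3997562182-2768056474-1616),1487801618(s-1-5-21-2416764262-3997562182-2768056474-1618)'

# id_groups <id-output>: print one "gid<TAB>name" line per entry in groups=...
id_groups() {
    printf '%s\n' "$1" | awk '
        {
            sub(/.*groups=/, "")                 # keep only the group list
            sub(/ context=.*/, "")               # drop a trailing SELinux context
            n = split($0, g, ",")
            for (i = 1; i <= n; i++) {
                if (g[i] !~ /^[0-9]+\(.*\)$/) continue   # not a gid(name) entry
                gid = g[i];  sub(/\(.*/, "", gid)
                name = g[i]; sub(/^[0-9]+\(/, "", name); sub(/\)$/, "", name)
                print gid "\t" name
            }
        }'
}

# unresolved_groups <id-output>: only the groups whose "name" is a domain SID.
# SSSD lower-cases names by default, so match case-insensitively.
unresolved_groups() {
    id_groups "$1" | awk -F'\t' 'tolower($2) ~ /^s-1-5-21-/'
}

# count_unresolved <id-output>: number of such groups; 0 means all resolved.
count_unresolved() {
    unresolved_groups "$1" | awk 'END { print NR }'
}

# Usage: sh check_sid_groups.sh <username>   (run on the affected host)
# Without an argument the constructed sample above is used.
if [ -n "${1:-}" ]; then
    out=$(id "$1")
else
    out=$SAMPLE_ID
fi
echo "groups reported by SID: $(count_unresolved "$out") of $(id_groups "$out" | awk 'END { print NR }')"
unresolved_groups "$out"
```

Run it on both hosts with the same user and diff the output; the SID rows name exactly the groups to look at in the sssd domain log. Splitting on "," assumes no AD group name itself contains a comma, which is the same assumption the sed command in the report makes.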

sumit-bose commented 4 months ago

Hi,

can you try to add

ldap_ignore_unreadable_references = True

to the [domain/...] section of sssd.conf on the host with issues and try again?

HTH

bye, Sumit
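One way to apply the suggested option without hand-editing, as an added example that is neither from the issue nor from SSSD: a small sh/awk helper that adds a key to every [domain/...] section of an sssd.conf that does not already set it (so it is safe to run from configuration management repeatedly), demonstrated on a constructed, trimmed copy of the reporter's config. The helper names are this example's own; the paths, domain name and group name in the trailing host procedure are taken from the report.

```shell
#!/bin/sh
# Added example, not from the issue or from SSSD: add the suggested option to
# the [domain/...] section(s) of an sssd.conf copy, then the steps to activate
# and verify it on the host. Helper names are this example's own.

# set_domain_option <conf> <key> <value>
# Print <conf> with "<key> = <value>" appended to every [domain/...] section
# that does not already assign <key>. Other sections are left untouched.
set_domain_option() {
    awk -v key="$2" -v value="$3" '
        function flush() {            # leaving a domain section: add key if absent
            if (in_domain && !seen) print key " = " value
            while (blanks-- > 0) print ""
            blanks = 0; in_domain = 0; seen = 0
        }
        /^\[/         { flush() }
        /^\[domain\// { in_domain = 1 }
        in_domain && /^[ \t]*$/ { blanks++; next }          # hold blank lines back
        in_domain && $0 ~ ("^[ \t]*" key "[ \t]*=") { seen = 1 }
        { while (blanks-- > 0) print ""; blanks = 0; print }
        END { flush() }
    ' "$1"
}

# count_key <conf> <key>: how many lines assign <key>, in any section
count_key() {
    awk -v key="$2" '$0 ~ ("^[ \t]*" key "[ \t]*=") { n++ } END { print n + 0 }' "$1"
}

# section_of <conf> <key>: header of each section in which <key> is assigned
section_of() {
    awk -v key="$2" '/^\[/ { sec = $0 } $0 ~ ("^[ \t]*" key "[ \t]*=") { print sec }' "$1"
}

# Constructed, trimmed copy of the config from the report to demonstrate on.
ORIG=$(mktemp); NEW=$(mktemp); NEW2=$(mktemp)
cat > "$ORIG" <<'EOF'
[sssd]
config_file_version = 2
domains = some-domain.no
services = nss, pam

[domain/some-domain.no]
ldap_group_nesting_level = 5
debug_level=9

id_provider = ad
auth_provider = ad
access_provider = simple
simple_allow_groups = sys_servers_remote

[nss]
debug_level=9
EOF

KEY=ldap_ignore_unreadable_references
set_domain_option "$ORIG" "$KEY" True > "$NEW"    # adds the line once
set_domain_option "$NEW"  "$KEY" True > "$NEW2"   # idempotent: no duplicate
cat "$NEW"

# On the affected host, as root (not run here):
#   cp -p /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak
#   set_domain_option /etc/sssd/sssd.conf.bak ldap_ignore_unreadable_references True > /etc/sssd/sssd.conf
#   chmod 0600 /etc/sssd/sssd.conf              # sssd refuses a readable config
#   sss_cache -E                                # invalidate cached entries
#   systemctl restart sssd
#   getent group sys_servers_remote             # should now return the group
#   id <username> | tr ',' '\n' | grep -ic 's-1-5-21-'   # expected: 0
```

The cache step matters: SSSD keeps negative and stale group entries in its cache, so a config change alone can appear not to work until the cache is invalidated, which is what the reporter saw. Keep the backup copy until getent and id confirm the groups resolve.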

kragebein commented 4 months ago

Surprisingly, this worked. I was sure I had tested this, but now, after clearing the cache, this seems to be working. Thanks for the quick reply.