You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I am setting "ldap_group_gid_number = extensionAttribute9" in my sssd.conf
After "systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; systemctl start sssd" I see this in the logs:
(Fri May 13 17:24:23 2016) [sssd[be[DOMAIN]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value extensionAttribute9
(Fri May 13 17:24:23 2016) [DOMAIN]]] [sdap_copy_map] (0x0400): Option ldap_group_gid_number has value gidNumber
First the right mapping. Which gets overwritten by the default value right afterwards.
I am running this Centos 7 which is bound to M$ Active Directory 2008rc2. Please let me know if you need any additional information.
[domain/XXX.XXX.DOMAIN.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_id_mapping = False
#ldap_group_gid_number = extensionAttribute9
debug_level = 7
=> 1463154553603797
_comment1: I forgot the sssd.conf:
I can't reproduce this in my setup. Is there any chance the attribute is being overriden for the root domain (or the domain the sssd is enrolled with) but not the child domains? That would be in fact expected, because right now the config file only configures the domain we're enrolled with, not the child domains (we have ticket #2599 that tracks that enhancement).
In my test environment, I first see the main domain being initialized:
(Sun May 15 14:36:51 2016) [sssd[be[win.trust.test]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value myowngid
and then the trusted domain, only with defaults:
(Sun May 15 14:36:51 2016) [sssd[be[win.trust.test]]] [sdap_copy_map] (0x0400): Option ldap_user_gid_number has value gidNumber
Notice the first uses sdap_get_map which reads the config file and creates the mappings, but the second uses sdap_copy_map which only copies the default mappings.
I have no other domains configured. The sssd.conf I uploaded is my complete config. Is there a way that the AD servers set this default value? And if so is there a way to ignore it?
_comment0: I have no other domains configured. The sssd.conf I uploaded is my complete config. Is there a way that the AD servers set this default value? => 1463472659751589
The trusted domains are not configured, but discovered automatically. Even from your opening comment I see that the value was correctly overriden for the main domain:
(Fri May 13 17:24:23 2016) [sssd[be[DOMAIN]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value extensionAttribute9
But sssd used the default values for the trusted domain:
(Fri May 13 17:24:23 2016) [DOMAIN]]] [sdap_copy_map] (0x0400): Option ldap_group_gid_number has value gidNumber
If you are not using accounts from the other trusted domains, you can disable their autodetection with:
subdomains_provider = none
Please note we are working on a better way to selectively enable/disable domains as part of ticket #2828.
Thanks for your quick reply subdomains_provider = none works like you explained. The custom value is not overwritten by the default value anymore. At least in the log.
However the outcome of this is surprising to me. I overwrite ldap_group_gid_number with the attribute extensionAttribute9 which contains a valid numeric gid e.g. 3536 which my user is also part of. I would expect my gid to be 3536 which is not the case. The primary gid is still the value of gidNumber. I am also loosing all non primary groups of my user.
I deleted /var/lib/sss/db/* to get rid if the cache and the mapping.
Do I misunderstand the meaning of ldap_group_gid_number? Or is there a problem?
No, I would not expect that. I wonder if disabling the tokengroups support with ldap_use_tokengroups would help here? If not, it would be best to see the logs.
Without logs, I'm afraid I can't really help you here. The logs might show what are the searches actually looking for and what the server is returning.
I'm sorry, but it seems to me that sssd is behaving correctly here and without the logs, I don't think I can help any further, so I'm closing the ticket.
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3012
I am setting "ldap_group_gid_number = extensionAttribute9" in my sssd.conf
After "systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; systemctl start sssd" I see this in the logs:
(Fri May 13 17:24:23 2016) [sssd[be[DOMAIN]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value extensionAttribute9
(Fri May 13 17:24:23 2016) [DOMAIN]]] [sdap_copy_map] (0x0400): Option ldap_group_gid_number has value gidNumber
First the right mapping. Which gets overwritten by the default value right afterwards.
I am running this Centos 7 which is bound to M$ Active Directory 2008rc2. Please let me know if you need any additional information.
Thanks for your help,
Jan
Comments
Comment from welker at 2016-05-13 17:38:11
Fields changed
summary: ldap_group_gid_number overwritten => ldap_group_gid_number overwritten with default value
Comment from welker at 2016-05-13 17:48:37
I forgot the sssd.conf:
_comment0: I forgot the sssd.conf:
[sssd]
domains = XXX.XXX.DOMAIN.COM
services = nss, pam
config_file_version = 2
[domain/XXX.XXX.DOMAIN.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_id_mapping = False
#ldap_group_gid_number = extensionAttribute9
debug_level = 7
=> 1463154553603797
_comment1: I forgot the sssd.conf:
{{{
[sssd]
domains = XXX.XXX.DOMAIN.COM
services = nss, pam
config_file_version = 2
[domain/XXX.XXX.DOMAIN.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_id_mapping = False
#ldap_group_gid_number = extensionAttribute9
debug_level = 7
}}} => 1463154668780453
Comment from jhrozek at 2016-05-15 16:44:33
I can't reproduce this in my setup. Is there any chance the attribute is being overriden for the root domain (or the domain the sssd is enrolled with) but not the child domains? That would be in fact expected, because right now the config file only configures the domain we're enrolled with, not the child domains (we have ticket #2599 that tracks that enhancement).
In my test environment, I first see the main domain being initialized:
and then the trusted domain, only with defaults:
Notice the first uses
sdap_get_map
which reads the config file and creates the mappings, but the second usessdap_copy_map
which only copies the default mappings.Comment from welker at 2016-05-17 10:05:43
I have no other domains configured. The sssd.conf I uploaded is my complete config. Is there a way that the AD servers set this default value? And if so is there a way to ignore it?
_comment0: I have no other domains configured. The sssd.conf I uploaded is my complete config. Is there a way that the AD servers set this default value? => 1463472659751589
Comment from jhrozek at 2016-05-17 10:16:46
The trusted domains are not configured, but discovered automatically. Even from your opening comment I see that the value was correctly overriden for the main domain:
But sssd used the default values for the trusted domain:
If you are not using accounts from the other trusted domains, you can disable their autodetection with:
Please note we are working on a better way to selectively enable/disable domains as part of ticket #2828.
Comment from welker at 2016-05-17 10:35:18
Thanks for your quick reply subdomains_provider = none works like you explained. The custom value is not overwritten by the default value anymore. At least in the log.
However the outcome of this is surprising to me. I overwrite ldap_group_gid_number with the attribute extensionAttribute9 which contains a valid numeric gid e.g. 3536 which my user is also part of. I would expect my gid to be 3536 which is not the case. The primary gid is still the value of gidNumber. I am also loosing all non primary groups of my user.
I deleted /var/lib/sss/db/* to get rid if the cache and the mapping.
Do I misunderstand the meaning of ldap_group_gid_number? Or is there a problem?
Comment from jhrozek at 2016-05-18 18:34:17
No, I would not expect that. I wonder if disabling the tokengroups support with
ldap_use_tokengroups
would help here? If not, it would be best to see the logs.Comment from jhrozek at 2016-05-26 10:36:46
Without logs, I'm afraid I can't really help you here. The logs might show what are the searches actually looking for and what the server is returning.
Comment from jhrozek at 2016-06-01 18:13:07
I'm sorry, but it seems to me that sssd is behaving correctly here and without the logs, I don't think I can help any further, so I'm closing the ticket.
resolution: => invalid
status: new => closed
Comment from welker at 2017-02-24 14:57:06
Metadata Update from @Welker:
The text was updated successfully, but these errors were encountered: