SSSD: id does not show the group name for a subdomain user (child trust)

In a development environment with SSSD 1.16.2 (release 13.el7_6.5) on RHEL 7.6.

SSSD is configured to query the domain mch.dev. There is a trusted subdomain sub.mch.dev (Win2k16).

On mch.dev I have user user1 in the universal groups G_TEST and allowed_ssh. These groups are also located in the mch.dev domain. On sub.mch.dev I have only user user2. 'user2' is in 'G_TEST' and 'allowed_ssh'.

When I query a user from the mch.dev domain, `id mch\user1` gives me the following result: `uid=83701115(user1) gid=513(sssdgrp) groups=513(sssdgrp),83701107(allowed_ssh),83701117(g_test)`, but for `id sub\user2`, who is in the same groups (universal, child trust), I get `uid=69901104(user2) gid=69901104(user2) groups=69901104(user2)` with no group name.

getent works fine: `getent group 'g_test'` gives: `g_test:*:83701117:user2,user1,mch`

Why do I get no group name for user2?

sssd.conf:

[sssd]
domains = mch.dev
config_file_version = 2
services = nss, pam
default_domain_suffix = mch.dev
full_name_format = %1$s

[nss]
filter_users = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75

[pam]
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account/password expired, please use selfservice portal to change your password and logon again.

[domain/MCH.DEV]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
ad_domain = mch.dev
krb5_realm = MCH.DEV
krb5_store_password_if_offline = True
cache_credentials = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
override_gid = 513
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
dyndns_update = false
ldap_idmap_range_min = 100000
ldap_use_tokengroups = False

Logs are available here. Trimmed log files:

(Mon Feb  4 22:06:49 2019) [sssd[be[MCH.DEV]]] [sdap_get_map] (0x0400): Option ldap_user_member_of has value memberOf
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'srvwin2k16pdc02.sub.mch.dev' as 'working'
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [set_server_common_status] (0x0100): Marking server 'srvwin2k16pdc02.sub.mch.dev' as 'working'
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [fo_set_port_status] (0x0400): Marking port 3268 of duplicate server 'srvwin2k16pdc02.sub.mch.dev' as 'working'
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_id_op_connect_done] (0x2000): Old USN: 74754, New USN: 13572
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_id_op_connect_done] (0x4000): notify connected to op #1
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=mch,DC=dev]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_print_server] (0x2000): Searching 172.31.8.103:3268
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user2)(objectclass=user)(objectSID=*))][DC=mch,DC=dev].
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_process_result] (0x2000): Trace: sh[0x55e206f85b30], connected[1], ops[0x55e206fc3c10], ldap[0x55e206f9e840]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=user2,OU=Users,OU=sub,DC=sub,DC=mch,DC=dev].
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_process_result] (0x2000): Trace: sh[0x55e206f85b30], connected[1], ops[0x55e206fc3c10], ldap[0x55e206f9e840]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_op_destructor] (0x2000): Operation 5 finished
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_user] (0x4000): Storing the user
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x0400): Save user
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sss_domain_get_state] (0x1000): Domain MCH.DEV is Active
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sss_domain_get_state] (0x1000): Domain sub.mch.dev is Active
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_primary_name] (0x0400): Processing object user2
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x0400): Processing user user2@sub.mch.dev
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x1000): Mapping user [user2@sub.mch.dev] objectSID [S-1-5-21-3702155841-230100394-2213857338-1104] to unix ID
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x2000): Adding originalDN [CN=user2,OU=Users,OU=sub,DC=sub,DC=mch,DC=dev] to attributes of [user2@sub.mch.dev].
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [user2@sub.mch.dev].
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20190204145524.0Z] to attributes of [user2@sub.mch.dev].
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x0400): Adding user principal [user2@SUB.MCH.DEV] to attributes of [user2@sub.mch.dev].
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x0400): Storing info for user user2@sub.mch.dev
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [originalMemberOf] of entry [name=user2@sub.mch.dev,cn=users,cn=sub.mch.dev,cn=sysdb]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sysdb_set_entry_attr] (0x0200): Entry [name=user2@sub.mch.dev,cn=users,cn=sub.mch.dev,cn=sysdb] has set [cache, ts_cache] attrs.
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [user2@sub.mch.dev]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [find_user_entry] (0x4000): No user found with filter [user2@mch.dev].
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [check_if_pac_is_available] (0x0040): find_user_entry failed.
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=mch,DC=dev]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_print_server] (0x2000): Searching 172.31.8.93:389
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user2)(objectclass=user)(objectSID=*))][DC=mch,DC=dev].

Thanks in advance

0
asked 5 February 2019 at 00:46
1 answer
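One way to look for the mismatch the question's log hints at (the user entry is read from a DC=sub,DC=mch,DC=dev location via a search rooted at DC=mch,DC=dev, is stored in the cache as user2@sub.mch.dev, and is then looked up as user2@mch.dev) is a small parser over the sssd_be debug log. The script below is an added example for this page, not code from the question or from the SSSD project; it assumes only the log line layout visible above, and the embedded sample lines are constructed from the values the question shows.

```python
import re

# Constructed sample in the shape of the sssd_be debug log shown in the question
# (abridged to the lines the check cares about; values are the question's own).
SAMPLE_LOG = """\
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=mch,DC=dev]
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_print_server] (0x2000): Searching 172.31.8.103:3268
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=user2,OU=Users,OU=sub,DC=sub,DC=mch,DC=dev].
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x0400): Storing info for user user2@sub.mch.dev
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [find_user_entry] (0x4000): No user found with filter [user2@mch.dev].
(Mon Feb  4 22:06:50 2019) [sssd[be[MCH.DEV]]] [check_if_pac_is_available] (0x0040): find_user_entry failed.
"""

# "(timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$"
)


def parse_lines(text):
    """Split the debug log into dicts with ts/dom/func/lvl/msg; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def dn_domain(dn):
    """Join the DC= components of an LDAP DN into a lower-case DNS name.
    Assumes no escaped commas inside attribute values (true for the DNs on this page)."""
    parts = [p.split("=", 1)[1] for p in dn.split(",") if p.strip().upper().startswith("DC=")]
    return ".".join(parts).lower()


def analyse(text):
    """Pull out the search base, server, entry DN, stored name and failed cache
    lookups, then report where the domains disagree."""
    report = {"search_base": None, "server": None, "entry_dn": None,
              "stored_as": None, "lookup_failed": [], "findings": []}
    for ev in parse_lines(text):
        func, msg = ev["func"], ev["msg"]
        if func == "sdap_get_initgr_next_base":
            m = re.search(r"base \[(.+?)\]", msg)
            if m:
                report["search_base"] = m.group(1)
        elif func == "sdap_print_server":
            m = re.search(r"Searching (\S+)", msg)
            if m:
                report["server"] = m.group(1)
        elif func == "sdap_parse_entry":
            m = re.search(r"OriginalDN: \[(.+?)\]", msg)
            if m:
                report["entry_dn"] = m.group(1)
        elif func == "sdap_save_user" and msg.startswith("Storing info for user "):
            report["stored_as"] = msg[len("Storing info for user "):].strip()
        elif func == "find_user_entry" and "No user found with filter" in msg:
            m = re.search(r"filter \[(.+?)\]", msg)
            if m:
                report["lookup_failed"].append(m.group(1))

    # Finding 1: the entry was returned from a different domain than the search base.
    if report["entry_dn"] and report["search_base"]:
        entry_dom, base_dom = dn_domain(report["entry_dn"]), dn_domain(report["search_base"])
        if entry_dom != base_dom:
            via = " (port 3268 is the global catalog, which answers for the whole forest)" \
                if report["server"] and report["server"].endswith(":3268") else ""
            report["findings"].append(
                f"entry lives in {entry_dom} but was found under base {base_dom}{via}")

    # Finding 2: the cache lookup used a different domain suffix than the stored name.
    if report["stored_as"] and "@" in report["stored_as"]:
        stored_dom = report["stored_as"].split("@", 1)[1].lower()
        for name in report["lookup_failed"]:
            if "@" in name and name.split("@", 1)[1].lower() != stored_dom:
                report["findings"].append(
                    f"cache lookup used {name} but the entry was stored as {report['stored_as']}")
    return report


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run it against a real sssd_be log (debug_level = 9, as in the question's config) by reading the file into `analyse()` instead of `SAMPLE_LOG`; two findings on the sample mean the user object was fetched through the forest-wide search but cached under one name and looked up under another, which is the symptom to correlate with the `default_domain_suffix` and `full_name_format` settings in sssd.conf.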

Deleting use_fully_qualified_names = True, ldap_use_tokengroups = False, default_domain_suffix = mch.dev and full_name_format = %1$s solves the problem.

0
answered 5 December 2019 at 04:18
