SSSD Configuration - Missing Group Memberships #7879

Open
p-e-t-e-r10 opened this issue Mar 14, 2025 · 8 comments
Comments

p-e-t-e-r10 commented Mar 14, 2025

Hello @justin-stephenson @sumit-bose ,

I am configuring SSSD against Active Directory, and when I run id mako2, I get the following output:

id mako2  
uid=659262017(mako2) gid=659200513(Domain Users) groups=659200513(Domain Users)

However, when I run ldapsearch, I get the following details:

dn: CN=Peter Mako,OU=2021,OU=Studenti,OU=People,DC=fri,DC=uniza,DC=sk  
...
memberOf: CN=studenti_Ing,OU=Groups,DC=fri,DC=uniza,DC=sk  
memberOf: CN=studenti,OU=Groups,DC=fri,DC=uniza,DC=sk  
...

As you can see, the memberOf attribute in LDAP clearly shows that the user is a member of the studenti and studenti_Ing groups, but these groups do not appear in the output of the id command.

Could you please advise on which parameters I need to add to my SSSD configuration to correctly retrieve and display these group memberships?

I am attaching the output of ldapsearch as well as my SSSD configuration file for reference.

OUTPUT_LDAPSEARCH.txt

Thank you!

Best regards,
Peter

@alexey-tikhonov (Member)

Why do you use 'id_provider = ldap' and not 'id_provider = ad'?

@p-e-t-e-r10 (Author)

Whether I use id_provider = ldap or id_provider = ad does not matter, because the output is the same. But I have already changed id_provider to ad. It's probably better...

@alexey-tikhonov (Member)

Is this host enrolled into AD domain?

@alexey-tikhonov (Member) commented Mar 14, 2025

Is this host enrolled into AD domain?

Note that SSSD doesn't read the 'memberOf' attribute of user entries from the LDAP server.
It searches for the groups that a given user is a member of, using a method that depends on the 'id_provider' value.
For AD it is tokenGroups by default.
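The comment above is the crux of the thread: what `id` prints comes from a tokenGroups lookup (the user's effective token, which includes the primary group and nested groups), not from the memberOf values the reporter pasted, so the right thing to compare against `id` is tokenGroups. The following is an added example, not code from the SSSD project or from anyone in this thread. It decodes the binary SIDs that a base-scope ldapsearch for tokenGroups returns in LDIF, and pairs each SID with the GID that SSSD's default ID mapping (slice base plus RID, default range size 200000) would assign. The domain SID and the LDIF are constructed; the slice base 659200000 is inferred from the issue's own output, where Domain Users (RID 513) has gid 659200513.

```python
import base64
import struct

# Added example (not SSSD code): decode the tokenGroups attribute that the AD
# provider reads instead of memberOf, and show which GID SSSD's default ID
# mapping would assign inside the domain's slice. The SIDs and the LDIF below
# are constructed for this example; only the slice base is taken from the
# issue's output (gid 659200513 for Domain Users, whose RID is 513).

IDMAP_RANGE_SIZE = 200000          # SSSD default ldap_idmap_range_size


def encode_sid(sid):
    """Pack 'S-1-5-21-...' into the binary layout AD returns in tokenGroups."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def decode_sid(blob):
    """Inverse of encode_sid: revision, sub-authority count, 48-bit authority
    (big-endian), then little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack_from("<BB", blob, 0)
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def token_group_sids(ldif_text):
    """Extract SIDs from an LDIF dump of a base-scope search for tokenGroups.
    LDIF writes binary attributes base64-encoded after '::' and may wrap
    long values onto continuation lines that start with a single space."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [decode_sid(base64.b64decode(line.split(":: ", 1)[1]))
            for line in lines if line.startswith("tokenGroups:: ")]


def expected_gid(sid, domain_sid, slice_base):
    """GID SSSD's default ID mapping gives a SID from domain_sid: slice base
    plus RID, for RIDs that fit in the primary slice. SIDs from other
    domains (for example BUILTIN) return None; this example does not compute
    the hash-derived slice of another domain."""
    prefix = domain_sid + "-"
    if not sid.startswith(prefix):
        return None
    rid = int(sid[len(prefix):])
    if rid >= IDMAP_RANGE_SIZE:
        return None
    return slice_base + rid


# Constructed inputs: a made-up domain SID and the slice base inferred from the issue.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SLICE_BASE = 659200513 - 513
SAMPLE_LDIF = (
    "dn: CN=Peter Mako,OU=2021,OU=Studenti,OU=People,DC=fri,DC=uniza,DC=sk\n"
    + "".join("tokenGroups:: %s\n" % base64.b64encode(encode_sid(s)).decode()
              for s in (DOMAIN_SID + "-513",     # Domain Users: primary group, absent from memberOf
                        DOMAIN_SID + "-1107",    # stands in for studenti (constructed RID)
                        DOMAIN_SID + "-1108",    # stands in for studenti_Ing (constructed RID)
                        "S-1-5-32-545")))        # BUILTIN Users: not mapped by this example


def effective_groups(ldif_text, domain_sid=DOMAIN_SID, slice_base=SLICE_BASE):
    """Pair each tokenGroups SID with the GID SSSD would assign (or None)."""
    return [(sid, expected_gid(sid, domain_sid, slice_base))
            for sid in token_group_sids(ldif_text)]


if __name__ == "__main__":
    for sid, gid in effective_groups(SAMPLE_LDIF):
        print(sid, gid)
```

To use it on a real host, dump the attribute with a base-scope search of the user's own DN (tokenGroups is a constructed attribute and is only returned for scope base), for example `ldapsearch -LLL -Y GSSAPI -b "<user DN>" -s base tokenGroups > out.ldif`, and feed the file to `token_group_sids`. Every in-domain SID that comes back should have its mapped GID in the `id` output; if it does not, the gap is in SSSD's group resolution or ID mapping, not in memberOf. Under the same mapping the reporter's uid 659262017 corresponds to RID 62017, and Domain Users shows up in `id` because tokenGroups carries the primary group, which memberOf never lists.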

@p-e-t-e-r10 (Author)

> Is this host enrolled into AD domain?

Yes it is

@p-e-t-e-r10 (Author)

> Is this host enrolled into AD domain?
>
> Note that SSSD doesn't read 'memberOf' user attributes from the LDAP server. It searches groups that a given member is user of, using a method that depends on 'id_provider' value. For AD it is tokenGroups by default.

Okay, so what should I do? Which parameter should I set? BTW, I must use 'id_provider = ldap', because when I use 'id_provider = ad' I see the message Permission denied in the logs; I am not a user with admin privileges.

thanks
Peter

@alexey-tikhonov (Member)

If the host is indeed enrolled (i.e. there is a keytab with host keys), then try to use 'id_provider = ad' and do not specify any other '*_provider' (they will default to ad).
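To make the advice in this reply concrete, here is an added example (not SSSD code and not the reporter's real configuration) that places the shape of configuration the thread starts from next to the suggested one, and runs the two checks the reply implies: that every [domain/...] section uses id_provider = ad without auth or chpass providers pointed elsewhere, and that the host keytab exists. The LDAP URI is hypothetical, and the keytab path is SSSD's default for krb5_keytab; the keytab check is injectable so the example runs offline.

```python
import configparser
import os

# Added example (not SSSD code): the configuration shape from the start of the
# thread next to the one suggested in the reply, plus the checks a practitioner
# makes before blaming membership lookup. Both fragments are constructed for
# this example; the LDAP URI is hypothetical.

BEFORE = """\
[sssd]
domains = fri.uniza.sk
services = nss, pam

[domain/fri.uniza.sk]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://dc.example.invalid
ldap_search_base = DC=fri,DC=uniza,DC=sk
"""

AFTER = """\
[sssd]
domains = fri.uniza.sk
services = nss, pam

[domain/fri.uniza.sk]
id_provider = ad
"""

DEFAULT_KEYTAB = "/etc/krb5.keytab"   # SSSD's default for krb5_keytab


def check_domains(conf_text, keytab_exists=os.path.exists):
    """Return a list of findings for every [domain/...] section.
    keytab_exists is injectable so the check can run without a real keytab."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        idp = dom.get("id_provider")
        if idp != "ad":
            findings.append("%s: id_provider = %s; against AD use id_provider = ad, "
                            "which resolves membership with tokenGroups" % (section, idp))
        # With id_provider = ad these default to ad; setting them to something
        # else is what the reply advises against.
        explicit = [k for k in ("auth_provider", "chpass_provider")
                    if dom.get(k) not in (None, "ad")]
        if idp == "ad" and explicit:
            findings.append("%s: %s set explicitly; leave unset so they default to ad"
                            % (section, ", ".join(explicit)))
        keytab = dom.get("krb5_keytab", DEFAULT_KEYTAB)
        if not keytab_exists(keytab):
            findings.append("%s: keytab %s missing; the host does not look enrolled"
                            % (section, keytab))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_domains(text) or ["ok"])
```

Run it against the real file with `check_domains(open("/etc/sssd/sssd.conf").read())` as root (the file is mode 0600). An empty list means the domain section matches the reply's advice and a host keytab is present; after changing the provider, clear the cache and restart SSSD before re-checking `id`, since stale group entries would otherwise mask the change.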

@alexey-tikhonov (Member)

Btw, tickets are meant for bug reports, not for asking for help with configuration.
