Groups from sssd not registering on login

Message

KShots · Post by **KShots** » Tue May 28, 2019 9:41 pm

This is driving me nuts... I've configured another system on my home network to login via sssd (I have several working machines), and this one just won't assign my groups from LDAP. The id command cannot find the groups (either from login or calculated from nsswitch - note the lack of the group wheel):

Code: Select all

rich@graendal ~ $ id
uid=1500(rich) gid=1500(users) groups=1500(users),6(disk),14(uucp),27(video),78(kvm),250(portage),998(libvirt)
rich@graendal ~ $ id rich
uid=1500(rich) gid=1500(users) groups=1500(users),6(disk),14(uucp),27(video),250(portage),78(kvm),998(libvirt)

The groups command shows that the user doesn't currently belong to the wheel group, but calculates that it should belong to it:

Code: Select all

rich@graendal ~ $ groups
disk uucp video kvm portage libvirt users
rich@graendal ~ $ groups rich
wheel test users disk uucp video portage kvm libvirt

If I log out and back in again, nothing changes. Oddly, I can su even though the system thinks I'm not in the wheel group... but I cannot sudo presumably because I am not in the wheel group (which is why I detected this issue). If solving this doesn't resolve sudo, I'll dig deeper into it.

My /etc/nsswitch.conf config:

Code: Select all

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
#

passwd:		sss db files
group:		sss db files
initgroups:	db [SUCCESS=continue] files
shadow:		sss db files
gshadow:	files

hosts:		files dns
networks:	files dns

protocols:	db files
services:	db files
ethers:		db files
rpc:		db files

netgroup:	db files
sudoers:	ldap files

My /etc/sssd/sssd.conf config:

Code: Select all

[sssd]
config_file_version = 2
services = nss, pam
domains = WARFARESDL.COM

[nss]
filter_groups = root
filter_users = root
allowed_shells = /bin/bash
shell_fallback = /bin/bash

[pam]
#pam_verbosity = 3

[sudo]

[domain/WARFARESDL.COM]
#debug_level = 3
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_tls_cacert = /etc/ssl/ca.warfaresdl.com.crt
ldap_access_filter = (gidNumber=1500)
ldap_pwd_policy = mit_kerberos
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/graendal.warfaresdl.com@WARFARESDL.COM
enumerate = true
min_id = 1500
cache_credentials = true
dns_discovery_domain = warfaresdl.com
#lookup_family_order = ipv6_only
ldap_uri = ldap://10.4.12.23, _srv_
ldap_user_search_base = ou=Users,dc=warfaresdl,dc=com,o=War Games?one?
ldap_group_search_base = ou=Groups,dc=warfaresdl,dc=com,o=War Games?one?
ldap_pwd_policy = mit_kerberos
ldap_force_upper_case_realm = true
ldap_schema = rfc2307bis
krb5_server = kerberos1.warfaresdl.com, _srv_
krb5_kpasswd = kerberosadmin.warfaresdl.com
krb5_realm = WARFARESDL.COM
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_auth_timeout = 15
krb5_validate = true
krb5_keytab = /etc/krb5.keytab

Everything else seems to be working... the user doesn't exist in /etc/passwd, but logs in via kerberos successfully (as delegated by sssd). Just the groups appear to be missing :/. Also, in case this is where the problem resides (and it's likely, the thing is a mess cobbled together from hard to find documentation I don't quite comprehend very well, but works properly on my other home machines), here's my /etc/pam.d/system-auth

Code: Select all

auth		required	pam_env.so
#auth		required	pam_unix.so try_first_pass likeauth nullok 
auth		sufficient	pam_unix.so try_first_pass likeauth nullok 
auth		sufficient	pam_sss.so use_first_pass
#auth		optional	pam_permit.so
auth		required	pam_deny.so

account		required	pam_unix.so
account		sufficient	pam_localuser.so
account		sufficient	pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
#account		optional	pam_permit.so
account		required	pam_permit.so

#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 
password	requisite	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3 
#password	required	pam_unix.so try_first_pass use_authtok nullok sha512 shadow 
password	sufficient	pam_unix.so try_first_pass use_authtok nullok sha512 shadow 
password	sufficient	pam_sss.so use_authtok
#password	optional	pam_permit.so
password	required	pam_deny.so

session		required	pam_mkhomedir.so umask=0022 skel=/etc/skel/
session		optional	pam_keyinit.so revoke
session		required	pam_limits.so 
session	[success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session		required	pam_env.so 
-session        optional        pam_systemd.so
session		sufficient	pam_sss.so
session		required	pam_unix.so 
session		optional	pam_permit.so

EDIT: Here's a bit of interesting data in my log (/var/log/sssd/krb5_child.log):

Code: Select all

(Tue May 28 17:44:03 2019) [[sssd[krb5_child[15687]]]] [validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership for user with principal [rich@WARFARESDL.COM] might not be correct.

alamahant · Post by **alamahant** » Wed May 29, 2019 10:35 pm

Hi
May be use the getent command to probe further your network auth situation?

Actually there is a fantastic utility in fedora/redhat called authconfig...
It can handle all things authentication and produces great sssd.conf files.
It even handles pam, nsswitch.conf etc...
It is available for Gentoo here:

http://gentoo.zugaina.org/app-admin/authconfig

Regards
Andreas