Cheers,
I have a problem with CentOS 6.x + PAM (1.1.1-17.el6) via SSSD (1.9.2-129.el6) via LDAP (openldap 2.4.23-32.el6_4.1).
It's configured so that users can log in to the system with credentials stored in the LDAP server, and it works well.
The one problem is that 'id' doesn't show the additional groups that are created in the LDAP database.
So, once more: the OS doesn't see the additional groups that are configured in LDAP, but the main group that is entered in LDAP is fine.
In the nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
In the sssd.conf:
[sssd]
config_file_version = 2
services = nss, pam, sudo
enumerate = true
domains = LDAP
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root,bin,daemon,sys,adm,disk,wheel
[pam]
[domain/LDAP]
#debug_level = 9
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://localhost
ldap_chpass_uri = ldap://localhost
ldap_id_uri = ldap://localhost
ldap_auth_uri = ldap://localhost
ldap_search_base = dc=domain,dc=com
ldap_user_search_base = ou=people,dc=domain,dc=com
ldap_group_search_base = ou=groups,dc=domain,dc=com
ldap_access_filter = (groupMembership=cn=shell,ou=groups,dc=domain,dc=com)
enumerate = true
ldap_enumeration_refresh_timeout=60
cache_credentials = False
entry_cache_timeout = 60
ldap_network_timeout = 3
The system produces the following result:
id ttest
uid=10000(ttest) gid=501(shell) groups=501(shell)
getent group core
core:*:10000:
In LDAP, user ttest has main group 'shell' and is included in group 'core' as well.
Here is a query from the LDAP database:
ldapsearch -x -b 'ou=people,dc=domain,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# people, domain.com
dn: ou=people,dc=domain,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit
# core, groups, domain.com
dn: cn=core,ou=groups,dc=domain,dc=com
objectClass: posixGroup
gidNumber: 10000
memberUid: ttest
cn: core
Please advise what I should check / do in the configuration that will allow the system to see the 'core' group as a regular secondary group of the user in 'id' etc.
Thanks!
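The symptom in the post matches a schema/attribute mismatch rather than a PAM or nsswitch problem: with `ldap_schema = rfc2307bis`, SSSD's default `ldap_group_member` is `member` (whose values are full DNs), while the `core` entry carries `memberUid` (login names), which is what the rfc2307 schema uses. The primary group is resolved from the user's `gidNumber` regardless of schema, which is why `shell` appears and `core` does not. The script below is an added example, not the poster's configuration and not SSSD's own code; it models that one rule from sssd-ldap(5) in Python over the entries from the post (the user entry and the cn=shell group were not posted and are constructed here from ldap_user_search_base and the `id` output) and renders what `id ttest` would print under each setting.

```python
"""Model of how SSSD picks the secondary-group attribute from ldap_schema.

Added example for the post above; not SSSD's code and not the poster's.
It re-implements one rule from sssd-ldap(5): the default ldap_group_member
is `memberUid` for ldap_schema = rfc2307 and `member` (holding DNs) for
ldap_schema = rfc2307bis.
"""
import re

# Constructed from the post. cn=core is the entry shown by ldapsearch; the
# user entry and the cn=shell group (gid 501) were not posted and are assumed
# from ldap_user_search_base and the `id` output.
LDIF = """\
dn: uid=ttest,ou=people,dc=domain,dc=com
objectClass: posixAccount
uid: ttest
uidNumber: 10000
gidNumber: 501

dn: cn=shell,ou=groups,dc=domain,dc=com
objectClass: posixGroup
gidNumber: 501
cn: shell

dn: cn=core,ou=groups,dc=domain,dc=com
objectClass: posixGroup
gidNumber: 10000
memberUid: ttest
cn: core
"""

# Default ldap_group_member per ldap_schema value (LDAP attribute types are
# case-insensitive, so everything is compared lower-cased).
DEFAULT_GROUP_MEMBER = {"rfc2307": "memberuid", "rfc2307bis": "member"}
# Membership attributes whose values are DNs rather than login names.
DN_VALUED = {"member", "uniquemember"}


def parse_ldif(text):
    """Parse a simple LDIF dump into a list of {attr: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def _has_class(entry, objectclass):
    return objectclass.lower() in (c.lower() for c in entry.get("objectclass", []))


def find_user(entries, uid):
    return next(e for e in entries if _has_class(e, "posixAccount") and uid in e.get("uid", []))


def primary_group(entries, uid):
    """The primary group comes from the user's gidNumber, independent of ldap_schema."""
    gid = find_user(entries, uid)["gidnumber"][0]
    return next(e["cn"][0] for e in entries
                if _has_class(e, "posixGroup") and e["gidnumber"][0] == gid)


def secondary_groups(entries, uid, schema, group_member=None):
    """Group names SSSD would list for `uid` under the given ldap_schema,
    with an optional ldap_group_member override."""
    attr = (group_member or DEFAULT_GROUP_MEMBER[schema]).lower()
    # member/uniqueMember hold the user's DN; memberUid holds the login name.
    wanted = find_user(entries, uid)["dn"][0] if attr in DN_VALUED else uid
    found = set()
    for e in entries:
        if not _has_class(e, "posixGroup"):
            continue
        if wanted.lower() in (v.lower() for v in e.get(attr, [])):
            found.add(e["cn"][0])
    return found


def id_line(entries, uid, schema, group_member=None):
    """Render what `id <uid>` would print for this configuration."""
    user = find_user(entries, uid)
    gid_of = {e["cn"][0]: e["gidnumber"][0] for e in entries if _has_class(e, "posixGroup")}
    prim = primary_group(entries, uid)
    names = [prim] + sorted(secondary_groups(entries, uid, schema, group_member) - {prim})
    groups = ",".join(f"{gid_of[n]}({n})" for n in names)
    return f"uid={user['uidnumber'][0]}({uid}) gid={gid_of[prim]}({prim}) groups={groups}"


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    print("rfc2307bis (as posted):", id_line(entries, "ttest", "rfc2307bis"))
    print("rfc2307:               ", id_line(entries, "ttest", "rfc2307"))
    print("rfc2307bis + memberUid:", id_line(entries, "ttest", "rfc2307bis", "memberUid"))
```

With the posted setting the model reproduces exactly the `id` output in the post (only `501(shell)`); with `ldap_schema = rfc2307`, or with rfc2307bis plus `ldap_group_member = memberUid`, `10000(core)` is listed too. So the configuration change to try is one of those two, chosen to match the attribute actually present in the directory (`memberUid`). After editing sssd.conf, clear the SSSD cache (`sss_cache -E`, or removing the files under /var/lib/sss/db/) and restart sssd, otherwise the cached `core` entry with no members keeps being served until entry_cache_timeout expires.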