Home / ubuntu / Questions / 1300389
Accepted
AveryFreeman
Asked: 2020-12-16 11:08:06 +0800 CST

SSSD with AD: use UID/GID specified on domain server instead of something random?

  • 772

I have an AD environment with IDMU and specified UID/GID for my domain users. SSSD-connected domain user does not share the same UID/GID on Ubuntu as AD.

Here's the default unedited sssd.conf in Ubuntu 20.10:

% sssd --version
2.3.1

# cat /etc/sssd/sssd.conf 

[sssd]
domains = webtool.space
config_file_version = 2

[domain/webtool.space]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYDOMAIN.SPACE
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = mydomain.space
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad

If username Auser has a UID of 10001 and a GID of 10001 I would expect that these numbers would persist across other platforms, correct?

But SSSD seems to allocate arbitrary UID/GID with no correspondence with AD numbers. Here's a real-world example:

% su [email protected]                                        
Password: 
[email protected]@myhostname:~/$ id

uid=397401108([email protected])
gid=397400512(domain [email protected])
groups=397400512(domain [email protected]),
397400513(domain [email protected]),
397400518(schema [email protected]),
397400519(enterprise [email protected]),
397400572(denied rodc password replication [email protected]),
397401109([email protected]),
397401112(vcsa [email protected]),
397404603([email protected]),
397407607([email protected])

Is there any way to prevent this behavior? I would like my UID/GID to correspond with the values assigned on the domain controllers.

Update:

Thanks to stellar first answer, all that was required to make mapping 1-1 was stop SSSD service, delete the cache, change ldap_id_mapping from True to False.

Now the UID/GID are the same as AD:

% id
uid=10000(auser) gid=10001(administrators) groups=10001(administrators),3109([email protected]),10000(domain [email protected])

Now to figure out why I am missing some of the groups my user belongs to...

active-directory su domain-server sssd

1 Answers

  1. Best Answer

    The default SSD behavior will map user id and group id to a range of values. You can instead specify LDAP attributes to use if they are defined in AD.

    From the manpage - http://manpages.ubuntu.com/manpages/bionic/en/man5/sssd-ad.5.html

           By default, the AD provider will map UID and GID values from the objectSID parameter in
       Active Directory. For details on this, see the “ID MAPPING” section below. If you want to
       disable ID mapping and instead rely on POSIX attributes defined in Active Directory, you
       should set

           ldap_id_mapping = False

    SSSD configuration would depend on what attributes are used in AD. The defaults for UID and GID are uidNumber and gidNumber, but some defaults change based on which version of SSSD you are running. Check the manpage for the release you are using.

    If you change the id mapping settings, you need to fully clear your caches before testing the change. I like to run these commands

    systemctl stop sssd
rm /var/lib/sss/{db,mc}/*
sss_cache -E
# optionally clear debug logs
truncate -s 0 /var/log/sssd/*.log
systemctl start sssd
    • 2