Why does altering ldap_id_mapping
present different group memberships on the same AD user?
I was hoping to have my UID/GID
be the same as AD with IDMU: SSSD with AD: use UID/GID specified on domain server instead of something random?
I have achieved this by setting /etc/sssd/sssd.conf
ldap_id_mapping = False
, but now some of my AD groups are 'missing'.
The previous AD user with ldap_id_mapping = True
reflected all the AD groups of which the user is a member, while the ldap_id_mapping = False
user does not.
e.g:
% sssd --version
2.3.1
% cat /etc/sssd/sssd.conf | grep id_mapping
ldap_id_mapping = True
% su [email protected]
Password:
[email protected]@myhostname:~/$ id
uid=397401108([email protected])
gid=397400512(domain [email protected])
groups=397400512(domain [email protected]),
397400513(domain [email protected]),
397400518(schema [email protected]),
397400519(enterprise [email protected]),
397400572(denied rodc password replication [email protected]),
397401109([email protected]),
397401112(vcsa [email protected]),
397404603([email protected]),
397407607([email protected])
% exit
Above, you can see there are several AD-specific groups represented
% su -
# sed -i 's/ldap_id_mapping = True/ldap_id_mapping = False/g' /etc/sssd/sssd.conf
# cat /etc/sssd/sssd.conf | grep id_mapping
ldap_id_mapping = False
# exit
% su [email protected]
Password:
[email protected]@myhostname:~/$ id
uid=10000(auser)
gid=10001(administrators)
groups=10001(administrators),
3109([email protected]),
10000(domain [email protected])
Now you can see the AD-specific groups are not represented on the SSSD client.
Anyone have an idea why all these groups are not present on my domain user after changing this setting? Aren't all existing AD groups and users mapped to an ldap equivalent?
Is it because the groups presented when ldap_id_mapping = True
are not being mapped with ldap_id_mapping = False
?
How can I ensure these groups are not 'missing' on SSSD clients when ldap_id_mapping = False
?
0 Answers