RHEL6.6 sssd (1.11) doesn't return all group memberships against an IPA server
Environment
- Red Hat Enterprise Linux 6
- Identity Management
- sssd-1.11.6-30
Issue
- After upgrading a system from RHEL 6.4 to RHEL 6.6, sudo commands served through IPA stop working: sssd no longer returns all of the user's group memberships, so the IPA sudo rules that are granted via those groups no longer match. On RHEL 6.4 it worked fine.
Resolution
- This is a known bug, https://bugzilla.redhat.com/show_bug.cgi?id=1154042, and is tracked upstream at https://fedorahosted.org/sssd/ticket/2471
- There are 3 known workarounds:
  - Enable enumeration in the sssd configuration (note that enumeration is expensive on large domains):
      [domain/$domain]
      enumerate = TRUE
  - Disable tokengroups in the sssd configuration:
      [domain/$domain]
      ldap_use_tokengroups = False
  - Turn off dereference lookups:
      [domain/$domain]
      ldap_deref_threshold = 0
- After making the above changes in /etc/sssd/sssd.conf, run sss_cache -E (or manually delete the cache under /var/lib/sss/db) and restart sssd for the changes to take effect.
- Note: Only one of the workarounds should be applied at a time.
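As an added example (a shell script written for this article, not something Red Hat or the sssd project ships), the script below applies exactly one of the three workarounds to the [domain/...] section of an sssd.conf-style file, then refreshes the cache and restarts the service. The function names, the domain example.com, and the default path /etc/sssd/sssd.conf are assumptions; the config content used in the usage comment is constructed. The edit keeps the existing file's ownership and mode, because sssd refuses to start when sssd.conf is not root-owned with mode 0600.

```shell
#!/bin/sh
# Added example for the RHEL 6.6 sssd 1.11 group-membership workaround.
# Not part of the Red Hat solution; function names and defaults are assumptions.

# get_domain_option CONF DOMAIN KEY
# Prints the value of KEY inside [domain/DOMAIN], or nothing if it is unset.
get_domain_option() {
    awk -v sect="[domain/$2]" -v key="$3" '
        /^\[/ { insect = ($0 == sect) }
        insect && $0 ~ "^[ \t]*" key "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# set_domain_option CONF DOMAIN KEY VALUE
# Writes KEY = VALUE directly under the [domain/DOMAIN] header and drops any
# earlier setting of KEY in that section (idempotent). Fails, leaving the file
# untouched, if the section does not exist. Writing through "cat >" rather than
# "mv" keeps the original owner and 0600 mode that sssd requires.
set_domain_option() {
    conf=$1; domain=$2; key=$3; value=$4
    tmp=$(mktemp) || return 1
    awk -v sect="[domain/$domain]" -v key="$key" -v value="$value" '
        /^\[/ {
            insect = ($0 == sect)
            print
            if (insect) { print key " = " value; found = 1 }
            next
        }
        insect && $0 ~ "^[ \t]*" key "[ \t]*=" { next }   # drop the old setting
        { print }
        END { if (!found) exit 1 }                          # section not found
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# apply_workaround enumerate|tokengroups|deref DOMAIN [CONF]
# Applies one (and only one) of the three documented workarounds.
apply_workaround() {
    which=$1; dom=$2; cfg=${3:-/etc/sssd/sssd.conf}   # default path is an assumption
    case $which in
        enumerate)   set_domain_option "$cfg" "$dom" enumerate TRUE ;;
        tokengroups) set_domain_option "$cfg" "$dom" ldap_use_tokengroups False ;;
        deref)       set_domain_option "$cfg" "$dom" ldap_deref_threshold 0 ;;
        *) echo "usage: apply_workaround enumerate|tokengroups|deref DOMAIN [CONF]" >&2; return 2 ;;
    esac
}

# Invalidate every cached entry, then restart sssd so the new option is read.
refresh_sssd() {
    sss_cache -E                 # -E = everything
    service sssd restart         # RHEL 6 SysV init script
}

# Post-change check (run as root): the group list must be complete and the
# IPA sudo rules granted through those groups must show up again.
verify_user() {
    id "$1" && sudo -l -U "$1"
}

# Usage on a real host (as root):
#   apply_workaround tokengroups example.com && refresh_sssd && verify_user alice
```

The replacement of the option is done with awk rather than sed so that a key in a different [domain/...] section is never touched, and so that a missing section is reported instead of silently producing a config that sssd would ignore.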
Root Cause
- Version 1.11 processes IPA roles, permissions and privileges as groups, since those objects carry objectClass groupOfNames. It also adds support for tokengroups as a speed improvement, enabled by default, which causes group membership lookups to fail in some corner cases.
