A Solution for Group Problems
As I showed in previous posts,
- UWWI GPO and other varieties of group access control are inaccessible to a Linux client because of the UWWI privacy policy.
- The POSIX gidNumber supplied by the AD causes major problems on our Linux client joined to the NetID AD domain when sssd attempts to resolve that gidNumber to a group.
So what of value do we have left? What do we get out of joining linux to the UWWI AD domain?
- Kerberos authentication of NetID logins (although we could get this without the extra baggage of Active Directory)
- The automatic provisioning with a campus-wide uniform unix user ID, that is, the uidNumber attribute of the NetID user object.
- Potentially, access to Windows resources in the UWWI domain, although I don't know of any such scenario where a benefit has been demonstrated.
The sssd logs show a huge amount of gratuitous LDAP searching for attributes that can never be found. Most of it is group-related, and we derive no benefit from UWWI groups.
We can resolve a raft of problems by disabling the group features of the AD provider.
We can simply override the UWWI gidNumber with a local gid, that is, from /etc/group.
First create a local group. I name this 'adusers':
[root@c7-nmr-3 ketcham]# grep aduser /etc/group
adusers:x:4444:
sssd configuration
Add this line to the domain section of sssd.conf:
override_gid = 4444
Also disable GPO processing in the same section:
ad_gpo_access_control = disabled
This stops sssd from doing the LDAP searches it otherwise performs to resolve GPO groups. It also means sssd no longer enforces any GPO logon rights on this host, which, given the privacy policy above, it could never read here anyway.
Example sssd.conf
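The following is an added example of a minimal sssd.conf with those two settings in place; it is not the author's file. It assumes the domain section is named after netid.washington.edu (the domain joined below), that the users' POSIX uidNumber attributes are used rather than SID-based ID mapping (ldap_id_mapping = False, which is what keeping the campus-wide uidNumber requires), and that home directories live under /home.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = netid.washington.edu

[domain/netid.washington.edu]
id_provider = ad
auth_provider = ad
access_provider = ad
# Assumption: take uidNumber from the NetID object instead of generating an ID from the SID
ldap_id_mapping = False
# Assumption: home directory named after the NetID
fallback_homedir = /home/%u
# No searches for GPO groups that the privacy policy hides from Linux clients
ad_gpo_access_control = disabled
# Every NetID user gets the local group 4444 (adusers in /etc/group) as primary group
override_gid = 4444
```

override_gid replaces only the primary group; with sss removed from the group line of nsswitch.conf (next section) no supplementary AD groups are resolved either, so group membership on the host is entirely whatever /etc/group says. Note too that with GPO access control disabled the ad access provider no longer restricts who may log in beyond disabled or expired accounts; if the host should admit only specific NetIDs, access_provider = simple with simple_allow_users = user1, user2 enforces a local allow list without any AD group lookup.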
nsswitch configuration
Edit /etc/nsswitch.conf to remove sss from the group line, leaving passwd and shadow alone, so that it reads:
passwd: files sss
shadow: files sss
group: files
Clean up any sssd data from previous configuration
We need to purge the sssd cache at least. I destroy and recreate everything sssd-related, just to be sure:
systemctl stop sssd
rm -f /var/log/sssd/*
rm -rf /var/lib/sss
rm /etc/krb5.keytab
yum reinstall sssd\*
adcli join netid.washington.edu
chown any existing home directories so that they are owned by the user's UWWI uidNumber and the local gid (4444).
Enable sssd and reboot.
Done.
New NetID user accounts will be created upon first login with UWWI uidNumber and the local group ID as assigned in sssd.conf.
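The whole procedure above, from the local group through the rejoin and the chown, as one added script with a post-reboot check; it is not the post's own script. It assumes the local group is adusers with GID 4444, the domain is netid.washington.edu, home directories sit under /home and are named after the NetID, and sssd.conf already carries override_gid and ad_gpo_access_control. It starts sssd before the chown loop so that id can resolve each user's UWWI uidNumber, rather than chowning before enabling sssd as the post does.

```shell
#!/bin/bash
# Added example, not the post's own script. Assumptions: local group 'adusers'
# with GID 4444, AD domain netid.washington.edu, homes under /home named after
# the NetID, and /etc/sssd/sssd.conf already carrying override_gid = 4444 and
# ad_gpo_access_control = disabled.
set -u

LOCAL_GROUP=adusers
LOCAL_GID=4444
AD_DOMAIN=netid.washington.edu

# Drop the 'sss' source from the group: line of an nsswitch.conf read on
# stdin; passwd: and shadow: keep it so NetID users still resolve.
strip_sss_from_group_line() {
    sed -E '/^group:/ s/[[:space:]]+sss([[:space:]]+|$)/\1/'
}

# True if a passwd entry ("name:x:uid:gid:gecos:home:shell") carries the
# expected gid. Usage: passwd_entry_has_gid 4444 "$(getent passwd jdoe)"
passwd_entry_has_gid() {
    local want_gid=$1 entry=$2 gid
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    [ "$gid" = "$want_gid" ]
}

# The procedure from the post, in order. Run as root.
apply() {
    # 1. local group that becomes every NetID user's primary group
    getent group "$LOCAL_GROUP" >/dev/null || groupadd -g "$LOCAL_GID" "$LOCAL_GROUP"

    # 2. group lookups from /etc/group only
    strip_sss_from_group_line </etc/nsswitch.conf >/etc/nsswitch.conf.new
    mv /etc/nsswitch.conf.new /etc/nsswitch.conf

    # 3. purge every trace of the old sssd state, then rejoin the domain
    systemctl stop sssd
    rm -f /var/log/sssd/*
    rm -rf /var/lib/sss
    rm -f /etc/krb5.keytab
    yum -y reinstall 'sssd*'
    adcli join "$AD_DOMAIN"
    systemctl enable --now sssd

    # 4. existing homes: keep the UWWI uidNumber, switch the group to 4444
    for home in /home/*; do
        user=${home##*/}
        uid=$(id -u "$user" 2>/dev/null) || { echo "skip $home: $user does not resolve" >&2; continue; }
        chown -R "$uid:$LOCAL_GID" "$home"
    done
    echo "done; reboot now"
}

# After the reboot: confirm a NetID user resolves with the campus uidNumber
# and the local gid, and that the gid itself resolves from /etc/group.
verify_user() {
    local user=$1 entry
    entry=$(getent passwd "$user") || { echo "no passwd entry for $user" >&2; return 1; }
    passwd_entry_has_gid "$LOCAL_GID" "$entry" || { echo "wrong gid: $entry" >&2; return 1; }
    getent group "$LOCAL_GID" >/dev/null || { echo "gid $LOCAL_GID missing from /etc/group" >&2; return 1; }
    echo "$user ok: $entry"
}

case "${1:-}" in
    --apply)  apply ;;
    --verify) verify_user "${2:?NetID required}" ;;
    *)        ;;   # no argument: only define the functions
esac
```

Run it as root with --apply, reboot, then run it with --verify <netid> for one account that has logged in; the check fails if the gid in the passwd entry is anything other than 4444 or if 4444 is not present in /etc/group.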