I am syncing Active Directory to a Linux server (CentOS 7) with the configuration below. Some of the groups that an AD user is a member of do not show up on the SSSD-enabled Linux server.
For example, I can create a group g1 in AD and add the AD user user001 as a member of that group, but when I SSH into the Linux server and run `id user001`,
the groups listed for that user do not include the newly created group.
[sssd]
domains = co.local
config_file_version = 2
services = nss, pam, pac
[domain/co.local]
ad_domain = co.local
krb5_realm = CO.LOCAL
auth_provider = ad
access_provider = ad
chpass_provider = ad
realmd_tags = manages-system joined-with-samba
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
ldap_schema = ad
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
use_fully_qualified_names = False
fallback_homedir = /home/%u
default_domain_suffix = co.local
enumerate = true
Looking at the sssd service log...
[root@myserver~]# service sssd status -l
Redirecting to /bin/systemctl status -l sssd.service
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2020-02-21 17:25:19 HST; 3 days ago
Main PID: 11677 (sssd)
CGroup: /system.slice/sssd.service
├─11677 /usr/sbin/sssd -i --logger=files
├─11678 /usr/libexec/sssd/sssd_be --domain co.local --uid 0 --gid 0 --logger=files
├─11679 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
├─11680 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
└─11681 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
Feb 25 14:10:29 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:10:29 myserver.co.local sssd[be[co.local]][11678]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
Feb 25 14:10:29 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:10:29 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:10:29 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:10:29 myserver.co.local sssd_be[11678]: GSSAPI client step 2
Feb 25 14:25:28 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:25:28 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:25:28 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:25:28 myserver.co.local sssd_be[11678]: GSSAPI client step 2
Looking at the logs in /var/log/sssd,
the most important entries are the following:
[root@hwdatalake ~]# cat /var/log/sssd/sssd_nss.log-20200224
(Sun Feb 16 04:17:11 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Sun Feb 16 05:57:15 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error
...
...
...
(Tue Feb 18 09:38:59 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Tue Feb 18 11:19:03 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Tue Feb 18 12:59:06 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Tue Feb 18 13:16:14 2020) [sssd[nss]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Feb 18 19:41:24 2020) [sssd[nss]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Feb 18 19:56:09 2020) [sssd[nss]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Wed Feb 19 12:27:30 2020) [sssd[nss]] [orderly_shutdown] (0x0010): SIGTERM: killing children
Does anyone with more SSSD experience know what is going on here? Any debugging tips (I have no sssd experience and I am not the person who originally configured the server)?
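As an added example (not part of the original post), here is a small Python parser for the two log shapes shown above, the journal lines from `systemctl status -l sssd` and the `sssd_nss.log` lines, that tallies how often the NSS responder reported the AD backend offline, how often the GSSAPI encryption-type error appeared, and how often the responder was restarted. While the backend is offline SSSD answers `id` lookups from its local cache, so a group created in AD during that window will not appear until the backend reconnects; counting these events over the log period shows whether that is what is happening. The sample lines are constructed from the ones quoted in the question.

```python
import re
from collections import Counter

# Constructed sample input, copied from the shapes seen in the question:
# journal output from `systemctl status -l sssd` and /var/log/sssd/sssd_nss.log.
SAMPLE_LOG = """\
Feb 25 14:10:29 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:10:29 myserver.co.local sssd[be[co.local]][11678]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
Feb 25 14:10:29 myserver.co.local sssd_be[11678]: GSSAPI client step 2
(Sun Feb 16 04:17:11 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Tue Feb 18 09:38:59 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Tue Feb 18 13:16:14 2020) [sssd[nss]] [orderly_shutdown] (0x0010): SIGTERM: killing children
"""

# "Feb 25 14:10:29 host sssd_be[11678]: message" (also "sssd[be[co.local]][11678]: ...")
JOURNAL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>sssd\S*)\[\d+\]: (?P<msg>.*)$"
)
# "(Sun Feb 16 04:17:11 2020) [sssd[nss]] [function] (0x0010): message"
NSS_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>\w+)\]\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$"
)


def parse_line(line):
    """Return (source, timestamp, message), or None if the line is in neither format."""
    m = JOURNAL_RE.match(line)
    if m:
        return ("journal", m.group("ts"), m.group("msg"))
    m = NSS_RE.match(line)
    if m:
        return ("sssd_nss", m.group("ts"), m.group("msg"))
    return None


def summarize(text):
    """Count the events that explain stale group membership in the NSS cache."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _source, _ts, msg = parsed
        if "DataProvider.Offline" in msg:
            counts["backend_offline"] += 1      # nss served the lookup from cache
        elif "KDC has no support for encryption type" in msg:
            counts["gssapi_enctype_error"] += 1  # Kerberos bind to AD failed
        elif msg.startswith("SIGTERM"):
            counts["restart"] += 1               # responder was restarted
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against the real files with `summarize(open("/var/log/sssd/sssd_nss.log-20200224").read())`; a non-zero `backend_offline` count means the responder was answering from cache for at least part of the period.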