SSSD can not find some users in AD


We use SSSD to integrate RHEL7 into our Active Directory infrastructure for authentication. All users in the sys admins group can log in with their AD credentials except one. It took me a few weeks to troubleshoot.

On the one hand, I checked the sssd log and I can see the Linux server can find the user in the AD, but somehow it cannot read the attributes of this user. On the other hand, I see the domain controller responds correctly to the Linux request per the captured packets in Wireshark.

Finally, I figured it out today. It turns out to be a bug in the version of SSSD (1.12.2-58) that is running in our RHEL7.1. The SSSD process cannot handle an AD account whose objectGUID starts with zero. The bug has been reported and, I think, will be fixed in the latest version. The current workaround is to tell SSSD not to read the objectGUID from AD by adding 'ldap_user_uuid = notExistingAttributeName' to the sssd.conf.
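As an added illustration (not code from the original post or from the SSSD project), the Python below decodes raw objectGUID values as AD returns them over LDAP and flags accounts whose GUID begins with a 0x00 byte, the case this SSSD build trips over; the sample GUIDs are constructed, and modelling the defect as a NUL-terminated string read of a binary value is my assumption, not something the post states.

```python
import uuid

# Constructed sample objectGUID values (16 raw bytes each, as returned over LDAP).
# These are made up for this example and do not belong to any real directory.
SAMPLE_USERS = {
    "alice": bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    "bob":   bytes.fromhex("00112233445566778899aabbccddeeff"),  # first byte is zero
}


def objectguid_to_str(raw: bytes) -> str:
    """Render a raw AD objectGUID in the canonical GUID string form.

    AD stores the first three GUID fields little-endian, which is exactly the
    layout uuid.UUID(bytes_le=...) expects."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def as_c_string(raw: bytes) -> bytes:
    """Assumed model of the defect: a binary attribute pushed through a
    NUL-terminated string routine is cut at the first 0x00 byte, so a GUID
    whose first byte is zero collapses to an empty value."""
    idx = raw.find(b"\x00")
    return raw if idx == -1 else raw[:idx]


def affected_by_leading_zero(raw: bytes) -> bool:
    """True when the account's objectGUID would read back as empty."""
    return len(as_c_string(raw)) == 0


def affected_from_guid_string(guid: str) -> bool:
    """Same check starting from the canonical string form an AD admin sees in
    tooling: the first raw byte is the last two hex digits of the first group."""
    return uuid.UUID(guid).bytes_le[0] == 0


def audit(users: dict) -> dict:
    """Map each account name to whether it hits the leading-zero case."""
    return {name: affected_by_leading_zero(raw) for name, raw in users.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_USERS.items():
        print(f"{name}: {objectguid_to_str(raw)} affected={affected_by_leading_zero(raw)}")
```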

Reference:
https://fedorahosted.org/sssd/ticket/2588
http://permalink.gmane.org/gmane.linux.redhat.sssd.user/2619
