
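Getting sssd to respect Active Directory nested groups

I was able to get sssd working, and getent passwd *username* and getent group return AD data. I am having trouble with nested groups in Active Directory.

In AD, we have a super group for an entire department. This group contains the users as members.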

Department group: CN=123 - DepartmentName,OU=departments,OU=SecurityGroups,DC=company,DC=country
member CN=Benny Bob,OU=123 - DepartmentName,OU=other,OU=info,DC=company,DC=country
member CN=Billy Bob,OU=123 - DepartmentName,OU=other,OU=info,DC=company,DC=country
memberOf CN=RepositoryAuthorization,OU=Roles,OU=SecurityGroups,DC=company,DC=country

We also have many users like this:

User : CN=Benny Bob,OU=xxx - DepartmentName,OU=other,OU=info,DC=company,DC=country
memberOf CN=xxx - DepartmentName,OU=departments,OU=SecurityGroups,DC=company,DC=country (The department group)
memberOf CN=ServerAuthorization,OU=Roles,OU=SecurityGroups,DC=company,DC=country

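When I call getent group | grep ServerAuthorization, the users (who are linked directly to the group) show up fine. However, when I call getent group | grep RepositoryAuthorization, it shows no members. RepositoryAuthorization is a member of the department group that the users are members of; in other words, it is a nested group.

I think there is something wrong with my sssd configuration. Edit: This does not appear to be a problem with the direction of the nesting. It seems that certain groups are not being retrieved by SSSD.

All groups within OU=Roles,OU=Security Groups.... are returned by getent group. However, the groups in OU=Departments,OU=Security Groups.... are not.

The configuration is ldap_group_search_base = OU=Security Groups... and 'ldap_group_nesting_level = 100'

This is the log of the getent group call (log level 7). I am especially curious about this: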

(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [1432158235]: Malformed search filter
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158235,Init group lookup failed

Full log:

(Tue Jan 27 15:58:15 2015) [sssd[be[Company.dk]]] [be_get_account_info] (0x0100): Got request for [4098][1][*]
(Tue Jan 27 15:58:15 2015) [sssd[be[Company.dk]]] [be_req_set_domain] (0x0400): Changing request domain from [Company.dk] to [Company.dk]
(Tue Jan 27 15:58:15 2015) [sssd[be[Company.dk]]] [sdap_handle_acct_req_send] (0x1000): Skipping group enumeration on demand
(Tue Jan 27 15:58:15 2015) [sssd[be[Company.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=localUser]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [be_req_set_domain] (0x0400): Changing request domain from [Company.dk] to [Company.dk]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [ou=Users,ou=Company,dc=Company,dc=dk]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=localUser)(objectclass=user)((null)=*))][ou=Users,ou=Company,dc=Company,dc=dk].
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [displayName]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [Host]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [1432158235]: Malformed search filter
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158235,Init group lookup failed
1
Martin Nielsen

Take another look at the sssd.conf I described in the Wheezy SSSD-AD question on StackExchange. To enable nested groups, you need the ldap_group_nesting_level = 5 entry.

2
roaima

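According to the log, SSSD was also complaining about a malformed filter: (&(sAMAccountName=localUser)(objectclass=user)((null)=*))

It looks like you are using ID mapping together with the LDAP (not AD) provider. In that case, you need to configure the ldap_user_objectsid value.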

ldap_user_objectsid = objectSid

2
jhrozek
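
The malformed filter discussed in the last answer can be found mechanically in an sssd backend log. The following is an added example, not code from the posters or from the SSSD project: it scans log lines in the format quoted in the question for ldap_search_ext filters that contain a "(null)" attribute name and pairs each with the failure that follows it. The function name is hypothetical and the sample log is constructed from the lines shown above, plus one constructed line with a well-formed filter.

```python
import re

# Layout of one sssd backend log line, as quoted in the question.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# "calling ldap_search_ext with [<filter>][<search base>]."
SEARCH_RE = re.compile(
    r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]\.?$"
)
# A filter term whose attribute name was printed as "(null)": the option that
# should name the attribute is unset (ldap_user_objectsid in the answer above).
NULL_ATTR_RE = re.compile(r"\(\(null\)\s*[~<>]?=")
FAIL_RE = re.compile(r"ldap_search_ext failed: (?P<reason>.+)$")

# Constructed sample: three lines taken from the log in the question, an
# attribute line, and a final constructed line showing a well-formed filter.
SAMPLE_LOG = """\
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=localUser)(objectclass=user)((null)=*))][ou=Users,ou=Company,dc=Company,dc=dk].
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
(Tue Jan 27 15:58:26 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=localUser)(objectclass=user)(objectSid=*))][ou=Users,ou=Company,dc=Company,dc=dk].
"""


def find_null_attr_searches(log_text):
    """Return one finding per LDAP search whose filter has a (null) attribute."""
    findings = []
    last_search = {}  # domain -> finding for the most recent search, or None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an sssd backend log line
        domain, msg = m["domain"], m["msg"]
        s = SEARCH_RE.search(msg)
        if s:
            last_search[domain] = None
            null_terms = len(NULL_ATTR_RE.findall(s["filter"]))
            if null_terms:
                finding = {
                    "timestamp": m["ts"], "domain": domain,
                    "base": s["base"], "filter": s["filter"],
                    "null_terms": null_terms, "error": None,
                }
                findings.append(finding)
                last_search[domain] = finding
            continue
        f = FAIL_RE.search(msg)
        if f and last_search.get(domain) is not None:
            # Attach the failure to the search that caused it.
            last_search[domain]["error"] = f["reason"]
            last_search[domain] = None
    return findings


if __name__ == "__main__":
    for item in find_null_attr_searches(SAMPLE_LOG):
        print(item["timestamp"], item["domain"], item["filter"], item["error"])
```
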