The LDAP administrators group doesn't grant SSH access on freshly-kickstarted clients

Description

SSSD filters out the `administrators` group (GID 700) when sssd.conf's min_id is set to the default value of 1000.

Details
  • The SIMP docs state that SIMP is preconfigured to grant SSH access to members of the administrators group. This is implemented in SIMP by adding the (administrators) group to /etc/security/access.conf in simp::admin.

  • The gidNumber of the LDAP group administrators is hard-coded to 700 in simp_openldap/templates/etc/openldap/default.ldif.erb.

  • The default min_id for the SSSD LDAP domain is set to 1000 in simp::sssd::client.

  • Consequently, on newly-kickstarted EL7 clients configured with the SIMP default settings and LDAP groups, users in the administrators group cannot log in via SSH without further intervention.
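As an added check, not part of this ticket or the SIMP code base, the script below reproduces the mismatch offline: it parses a constructed sssd.conf excerpt and a constructed LDIF excerpt (stand-ins for simp::sssd::client's output and default.ldif.erb, not the real files) and lists every group whose gidNumber falls below the domain's min_id, which is exactly the set SSSD will never return to PAM or access.conf.

```python
"""Check which LDAP groups an SSSD domain's min_id would filter out."""
import configparser
import re

# Constructed sssd.conf excerpt mirroring the SIMP default described above
# (min_id = 1000 on the LDAP domain); not the project's own file.
SSSD_CONF = """
[sssd]
domains = LDAP

[domain/LDAP]
id_provider = ldap
min_id = 1000
"""

# Constructed LDIF excerpt standing in for default.ldif.erb: the administrators
# group carries gidNumber 700, a second group sits at 1000 for contrast.
DEFAULT_LDIF = """
dn: cn=administrators,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: administrators
gidNumber: 700

dn: cn=users,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: users
gidNumber: 1000
"""

def sssd_min_id(conf_text, domain):
    """Effective min_id for a domain; SSSD's own default when unset is 1."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getint(f"domain/{domain}", "min_id", fallback=1)

def ldif_group_gids(ldif_text):
    """Map group cn -> gidNumber from LDIF text (entries separated by blank lines)."""
    gids = {}
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        if "gidNumber" in attrs and "cn" in attrs:
            gids[attrs["cn"]] = int(attrs["gidNumber"])
    return gids

def filtered_groups(conf_text, ldif_text, domain="LDAP"):
    """Groups whose gidNumber is below min_id, i.e. ones SSSD will never return."""
    floor = sssd_min_id(conf_text, domain)
    return sorted(n for n, g in ldif_group_gids(ldif_text).items() if g < floor)
```

Running `filtered_groups(SSSD_CONF, DEFAULT_LDIF)` with the defaults above reports `['administrators']`; lowering min_id in the sssd.conf excerpt to 700 or below empties the list.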

Observations
  • Under these conditions, SSH access can be made to work correctly by logging directly into the local system and running the id command for an affected user.

  • After applying the id workaround, SSH access persists across reboots and sss_cache -E, but removing the SSSD database files under /var/lib/sss/db resets the problem.

Acceptance Criteria

None

Labels

None

Epic Link

None

Story Points

None

Assignee

Chris Tessmer

Priority

High