I managed to get sssd working, and getent passwd *username* as well as getent group return AD data. Now I have run into a problem with nested groups in Active Directory.
In AD I have a supergroup for the whole department. The users are members of this group.
Department group: CN=123 - DepartmentName,OU=departments,OU=SecurityGroups,DC=company,DC=country
member CN=Benny Bob,OU=123 - DepartmentName,OU=other,OU=info,DC=company,DC=country
member CN=Billy Bob,OU=123 - DepartmentName,OU=other,OU=info,DC=company,DC=country
memberOf CN=RepositoryAuthorization,OU=Roles,OU=SecurityGroups,DC=company,DC=country
I also have a number of users, for example:
User : CN=Benny Bob,OU=xxx - DepartmentName,OU=other,OU=info,DC=company,DC=country
memberOf CN=xxx - DepartmentName,OU=departments,OU=SecurityGroups,DC=company,DC=country (The department group)
memberOf CN=ServerAuthorization,OU=Roles,OU=SecurityGroups,DC=company,DC=country
When I call getent group | grep ServerAuthorization the users (who are directly linked to the group) show up fine. However, when I call getent group | grep RepositoryAuthorization it is shown as having no members. RepositoryAuthorization is a member of the department group, of which the users are members. So it is a nested group.
I assume this is a problem with my sssd setup. EDIT: it seems this is not a problem of nesting direction. It seems that certain groups are simply not retrieved by SSSD.
All groups in OU=Roles,OU=Security Groups.... are returned by getent group. However, the groups in OU=Departments,OU=Security Groups.... are not.
The settings are ldap_group_search_base = OU=Security Groups... and ldap_group_nesting_level = 100
This is the log for a getent group call (Loglevel 7). I am particularly interested in this:
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [1432158235]: Malformed search filter
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158235,Init group lookup failed
Full log:
(Tue Jan 27 15:58:15 2015) [sssd[be[Company.dk]]] [be_get_account_info] (0x0100): Got request for [4098][1][*]
(Tue Jan 27 15:58:15 2015) [sssd[be[Company.dk]]] [be_req_set_domain] (0x0400): Changing request domain from [Company.dk] to [Company.dk]
(Tue Jan 27 15:58:15 2015) [sssd[be[Company.dk]]] [sdap_handle_acct_req_send] (0x1000): Skipping group enumeration on demand
(Tue Jan 27 15:58:15 2015) [sssd[be[Company.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=localUser]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [be_req_set_domain] (0x0400): Changing request domain from [Company.dk] to [Company.dk]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [ou=Users,ou=Company,dc=Company,dc=dk]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=localUser)(objectclass=user)((null)=*))][ou=Users,ou=Company,dc=Company,dc=dk].
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [displayName]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [1432158235]: Malformed search filter
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158235,Init group lookup failed
Judging by the logs, SSSD also complained about a malformed filter: (&(sAMAccountName=localUser)(objectclass=user)((null)=*))
It looks like you are using ID mapping together with the LDAP provider (not AD), in which case you need to set the ldap_user_objectsid value:
ldap_user_objectsid = objectSid
Take another look at the sssd.conf I gave you in your Wheezy SSSD-AD question on StackExchange. You need the ldap_group_nesting_level = 5 entry to enable nested groups.
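
An added example, not part of the original question or answers: a small Python triage script that pulls the ldap_search_ext filters out of an SSSD backend log, flags any filter that contains a (null) attribute name (the symptom the answer above ties to an unset ldap_user_objectsid), and records whether the search was rejected. The sample log is excerpted from the question, with one constructed healthy search added for contrast; the function and field names are this example's own.

```python
import re
from collections import OrderedDict

# Lines excerpted from the log in the question, repeated as in the original,
# plus ONE constructed healthy search (constructedUser) for contrast.
SAMPLE_LOG = """\
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=localUser)(objectclass=user)((null)=*))][ou=Users,ou=Company,dc=Company,dc=dk].
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [1432158235]: Malformed search filter
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=localUser)(objectclass=user)((null)=*))][ou=Users,ou=Company,dc=Company,dc=dk].
(Tue Jan 27 15:58:25 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
(Tue Jan 27 15:58:26 2015) [sssd[be[Company.dk]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=constructedUser)(objectclass=user)(objectSid=*))][ou=Users,ou=Company,dc=Company,dc=dk].
"""

# "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# The search line carries "[filter][search base]".
SEARCH_RE = re.compile(
    r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]"
)
# "(null)" in attribute position: glibc's printf renders a NULL string this
# way, so it marks an attribute name that was never set when the filter was built.
NULL_ATTR_RE = re.compile(r"\(\(null\)\s*[=~<>]")
FAIL_RE = re.compile(r"Bad search filter|Malformed search filter")


def triage(log_text):
    """Return one record per distinct (domain, filter, base), in log order."""
    findings = OrderedDict()
    last_search = {}  # domain -> record of the most recent search seen
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # not an SSSD backend debug line
        domain, msg = line["domain"], line["msg"]
        search = SEARCH_RE.search(msg)
        if search:
            key = (domain, search["filter"], search["base"])
            rec = findings.setdefault(key, {
                "domain": domain,
                "first_seen": line["ts"],
                "filter": search["filter"],
                "base": search["base"],
                "count": 0,
                "null_attr": bool(NULL_ATTR_RE.search(search["filter"])),
                "rejected": False,
            })
            rec["count"] += 1
            last_search[domain] = rec
        elif FAIL_RE.search(msg) and domain in last_search:
            # Attribute the failure to the search that immediately preceded it.
            last_search[domain]["rejected"] = True
    return list(findings.values())


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        status = "REJECTED" if rec["rejected"] else "ok"
        hint = "  <- unset attribute name in filter" if rec["null_attr"] else ""
        print(f"{status:8} x{rec['count']} base={rec['base']} {rec['filter']}{hint}")
```
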