3

We have sssd configuration as follows:

id_provider = ad
auth_provider = krb5
access_provider = ldap
enumerate = false
ignore_group_members = true;

As you can see, we are not enumerating users and groups and hence, getent passwd and getent group doesn't show the users and groups from ad.

Now, I want to understand how id -a <aduser> command shows the user and it's groups. I understand that it does realtime fetch for the given username or retrieve from sssd cache. But I want to know exactly what tells id command to fetch this info from sssd.

Some background info for my question:

I am trying to setup ldap authentication in our mysql 5.6 community server and for that I am using auth_pam.so which I copied from percona server of my local VM.

I have created a proxy user: ad_dba and mapped with ldap group: mysql_dba And I created the following pam service:

# cat /etc/pamd./mysqld
#%PAM-1.0
auth    include  password-auth audit
account include password-auth audit

So, my auth_string is as follows: mysqld, ad_dba=mysql_dba

Now, I gave complete privileges to the proxy user: ad_dba

However, I can only authenticate with my ad usera but doesn't have any privileges. My understanding is that the group mapping doesn't work.

I am not sure how mysql checks user group members. I am trying to see if I can add a specific module in PAM just to retrive this group info.

EDIT-1:

I see from source code, that the mysql plugin is using built-in linux functions getgrouplist and getgrgid_r:

So, I must find a way to list my required groups and users in groups database or change the code and recompile. My question has become irrevalent now to this issue. But I am still eager to find out how id gets this info.

muru
  • 69,900
  • 13
  • 192
  • 292
GP92
  • 775
  • 6
  • 15
  • 31
  • The `id` command get the the numeric groups via the `getgroups(2)` system call, then maps them to names via `getgrgid(3)`, `getgrent(3)` or similar (which in a default conf will just look them up in `/etc/groups`). Please tidy up your question -- is it about `id`, ldap auth, pam, mysql, whatever else? –  Apr 17 '20 at 05:13
  • @muru `id` is a [standard utility](https://pubs.opengroup.org/onlinepubs/9699919799/utilities/id.html), the coreutils implementation is not the only one. –  Apr 17 '20 at 07:24
  • pretty sure this question is about the coreutils one. – muru Apr 17 '20 at 07:38
  • @muru there's no indication whatsoever that the OP is interested in extensions specific to GNU (coreutils) `id`, like its `-Z` or `-z` options. Please slow down a bit on your pointless crusade against users creating new tags, as they're allowed and supposed to do. –  Apr 17 '20 at 07:45
  • Eh, whatever. Sure they're allowed to, but I don't see a point in creating tags nobody will follow or use for filtering. – muru Apr 17 '20 at 08:01
  • and even if a tag for the id command were useful, it should be unambiguous. `id` can mean a lot of things - tag should be clear that it's for the command. – muru Apr 17 '20 at 08:12
  • @muru Those are just your opinions. The [coreutils] tag is irrelevant, you should stop slapping it. Leave the Q as it is until the OP clarifies it. –  Apr 17 '20 at 11:39

2 Answers2

1

The id command gets the group information from the same source as getent group: by asking the C library, which then looks at the group line of /etc/nsswitch.conf and uses the functions in the corresponding libnss_<name>.so library or libraries to get the answer.

PAM libraries will not be used at all here.

For example, in your situation, nsswitch.conf should say at least:

passwd: files sss
group: files sss

which would make the C library first make the query using libnss_files.so (which will look into /etc/passwd and /etc/group), and if the answer is not found there, then with libnss_sss.so (which will ask sssd).

All the username/group lookup mechanisms in the GNU C library (glibc) use this mechanism, so both the id command and MySQL will eventually end up using the same sources of information.

But in your case, your nsswitch.conf might contain just files (or compat) on the passwd and group lines. You should check your nsswitch.conf file and add sss in there if necessary.

telcoM
  • 87,318
  • 3
  • 112
  • 232
0

id uses the some core utilities to get the information. If you look at id.c you can see that it includes the file mgetgroups.h and calls a function xgetgroups, which calls mgetgroups... if you keep chasing you can track down the functions that get called and where they get included from. Basically there are system calls to retrieve the pertinent information from the group database which, in theory, gets built using the nsswitch.conf information to construct the db from sources specified in the "group: " line.

Fubar
  • 791
  • 3
  • 10