SSSD IdP (Entra ID): listing group members does not work

[ondrejv2]

Looks like group enumeration does not work properly:

id -a <user>

unveils all groups correctly, but

getent group <groupname>

mention only the user I discovered in the 1st step.
I guess this is known limitation of the current IdP provider, correct?

I understand the enumeration support in SSSD is deprecated, but I guess this should work

[sumit-bose]

Hi,

the deprecated enumeration support refers to the feature that e.g. getent passwd will return all know users of the system.

Listing the group members with getent group groupname should work. There is the dedicated API permission GroupMember.Read.All, did you add this to your application/client ?

bye,
Sumit

[ondrejv2]

Hi,
Ok I did not have that permission, I've added it to my entra ID app, restarted sssd and it's still the same.
getent group <groupname> does not really work.
Note that running that command I get instant reply, it looks like sssd is not even trying get that info from EntraID.

Note my config:

[domain/renesas.com]
debug_level = 9
id_provider = idp
idp_type = entra_id
idp_client_id = <Tennant id>
idp_client_secret = <secret>
idp_token_endpoint = https://login.microsoftonline.com/<tennantid>/oauth2/v2.0/token
idp_userinfo_endpoint = https://graph.microsoft.com/v1.0/me
idp_device_auth_endpoint = https://login.microsoftonline.com/<tennantid>/oauth2/v2.0/devicecode
idp_id_scope = https%3A%2F%2Fgraph.microsoft.com%2F.default
idp_auth_scope = openid profile email
idp_request_timeout = 60
fallback_homedir = /home/%u
default_shell = /bin/bash

Thanks

[alexey-tikhonov]

Can you provide 'sssd_$domain.log'?

[sumit-bose]

Hi,

I removed the log because it might contain sensitive data.

bye,
Sumit

[alexey-tikhonov]

@ondrejv2 , sorry, I didn't expect you won't sanitize log so you now may want to regenerate credentials :-/

[ondrejv2]

Just to summarize the chat with @sumit-bose .
There are two problems:

1. pre-initialized group cache with user lookup - after id -a <username> groups get pre-initialized with just a single member (does not matter if direct on indirect) of the <username> in it.
2. after cache from the 1st step expires, we can actually see the group enumeration works, but only direct group members are listed. Members from the nested groups are ignored.

[joakim-tjernlund]

@ondrejv2 , sorry, I didn't expect you won't sanitize log so you now may want to regenerate credentials :-/

You should not log credentials at all.

[alexey-tikhonov]

@ondrejv2 , sorry, I didn't expect you won't sanitize log so you now may want to regenerate credentials :-/

You should not log credentials at all.

Already fixed - #8332 (part of 'sssd-2.12.0' release).

[ondrejv2]

Already fixed - #8332 (part of 'sssd-2.12.0' release).

Thanks for the fix.
Just to avoid confusion here, the problem this bugreport actually describes still remains.