Description of problem:
I've set up sssd with rhel6.0 and so far, everything works fine, except group members are missing. 'id <user>' returns only the primary group and 'getent group' returns a bunch of groups and ids but no users. So far, it looks like bug 683158.

On my rhel6.4/sssd, when I use 'getent group' I see a bunch of groups and their gid. When I compare them with my actual ldap groups, I realize that it does not show all my groups with a gidNumber assigned to them in AD, only the local groups. Using the following ldap query I get all AD groups returned:

/usr/bin/ldapsearch -Y GSSAPI -N -b "dc=DCI,dc=local" "(&(objectClass=user)(sAMAccountName=userid"

Not all groups are Posix enabled, but the few that are do not show up with id or getent. Only the default unix group, as listed in the Unix Attributes tab in AD.

Version-Release number of selected component (if applicable):
sssd.x86_64 1.9.2-82.7.el6_4

How reproducible:
always

Steps to Reproduce:
1. start the service
2. wait 2-3 seconds...
3. that's it

Actual results:
1. group members in getent, id are wrong - only shows local groups, not AD groups
2. id group membership is wrong - only shows the default AD unix group, no other AD unix groups

Expected results:
See all AD unix groups

Additional info:
Here is the sssd.conf file

[domain/default]
debug_level=9
enumerate = true
min_id=501
max_id=0
ldap_id_use_start_tls = False
cache_credentials = True
krb5_realm = DCI.LOCAL
krb5_server = dc01.dci.local
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dsnap01.dci.local
#ldap_uri = ldap://dc01.dci.local
ldap_search_base = dc=dci,dc=local
ldap_schema = rfc2307bis
ldap_user_search_base = dc=dci,dc=local
ldap_default_bind_dn= dc=dci,dc=local
ldap_user_object_class = user
ldap_user_name = uid
ldap_user_uid_number= uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ildap_group_object_class = group
ldap_group_name = name
ldap_group_member = member
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = true
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_disable_referrals = true
krb5_kpasswd = dc01.dci.local
ldap_tls_cacertdir = /etc/openldap/cacerts

[sssd]
config_file_version = 2
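As an added example, not part of the report and not sssd's own code, the following Python checks the group-mapping options of a config excerpt like the one posted above: it flags option names that are a near-miss of a real sssd-ldap(5) option, works out which value sssd would actually use for each group option (the man-page rfc2307bis default when the option is missing), and tests whether an entry with a given objectClass list would match the group search at all. It assumes a constructed AD group entry carrying objectClass top/group.

```python
import configparser
import difflib

# Constructed excerpt of the [domain/default] section posted above, cut down to
# the options that decide which LDAP entries sssd treats as groups.
SAMPLE_CONF = """\
[domain/default]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_user_object_class = user
ildap_group_object_class = group
ldap_group_name = name
ldap_group_member = member
ldap_group_gid_number = gidNumber
"""

# Group-mapping options from sssd-ldap(5) and the default sssd applies when the
# option is absent (rfc2307bis defaults).
GROUP_OPTIONS = {
    "ldap_group_object_class": "posixGroup",
    "ldap_group_name": "cn",
    "ldap_group_member": "member",
    "ldap_group_gid_number": "gidNumber",
}
# Other valid options present in the excerpt; anything else is checked for typos.
OTHER_KNOWN = {"id_provider", "ldap_schema", "ldap_user_object_class"}


def check_group_mapping(conf_text, section="domain/default"):
    """Return (effective group options, {misspelled key: intended option})."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    present = dict(cp.items(section))
    # An option name sssd does not recognise is never read, so its default wins.
    effective = {opt: present.get(opt, dflt) for opt, dflt in GROUP_OPTIONS.items()}
    suspicious = {}
    for key in present:
        if key in GROUP_OPTIONS or key in OTHER_KNOWN:
            continue
        close = difflib.get_close_matches(key, list(GROUP_OPTIONS), n=1, cutoff=0.8)
        if close:  # unknown key that is a near-miss of a real group option
            suspicious[key] = close[0]
    return effective, suspicious

def sssd_sees_as_group(object_classes, effective):
    """Would sssd's group search match an entry with these objectClass values?
    AD groups carry objectClass top/group (constructed here), never posixGroup."""
    wanted = effective["ldap_group_object_class"].lower()
    return any(oc.lower() == wanted for oc in object_classes)
```

With the excerpt as posted, the misspelled key leaves the default posixGroup in force, so an AD group with objectClass top/group is not matched; correcting the key name makes the same entry match.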
Hello Troy, can you post an example of id output? It's not entirely clear to me what you mean by "local" groups -- groups coming from the root AD domain or groups local to the client machine?
Hi Troy, Any luck getting the info requested in comment #2?
Hi Troy, I won't be able to analyze the problem without the requested information.
As there was no response for over two weeks now, I'm afraid I need to close this bugzilla as INSUFFICIENT_DATA.