hi,

I found this: https://access.redhat.com/solutions/2261041

which looks like what I am seeing at my end. In /etc/krb5.conf in [libdefaults]
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

and if I look at my user object in AD using ldapsearch, I see

primaryGroupID: 513

which looks like the right one for 'Domain Users'.


On Fri, Dec 4, 2020 at 12:42 PM Natxo Asenjo <natxo.asenjo@gmail.com> wrote:

hi,

let's see:

server:
~]$ getent group 'Domain Users@ad.local'
domain users@ad.local:*:1576200513:userx@ad.local
~]$ getent group 1576200513
domain users@ad.local:*:1576200513:userx@ad.local

I tried before and the list came back empty (no users, but gid could be resolved though), now one user (there are at least a few hundred).


idm client:
$ getent group 'Domain Users@ad.local'
$ getent group 1576200513

So the client gets nothing back indeed. After logging in, I get an error in the shell: "/usr/bin/id: cannot find name for group ID 1576200513", so this seems related (was already wondering about this too).

and in the attachment the sssd_domain log file.

Thanks!

--
regards,
Natxo


--
Regards,
natxo