On Wed, Apr 12, 2017 at 1:26 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
> [...]
>
> Here is the reason:
>
> >     (Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
> > [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and
> > setting GID=0!
>
> So the group was found and saved, but SSSD decided the group is not
> eligible to be returned for the OS. This could be because SSSD filtered
> the group type (domain-local groups from trusted domains are filtered)
> or because the sssd is configured to use POSIX attributes, but the
> object doesn't have them.
>
> Increasing the debug_level some more would show more messages,

Thanks Jakub. I have the debug_level at 8 right now. I was wary of turning it to 9 as that may have output a lot of trace messages, but I could definitely try that and see what messages I get. Should I configure this domain to not use POSIX attributes? Is that a wise decision and/or recommended? What setting controls this? I've currently read through the man pages for sssd.conf, sssd-ldap, sssd-krb5, and sssd-ad. Would you recommend any other man pages or documentation? Here is my complete sssd.conf file:

    root@ultralisk:/var/log/sssd# cat /etc/sssd/sssd.conf
    #########################
    # GENERAL SSSD SETTINGS #
    #########################
    [sssd]
    debug_level = 8
    config_file_version = 2
    services = nss,pam
    domains = HARMONYWAVE,WINNT
    re_expression = (?P<name>[^@]+)@(?P<domain>.+$)

    [nss]
    debug_level = 8
    filter_users = root
    filter_groups = root
    #fallback_homedir = /home/%u

    [pam]
    debug_level = 8
    pam_verbosity = 1
    pam_pwd_expiration_warning = 10

    #@@@@@@@@@@@@@@@@@@@@#
    #@ HARMONYWAVE DOMAIN SETTINGS @#
    #@@@@@@@@@@@@@@@@@@@@#
    [domain/HARMONYWAVE]
    debug_level = 8
    cache_credentials = false
    pwd_expiration_warning = 10

    #########################
    # HARMONYWAVE PROVIDERS #
    #########################
    auth_provider = krb5
    id_provider = ldap
    access_provider = simple
    chpass_provider = krb5
    sudo_provider = ldap

    #################################
    # HARMONYWAVE KERBEROS SETTINGS #
    #################################
    krb5_server = immortal.harmonywave.com
    krb5_realm = HARMONYWAVE.COM

    #############################
    # HARMONYWAVE LDAP SETTINGS #
    #############################
    ldap_uri = ldap://baneling.harmonywave.com
    ldap_schema = rfc2307bis
    ldap_search_base = dc=harmonywave,dc=com
    ldap_user_search_base = ou=People,dc=harmonywave,dc=com
    ldap_group_search_base = ou=Group,dc=harmonywave,dc=com
    ldap_sudo_search_base = ou=SUDOers,dc=harmonywave,dc=com
    ldap_user_object_class = posixAccount
    ldap_user_name = uid
    ldap_user_home_directory = homeDirectory
    ldap_group_object_class = posixGroup
    ldap_group_name = cn
    ldap_group_nesting_level = 4
    ldap_fullname = cn
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /etc/ssl/certs/ca.harmonywave.com.pem
    ldap_id_use_start_tls = true
    ldap_sasl_mech = GSSAPI
    ldap_pwd_policy = mit_kerberos

    #@@@@@@@@@@@@@@@@#
    #@ WINNT DOMAIN SETTINGS @#
    #@@@@@@@@@@@@@@@@#
    [domain/WINNT]
    debug_level = 8
    use_fully_qualified_names = true
    re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
    dns_discovery_domain = winnt.harmonywave.com

    ###################
    # WINNT PROVIDERS #
    ###################
    auth_provider = ad
    id_provider = ad
    access_provider = ad
    sudo_provider = none

    #####################
    # WINNT AD SETTINGS #
    #####################
    ad_domain = winnt.harmonywave.com
    ad_server = _srv_, firebat.winnt.harmonywave.com
    override_homedir = /home/%d/%u
    dyndns_update = false

Thanks,
Joshua Schaeffer
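A small triage helper for the debug output discussed in this thread, added here as an example and not part of the original mail or of SSSD itself: it re-joins SSSD debug log lines that a mail client or terminal wrapped, parses the `(timestamp) [process] [function] (level): message` shape, and lists the records where a group was marked non-posix with GID=0, keyed by backend domain. The sample log is constructed from the quoted lines plus two made-up lines.

```python
import re

# Start of a new record: "(Tue Apr 11 16:13:42 2017) ..." (day may be padded)
TS_START = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}\)")
# Full record once wrapped lines have been joined, e.g.
# "(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_nested_group_hash_group] (0x2000): Marking ..."
LOG_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\S*?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# The symptom Jakub points at in the thread.
NON_POSIX = re.compile(r"Marking group as non-posix|GID=0")


def parse_sssd_log(text):
    """Return one dict per record, re-joining lines that were wrapped
    anywhere after the timestamp (as happens when a log is pasted into mail)."""
    chunks, current = [], []
    for raw in text.splitlines():
        if TS_START.match(raw) and current:
            chunks.append(" ".join(current))
            current = []
        if raw.strip():
            current.append(raw.strip())
    if current:
        chunks.append(" ".join(current))
    records = []
    for line in chunks:
        m = LOG_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"], 16)  # debug level bitmask, e.g. 0x2000
            records.append(rec)
    return records


def non_posix_groups(text):
    """Records where SSSD dropped a group's GID, with the domain taken from
    the process tag, e.g. sssd[be[WINNT]] -> WINNT."""
    hits = []
    for rec in parse_sssd_log(text):
        if NON_POSIX.search(rec["msg"]):
            dom = re.search(r"be\[([^\]]+)\]", rec["proc"])
            hits.append({"ts": rec["ts"], "domain": dom.group(1) if dom else None,
                         "func": rec["func"], "msg": rec["msg"]})
    return hits


# Constructed sample: the wrapped lines quoted in the thread plus two made-up records.
SAMPLE_LOG = """\
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and
setting GID=0!
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_nested_group_hash_group] (0x2000): constructed: nothing to do here
(Tue Apr 11 16:13:43 2017) [sssd[be[HARMONYWAVE]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
"""

if __name__ == "__main__":
    for h in non_posix_groups(SAMPLE_LOG):
        print(h["ts"], h["domain"], h["func"], h["msg"])
```

Run it against `/var/log/sssd/sssd_<domain>.log` by reading the file into `non_posix_groups`; records from the [be[...]] process tag tell you which domain's backend discarded the GID.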