Hi All!

I am running into an issue where groups cannot be resolved upon login. All servers on CentOS 6 work fine, so this is isolated to the newer sssd version on CentOS 7.

[user@snoopy ~]$ id
uid=100001012(user) gid=1001 groups=1001,10(wheel),1102

[user@snoopy ~]$ getent -s sss passwd user
user:*:100001012:1001:User Name:/home/user:/bin/bash

However, a quick lookup against the group:

[user@snoopy ~]$ getent -s sss group security
security:*:1001:user

Subsequent id lookup works:

[user@snoopy ~]$ id
uid=100001012(user) gid=1001(security) groups=1001(security),10(wheel),1102


Sudo also complains about the user, even after the above command succeeds:

[user@snoopy ~]$ sudo su -
sudo: unknown uid 100001012: who are you?


A few seconds later sudo is no longer confused:

[user@snoopy ~]$ sudo su -
LDAP OnePassword for user:
root@snoopy[~]#


SSSD config:

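# sssd.conf as quoted in the report: values are unchanged, only the lines the
# mail client wrapped (filter_users / filter_groups) have been rejoined, since a
# continuation line without '=' is not valid in sssd's config parser.
# Comments use '#' throughout (sssd also accepts ';').

[sssd]
config_file_version = 2
sbus_timeout = 30
# responders started by the monitor
services = nss, pam, sudo, ssh
# BOUNCE DEV
# a lookup without an explicit domain is tried against the domains in this order
domains = LOCAL, HOSTOPIA, DOMAIN1, DOMAIN2, DOMAIN3

[nss]
# local system accounts/groups that the nss responder never answers for, so they
# always resolve from /etc/passwd and /etc/group (comma list, one line)
filter_users = adm,apache,avahi,bin,daemon,dbus,ecryptfs,ftp,git,games,gopher,haldaemon,halt,hfallback,hdeploy,influxdb,ldap,lp,mail,mailnull,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,oprofile,ossec,postfix,puppet,puppet-dashboard,pulse,pulse-access,radiusd,root,rpc,rpcuser,rtkit,saslauth,sfallback,shutdown,slocate,smmsp,sshd,sync,tcpdump,tss,uucp,vcsa
filter_groups = adm,apache,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,ecryptfs,floppy,fuse,git,hfallback,hdeploy,influxdb,kmem,ldap,lock,lp,mail,mailnull,man,mem,nfsnobody,nobody,nscd,ntp,ossec,oprofile,postdrop,postfix,puppet,puppet-dashboard,pulse,pulse-access,root,rpc,rpcuser,rtkit,saslauth,sfallback,slocate,smmsp,sshd,sys,tape,tcpdump,tss,tty,users,utempter,utmp,vcsa,video

[pam]
debug_level = 0
reconnection_retries = 3
# days since the last successful online login that a cached credential may still
# be used while the backend is offline
offline_credentials_expiration = 2
# failed offline logins allowed before further attempts are refused, and the
# number of minutes that refusal lasts
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
# 1 = show only important messages to the user
pam_verbosity = 1
# days before password expiry at which a warning is shown at login
pam_pwd_expiration_warning = 21
pam_account_expired_message = Your LDAP password has expired, please use selfservice portal to change your LDAP password.

[sudo]
debug_level = 0

[ssh]
# debug_level = 0

# Local (non-LDAP) accounts managed with sss_useradd & co.
# NOTE(review): the 'local' id_provider is deprecated in later SSSD releases;
# plan a migration if this config is carried forward.
[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
# uid/gid range this domain answers for; note HOSTOPIA below starts at 499 and
# so overlaps this range
min_id = 500
max_id = 999
default_shell = /bin/bash
base_directory = /home
# home directories are never created by sssd but are removed on account deletion
create_homedir = false
remove_homedir = true
# umask applied if a home directory were created (create_homedir is false above)
homedir_umask = 077
skel_dir = /etc/skel
mail_dir = /var/spool/mail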


All domains have the following options set:

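######### SECTION: HOSTOPIA
# LDAP domain; values are unchanged from the report, only the lines the mail
# client wrapped (ldap_user_search_base, ldap_access_filter) have been rejoined.
[domain/HOSTOPIA]
# lowest id answered by this domain
# NOTE(review): overlaps the LOCAL domain's 500-999 range; confirm that is intended
min_id = 499
# NOTE(review): raise this (e.g. 6) while chasing the unresolved-gid / "unknown uid"
# symptom, then read the domain log
debug_level = 0
# keep credential hashes in the local cache so offline login works (limits in [pam])
cache_credentials = True
# seconds (10 days) an entry is served from cache before the backend is asked again
entry_cache_timeout = 864000

auth_provider = ldap
id_provider = ldap
access_provider = ldap
chpass_provider = none
sudo_provider = ldap
selinux_provider = none
autofs_provider = none
hostid_provider = none

# tokenGroups are an Active Directory feature; presumably a no-op against this
# directory, but explicitly off
ldap_use_tokengroups = false

# https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
#ignore_group_members=True

lookup_family_order = ipv4_only

# LDAP Search
# the group and user bases carry an extra "?scope?filter" part that restricts
# which entries sssd will return at all
# NOTE(review): the reported behaviour (gid 1001 only resolving after an explicit
# group lookup) may be related to these filtered bases; confirm in the domain log
ldap_search_base = dc=hostopia,dc=com
ldap_group_search_base = ou=groups,o=Hostopia,dc=hostopia,dc=com?subtree?(|(cn=almighties)(cn=security)(cn=systems)(cn=bounce-development)(cn=development-wholesale)(cn=development-retail)(cn=abuse))
ldap_user_search_base = ou=users,o=hostopia,dc=hostopia,dc=com?subtree?(|(description=cn=bounce-development,ou=groups,o=Hostopia,dc=hostopia,dc=com)(description=cn=almighties,ou=groups,o=Hostopia,dc=hostopia,dc=com)(description=cn=security,ou=groups,o=Hostopia,dc=hostopia,dc=com))

# LDAP Custom Schema
# group members are read from hMemberDN and a user's groups from its description
# attribute (holding a group DN) instead of the usual member / memberOf pair
ldap_group_member = hMemberDN
ldap_user_member_of = description
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
ldap_schema = rfc2307bis

# seconds a connect to one server may take before the next server is tried
ldap_network_timeout = 3
# StartTLS is unnecessary here because every URI below is already ldaps://
ldap_id_use_start_tls = False
# NOTE(security): 'never' disables server certificate validation, so the ldaps://
# session gives no protection against a host impersonating SERVER1-3; prefer
# 'demand' with the CA placed in ldap_tls_cacertdir (or ldap_tls_cacert)
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts

# Ldap Servers
# primaries are tried in order; the backup list is used only when all fail
ldap_uri = ldaps://SERVER1, ldaps://SERVER2, ldaps://SERVER3
ldap_backup_uri = ldaps://1.1.1.1

# the obfuscated bind password (sss_obfuscate) is reversible and only prevents
# casual reading; the root-only 0600 permissions sssd requires on this file are
# the actual protection
ldap_default_authtok_type = obfuscated_password
ldap_default_bind_dn = ****
ldap_default_authtok = ******

# attribute served to the [ssh] responder
ldap_user_ssh_public_key = sshPublicKey

# no server-side password policy is consulted; account expiry is taken from the
# shadowExpire attribute
ldap_pwd_policy = none
ldap_account_expire_policy = shadow
ldap_user_shadow_expire = shadowExpire
# shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))

ldap_chpass_update_last_change = false

# access control at login: the LDAP filter first, then the shadow expiry check
ldap_access_order = filter, expire
ldap_access_filter = (&(objectClass=posixAccount)(uidNumber=*)(hAccountInitialSetup=1)(|(description=cn=bounce-development,ou=groups,o=Hostopia,dc=hostopia,dc=com)(description=cn=almighties,ou=groups,o=Hostopia,dc=hostopia,dc=com)(description=cn=security,ou=groups,o=Hostopia,dc=hostopia,dc=com)))

# SUDO
ldap_sudo_search_base = ou=sudoers,o=Hostopia,dc=hostopia,dc=com
# seconds between full (daily) and smart (hourly) refreshes of the sudo rules
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600
#entry_cache_sudo_timeout = 5400

#####  END DOMAIN SECTION  #####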