Hi

"getent group <name>" does not give any output at all.

However "getent passwd" looks correctly up in the AD:

$ getent passwd zmir2
zmir2:*:2956636:100:Hans Schou:/home/zmir2:/bin/bash

$ grep -c ^zmir2 /etc/passwd
0

nsswitch looks fine:

$ egrep "^(group|passwd)" /etc/nsswitch.conf
passwd:     files sss
group:      files sss

SSO is working fine with both ssh and samba share.

$ realm list

foo.org
  type: kerberos
  realm-name: FOO.ORG
  domain-name: foo.org
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob-mkhomedir
  required-package: oddjob
  required-package: samba-winbind-clients
  required-package: samba-winbind
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-any-login
foo.org
  type: kerberos
  realm-name: FOO.ORG
  domain-name: foo.org
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins

# cat /etc/sssd/sssd.conf

[sssd]
domains = foo.org
config_file_version = 2
services = nss, pam
[domain/foo.org]
ad_domain = foo.org
krb5_realm = FOO.ORG
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad

All on Red Hat 7.6.

The goal is to use an AD group in a samba share but it obviously does not lookup groups in the AD, only specific users.

--