On (17/12/14 20:54), John Beranek wrote:
I've been investigating problems with the SSSD 1.11 versions supplied in
RHEL/CentOS 6.6 for a while now. I've followed:
and also created a case with Red Hat support. However, I'm still no closer
to solving the issue.
After updating servers to the SSSD in 6.6, intermittently (for particular
users but not on all servers, and not necessarily all the time) users don't
get their supplementary groups. e.g:
[root@rhel6-template sssd]# id matthewbe
uid=46721(matthewbe) gid=20513(domain users) groups=20513(domain users)
This is with the latest SSSD on a RHEL6.6 server, i.e.:
Our environment is Windows 2003 AD controllers, and users *without* POSIX
attributes in their AD records. So, snippets of sanitised sssd.conf:
debug_level = 9
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = dc01.local,dc02.local
ad_backup_server = ad.local
ad_domain = ad.local
# ID mapping
min_id = 20000
ldap_idmap_range_min = 20000
#ldap_idmap_range_max = 220000
ldap_idmap_range_size = 200000
ldap_idmap_default_domain_sid = S-1-5-21-2365159532-2245169678-2931239768
ldap_schema = ad
ldap_id_mapping = true
override_homedir = /home/AD/%u
override_shell = /bin/bash
# access controls
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_referrals = false
I've tried a few config changes to fix the issue, but none has fixed it,
ldap_use_tokengroups = False
ldap_group_objectsid = objectSID
ldap_user_objectsid = objectSID
ldap_deref_threshold = 0
ldap_schema = rfc2307bis
I want just wrote a summary of long off the list discussion.
We exchanged many log files and tested lot of packages.
Thank you very much John for cooperation.
John's initial problem with missing supplementary groups was resolved
after some changes on AD side. But there were sill some missing groups.
We tested never version off sssd with enabled and disabled tokengrops.
sssd-1.12 with enabled tokengroups
[user@host tmp]# id -G matthewbe | perl -pi -e 's/ /\n/g'|wc -l
sssd-1.9 (rhel 6.5) or (sssd-1.12 with disabled tokengroups)
[user@host]$ id -G matthewbe | perl -pi -e 's/ /\n/g'|wc -l
The "workaround" with disabled tokengroups was actually a bug .
Sumit implemented filtering of "Distributions groups" 
as part of ticket. It did not work with disabled tokengrous due to bug.
Even thought im might look like regression from sssd-1.9 (less supplementary
groups). It is by design. The "workaround" will not work with sssd >= 1.12.5
which will be released very soon.
Technet site says:
"Distribution groups are not security-enabled, which means that
they cannot be listed in discretionary access control lists (DACLs)."