Hi, I was wondering if anyone has successfully fixed this.

I'm working on upgrading servers and client machines, and any time I use a newer SSSD package I'm unable to get groups for the users when they log in. (This is SSSD 1.16.1 on ubt18.04.)

The problem can be summed up as follows:
root@ubt18-test:# sssd --version
1.16.1
root@ubt18-test:# groups user1
user1 : groups: cannot find name for group ID 33111
33111 groups: cannot find name for group ID 33118
33118

root@ubt18-test:# getent group | grep 33111
unix_users:*:33111:

root@ubt18-test:# groups user2
user2 : groups: cannot find name for group ID 33111
33111

root@ubt18-test:# su user2
groups: cannot find name for group ID 33111

user2@ubt18-test:$ groups
groups: cannot find name for group ID 33111
33111
--
root@ubt18-test:# getent group unix_users
unix_users:*:33111:

root@ubt18-test:# groups user2
user2 : unix_users

root@blair-ubt18-test:/var/log/sssd# groups user1
user1 : unix_users groups: cannot find name for group ID 33118
33118


This is an odd sequence of events, but notice that I can't get the group for a given user. It shows up only as a GID. However, that GID _is_ listed in the output of `getent group`, so it's there, the system can see it, and SSSD is aware of it. Trying again, that GID still won't map to a name when I get the user's groups.

The odd part is that if I get the group specifically (`getent group unix_users`), then the mapping for that group thereafter succeeds. Does anyone know what's going on? Of course, everything is working as expected with an earlier version -- 1.13.4.

The only fix that I've seen is to recreate every LDAP group in the local groups file, but that seems contrary to the point of using LDAP. I'd like to avoid it.

/etc/nsswitch.conf:
#passwd:         compat systemd sss
#group:          compat systemd sss
passwd:         compat sss
group:          compat sss
# it's the same with/without systemd

/etc/sssd/sssd.conf:
[domain/LOCAL]
enumerate = True
id_provider = local
max_id = 9999
min_id = 1000

[domain/MYDOMAIN]
access_provider = simple
auth_provider = krb5
debug_level = 0xFF0
cache_credentials = True
chpass_provider = krb5
enumerate = True
id_provider = ldap
krb5_kpasswd = core-dc1.mydomain.cxm
krb5_realm = mydomain.cxm
krb5_renewable_lifetime = 7d
krb5_server = core-dc1.mydomain.cxm
ldap_default_authtok = thepassword
ldap_default_authtok_type = password
ldap_default_bind_dn = cn=LDAP Bind,ou=ServiceAccounts,ou=_MyDomain,dc=mydomain,dc=cxm
ldap_group_object_class = group
ldap_group_search_base = OU=_MyDomain,DC=MYDOMAIN,DC=CXM
ldap_search_base = DC=MYDOMAIN,DC=CXM
ldap_tls_reqcert = never
ldap_uri = ldap://core-dc1.mydomain.cxm
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_search_base = OU=_MyDomain,DC=MYDOMAIN,DC=CXM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 50

[pam]
pam_verbosity = 3
reconnection_retries = 50

[sssd]
config_file_version = 2
debug_level = 0xFF0
domains = LOCAL, MYDOMAIN
reconnection_retries = 50
sbus_timeout = 5
services = nss, pam
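The LDAP transport settings in the sssd.conf above (cleartext `ldap://`, `ldap_tls_reqcert = never`, a plaintext bind password) leave the bind credentials and directory data exposed on the wire regardless of how the group-lookup problem is resolved. The following is an added before/after fragment for the `[domain/MYDOMAIN]` section, not the poster's configuration; the CA bundle path and the obfuscated token value are assumed placeholders, and all other keys stay as posted.

```ini
# --- As posted (weak): cleartext LDAP, no certificate validation, plaintext bind password
[domain/MYDOMAIN]
id_provider = ldap
ldap_uri = ldap://core-dc1.mydomain.cxm
ldap_tls_reqcert = never
ldap_default_bind_dn = cn=LDAP Bind,ou=ServiceAccounts,ou=_MyDomain,dc=mydomain,dc=cxm
ldap_default_authtok_type = password
ldap_default_authtok = thepassword

# --- Hardened equivalent (assumed CA path; remaining keys unchanged from the post)
[domain/MYDOMAIN]
id_provider = ldap
# LDAPS so the bind DN, password and directory contents are not sent in the clear.
# If the DC only offers port 389, keep ldap:// and set ldap_id_use_start_tls = true instead.
ldap_uri = ldaps://core-dc1.mydomain.cxm
# Require a server certificate that chains to the trusted CA below; "never" accepts any cert
# and makes the TLS session trivially interceptable.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/mydomain-ca.pem    # assumed path to the domain CA bundle
ldap_default_bind_dn = cn=LDAP Bind,ou=ServiceAccounts,ou=_MyDomain,dc=mydomain,dc=cxm
# Store the bind password obfuscated rather than in plaintext. Running
#   sss_obfuscate --domain MYDOMAIN
# prompts for the password and rewrites the two keys below in place.
# Obfuscation is not encryption: /etc/sssd/sssd.conf must stay root-owned, mode 0600.
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <OBFUSCATED-TOKEN-WRITTEN-BY-sss_obfuscate>
```

After changing the transport settings, restart sssd and confirm with `getent passwd <user>` that lookups still succeed before relying on the new configuration on the upgraded hosts.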