All,

Below is a writeup of missing AD groups for accounts when using tokengroups. When not using tokengroups, sssd is rock solid.

Yes, most of the missing AD groups are universal or global groups -- but not all! For some accounts, even domain-local AD groups are missed from their group memberships (when using tokengroups).


Missing group memberships with sssd (when using tokengroups):

July, 2018.

Cross-subdomain AD authentication partially working. (fully working with ldap_use_tokengroups = False)

When ldap_use_tokengroups = True is set, some AD groups for some accounts are missing. Full details below.

Test server is in AMER.DELL.COM

Accounts and their missing AD group memberships (when ldap_use_tokengroups = True)

AdmJesse_Chan (account resides in APAC.DELL.COM)

tokengroups-enabled SSSD reports membership in:

        uid=525641(admjesse_chan) gid=525641(admjesse_chan) groups=525641(admjesse_chan),1008(apacunixusers),1000(apaclinuxeng),1001(apaclinuxsup)

vas-enabled Linux server reports membership in:

        uid=525641(admjesse_chan) gid=525641(admjesse_chan) groups=525641(admjesse_chan),1000(apaclinuxeng),1001(apaclinuxsup),1008(apacunixusers),1041(linux-core-engineering),1069(users)

diff is:

        1041(linux-core-engineering),1069(users)

Both are AMER-only "local domain" groups.

        linux-core-engineering is an AMER-only "domain local" group with GID 1041.

        And actually, admjesse_chan is a member of 'users', but that's an APAC.DELL.COM domain AD group (that's not unix-enabled).

        VAS is (mistakenly) reporting Jesse as a member of the AMER.DELL.COM 'users' group, which has a GID of 1069.

AdmPaulBowen (account resides in EMEA.DELL.COM)

tokengroups-enabled SSSD reports membership in:

   uid=2103156(admpaul_bowen) gid=2103156(admpaul_bowen) groups=2103156(admpaul_bowen),1009(emeaunixusers)

vas-enabled Linux server reports membership in:

   uid=2103156(admpaul_bowen) gid=2103156(admpaul_bowen) groups=2103156(admpaul_bowen),1153(emea_server_mgmt),1005(emealinuxsup),1009(emeaunixusers)

diff is:

   1153(emea_server_mgmt),1005(emealinuxsup)

EMEA_SERVER_MGMT is a universal AD group, with GID 1153.

EMEALINUXSUP is a universal AD group, with GID 1005.

EMEAUNIXUSERS is a global AD group, with GID 1009.

AdmDennis_Kennedy (account resides in EMEA.DELL.COM)

tokengroups-enabled SSSD:

        uid=2890335(admdennis_kennedy) gid=2890335(admdennis_kennedy) groups=2890335(admdennis_kennedy),1009(emeaunixusers)

vas:

        uid=2890335(admdennis_kennedy) gid=2890335(admdennis_kennedy) groups=2890335(admdennis_kennedy),1153(emea_server_mgmt),1004(emealinuxeng),1009(emeaunixusers),1041(linux-core-engineering)

diff:

        1153(emea_server_mgmt),1004(emealinuxeng),1041(linux-core-engineering)

EMEA_SERVER_MGMT is a universal AD group, with GID 1153.

EMEALINUXENG is a universal AD group, with GID 1003.

linux-core-engineering is an AMER-only "domain local" group with GID 1041.

AdmSpike_White (account resides in AMER.DELL.COM)

tokengroups-enabled SSSD:

        uid=2025431(admspike_white) gid=2025431(admspike_white) groups=2025431(admspike_white),1002(amerlinuxeng)

vas:

        uid=2025431(admspike_white) gid=2025431(admspike_white) groups=2025431(admspike_white),1002(amerlinuxeng),1041(linux-core-engineering),1069(users)

diff:

        1041(linux-core-engineering),1069(users)

linux-core-engineering is an AMER-only "domain local" group with GID 1041.

users is an AMER-only "builtin local" group with GID 1069.

AdmCesar_Guillen (account found in AMER.DELL.COM)

NOTE: AdmCesar_Guillen is found in AMERICAS.

tokengroups-enabled SSSD:

        uid=2669411(admcesar_guillen) gid=2669411(admcesar_guillen) groups=2669411(admcesar_guillen),1010(amerunixusers)

vas:

        uid=2669411(admcesar_guillen) gid=2669411(admcesar_guillen) groups=2669411(admcesar_guillen),1033(amer_server_mgmt),1002(amerlinuxeng),1010(amerunixusers),2284031(esg_bios_code_rw)

diff:

        1033(amer_server_mgmt),1002(amerlinuxeng),2284031(esg_bios_code_rw)

amer_server_mgmt is an AMER global group with GID 1033.  <--- why is sssd not reporting this?!?

amerlinuxeng is a universal AD group with GID 1002.  <--- why is sssd not reporting this?!?  It's reported for AdmSpike_White, but not for AdmPatrick_Wheeler or AdmCesar_Guillen.

esg_bios_code_rw is a universal AD group with GID 2284031.  <--- why is sssd not reporting this?!?

Admpatrick_wheeler (account resides in AMER.DELL.COM)

tokengroups-enabled SSSD:

uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) groups=2604370(admpatrick_wheeler),1010(amerunixusers)

tokengroups-disabled SSSD:

uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1010(amerunixusers),1003(amerlinuxsup),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),2283577(delta_bd_create_emea),2283643(gebs_read_prd),2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),2283869(cowcprodsupport)

vas:

uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)

diff is:

1033(amer_server_mgmt)

1003(amerlinuxsup)

amer_server_mgmt is an AMER global group with GID 1033.  <--- why is sssd not reporting this?!?

amerlinuxsup is an AMER universal group with GID 1003.
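Every account above is compared by hand: the `id` output from the tokengroups-enabled SSSD host against the VAS (or tokengroups-disabled) output, then the missing GIDs are picked out by eye. The script below automates that diff. It is an added example, not part of the original post and not sssd's own tooling; the `id` lines it embeds are copied from the write-up above as sample input, and every function name in it is my own.

```python
import re
from typing import Dict, Tuple

# Sample input: `id` output for two of the accounts above, copied from the
# write-up as constructed test data (tokengroups-enabled SSSD vs. VAS).
SSSD_TOKENGROUPS = {
    "admjesse_chan": (
        "uid=525641(admjesse_chan) gid=525641(admjesse_chan) "
        "groups=525641(admjesse_chan),1008(apacunixusers),1000(apaclinuxeng),1001(apaclinuxsup)"
    ),
    "admpatrick_wheeler": (
        "uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) "
        "groups=2604370(admpatrick_wheeler),1010(amerunixusers)"
    ),
}

VAS_REFERENCE = {
    "admjesse_chan": (
        "uid=525641(admjesse_chan) gid=525641(admjesse_chan) "
        "groups=525641(admjesse_chan),1000(apaclinuxeng),1001(apaclinuxsup),"
        "1008(apacunixusers),1041(linux-core-engineering),1069(users)"
    ),
    "admpatrick_wheeler": (
        "uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) "
        "groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)"
    ),
}

# One "gid(name)" entry as printed by id(1).
GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(line: str) -> Dict[int, str]:
    """Return {gid: group name} from the groups= field of one `id` output line."""
    match = re.search(r"\bgroups=(\S+)", line)
    if not match:
        raise ValueError("no groups= field in: %r" % line)
    return {int(gid): name for gid, name in GROUP_RE.findall(match.group(1))}


def diff_memberships(observed: str, reference: str
                     ) -> Tuple[Dict[int, str], Dict[int, str], Dict[int, Tuple[str, str]]]:
    """Compare one account's id output against a reference.

    Returns (missing, extra, renamed):
      missing - GIDs the reference lists but the observed output lacks
      extra   - GIDs the observed output lists but the reference lacks
      renamed - GIDs present in both that resolve to different names
    """
    obs = parse_id_groups(observed)
    ref = parse_id_groups(reference)
    missing = {gid: ref[gid] for gid in ref if gid not in obs}
    extra = {gid: obs[gid] for gid in obs if gid not in ref}
    renamed = {gid: (obs[gid], ref[gid]) for gid in obs
               if gid in ref and obs[gid] != ref[gid]}
    return missing, extra, renamed


def report(observed_by_user: Dict[str, str], reference_by_user: Dict[str, str]):
    """Run diff_memberships for every account present in both maps."""
    return {
        user: diff_memberships(observed_by_user[user], reference_by_user[user])
        for user in reference_by_user
        if user in observed_by_user
    }


def format_diff(gids: Dict[int, str]) -> str:
    """Render {gid: name} the way `id` prints it, e.g. 1041(linux-core-engineering),1069(users)."""
    return ",".join("%d(%s)" % (gid, gids[gid]) for gid in sorted(gids))


if __name__ == "__main__":
    for user, (missing, extra, renamed) in report(SSSD_TOKENGROUPS, VAS_REFERENCE).items():
        print("%s: missing=%s extra=%s renamed=%s" % (
            user, format_diff(missing) or "-", format_diff(extra) or "-", renamed or "-"))
```

To use it on a real comparison, run `id <account>` on a host with ldap_use_tokengroups = True and on the reference host (VAS, or sssd with ldap_use_tokengroups = False) and paste each line into the two maps. The `renamed` result is there for the cross-domain case noted for 'users' above: the same GID resolving to a different group name on the two hosts is worth flagging separately from a plain missing group, because it points at a GID collision between domains rather than at tokengroups dropping a membership.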

 

 




Here is my /etc/sssd/sssd.conf file:

[nss]
debug_level = 9
filter_groups = root
filter_users = root
#entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[sssd]
debug_level = 6
#domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com
# Unnecessary.  If missing, will search in order specified in "domains" lines above.
#domain_resolution_order = amer.dell.com, emea.dell.com, apac.dell.com, japn.dell.com, dell.com
config_file_version = 2
services = nss,pam
reconnection_retries = 3
#ldap_user_member_of = member

[pam]
pam_verbosity = 3
debug_level = 9

[domain/amer.dell.com]
debug_level = 9
id_provider = ad
access_provider = simple
#access_provider = ad
auth_provider = ad
ad_domain = amer.dell.com
krb5_realm = AMER.DELL.COM
default_shell = /bin/bash
#use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none

auto_private_groups = True
realmd_tags = joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
fallback_homedir = /home/%u
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell.com@AMER.DELL.COM
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealmd02@AMER.DELL.COM
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
dyndns_update = False
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = amerlinuxsup@AMER.DELL.COM, amerlinuxeng@AMER.DELL.COM, emealinuxsup@EMEA.DELL.COM, AMER.DELL.COM, emealinuxeng@EMEA.DELL.COM, apaclinuxsup@EMEA.DELL.COM, apaclinuxeng@EMEA.DELL.COM

# also look at https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html

[domain/apac.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = apac.dell.com
krb5_realm = APAC.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell.com@AMER.DELL.COM
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealmd02@AMER.DELL.COM
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, apac.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = apaclinuxsup@APAC.DELL.COM, apaclinuxeng@APAC.DELL.COM

[domain/emea.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = emea.dell.com
krb5_realm = EMEA.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell.com@AMER.DELL.COM
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealmd02@AMER.DELL.COM
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = emealinuxsup@EMEA.DELL.COM, emealinuxeng@EMEA.DELL.COM

[domain/japn.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = japn.dell.com
krb5_realm = JAPN.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell.com@AMER.DELL.COM
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealmd02@AMER.DELL.COM
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, japn.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = japnlinuxsup@JAPN.DELL.COM, japnlinuxeng@JAPN.DELL.COM