On 27 Jan 2016, at 17:46, Jakub Hrozek <jhrozek@redhat.com> wrote:

On Wed, Jan 27, 2016 at 05:42:02PM +0100, Bolke de Bruin wrote:
Hello,

I have sssd 1.13.00 working against a FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.

One of the systems we are using requires enumerating all users in groups by (unfortunate) design (Apache Ranger). This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought we would
add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information, sometimes it does not:

[root@master centos]# getent group ad_users
ad_users:*:1950000004:

[root@master centos]# id bolke@ad.local
UID=1796201107(bolke@ad.local) GID=1796201107(bolke@ad.local) groepen=1796201107(bolke@ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local)

[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local

If I clear the cache (sss_cache -E) the entry is gone again:

[root@master centos]# getent group ad_users
ad_users:*:1950000004:

My question is how do I get sssd to enumerate *all users* in a group consistently?

Thanks!
Bolke

ad_users is an IPA group that contains an IPA external group that
contains the users, right?

Correct.


If so, then you're hitting:
   https://fedorahosted.org/sssd/ticket/2522
I've been working on fixing this lately and have some patches, would you
like to test them?

Sure. I would prefer RPMs (this is on RHEL 6 and 7) but I can compile if required.
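An added check, not part of this thread, that parses "getent group" output and reports members that appear or vanish between two snapshots of the same group, which is the inconsistency described above; the sample lines are constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: parse "getent group" output and
# compare two snapshots of the same group, to catch the member list
# changing between calls (empty, then populated after "id <user>",
# empty again after "sss_cache -E").

# Print the members of a getent group line (4th colon-separated field),
# one per line, sorted so that two snapshots can be compared.
getent_members() {
    # $1 = line in "name:passwd:gid:member1,member2" format
    printf '%s\n' "$1" | awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' | sort
}

# Compare two getent lines for the same group.  Prints "+member" for
# members present only in the second snapshot and "-member" for members
# present only in the first; prints nothing when the lists agree.
compare_group_snapshots() {
    first=$(getent_members "$1")
    second=$(getent_members "$2")
    printf '%s\n' "$second" | while read -r m; do
        [ -n "$m" ] || continue
        printf '%s\n' "$first" | grep -qxF -- "$m" || printf '%s%s\n' '+' "$m"
    done
    printf '%s\n' "$first" | while read -r m; do
        [ -n "$m" ] || continue
        printf '%s\n' "$second" | grep -qxF -- "$m" || printf '%s%s\n' '-' "$m"
    done
}

# Constructed sample snapshots mirroring the thread: the first call to
# "getent group ad_users" returns no members, the second returns
# bolke@ad.local once the per-user cache entry has been populated.
SNAP_BEFORE='ad_users:*:1950000004:'
SNAP_AFTER='ad_users:*:1950000004:bolke@ad.local'

compare_group_snapshots "$SNAP_BEFORE" "$SNAP_AFTER"
# prints: +bolke@ad.local
```

In practice the two snapshots would be the output of `getent group <name>` taken at different times (for example before and after `sss_cache -E`), so any non-empty output flags a group whose enumeration is not stable.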