On Tue, Apr 11, 2017 at 04:39:49PM -0600, Joshua Schaeffer wrote:
> Wondering if somebody can help me decipher why I don't get anything back
> when I run a getent group command, but in the SSSD logs I see that SSSD
> finds a group in Active Directory. I'm running this command, which returns
> nothing.
>
> root@ultralisk:~# getent group 'WINNT\Domain Admins'
>
> When I run that command, two SSSD logs get updated; my domain's log
> (sssd_WINNT.log) and the nss service log (sssd_nss.log). In the domain log
> I get the following
[...]
Here is the reason:
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and
setting GID=0!
So the group was found and saved, but SSSD decided the group is not
eligible to be returned for the OS. This could be because SSSD filtered
the group type (domain-local groups from trusted domains are filtered)
or because SSSD is configured to use POSIX attributes, but the
object doesn't have them.
Increasing the debug_level some more would show more messages,