On Tue, Mar 17, 2015 at 02:48:25PM +0100, Domenico Viggiani wrote:
-----Original Message-----
So far it looks like a bug in SSSD. Are you using ID mapping? (ldap_id_mapping either True or unset).
# cat /etc/sssd/sssd.conf
[sssd]
domains = MYDOMAIN.COM
config_file_version = 2
services = nss, pam
default_domain_suffix= MYDOMAIN.COM
debug_level = 7

[pam]
debug_level = 7

[domain/MYDOMAIN.COM]
ad_domain = MYDOMAIN.COM
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# use_fully_qualified_names = True
fallback_homedir = /home/AD/%u
override_homedir = /home/AD/%u
access_provider = simple
simple_allow_groups = ITAD
debug_level = 7
Then I'm 100% sure we have a bug. The group shouldn't have the non-posix flag after it was updated.
Can you tell us anything about this group:
(Mon Mar 16 16:57:52 2015) [sssd[be[MYDOMAIN.COM]]] [sdap_save_group] (0x1000): Mapping group [Organigramma] objectSID [S-1-5-21-2248061571-2151176789-1472819363-28039] to unix ID
Is it from the same domain? What type does the group have?