On Wed, Aug 31, 2016 at 04:36:58AM -0000, Daniel Hermans wrote:
> Thanks Jakub,
> I added as you suggested and can log in! Thanks so much! Couldn't find this option in man pages etc. What does this magic flag do exactly?
Oops, I'm sorry, this is a manpage bug. I will fix the man pages. (I'm not sure if it makes sense to document the option in full or just document that this needs to be set for ID mapping with LDAP.)
It's an attribute used purely for ID mapping with AD and normally it corresponds to https://msdn.microsoft.com/en-us/library/ms679375(v=vs.85).aspx
> The primary group (a mash of some large number with 513 on the end - Domain Users) is coming up numeric - would you recommend a local /etc/group entry to deal with this?
Hmm, strange, this doesn't happen in my setup. If you run "sss_cache -E" and then "getent group $number", you should see SSSD converting the GID to SID and searching for the SID on the AD side. Does that emit any errors in the log?