Hi,
I've been investigating problems with the SSSD 1.11 versions supplied in RHEL/CentOS 6.6 for a while now. I've followed:
https://access.redhat.com/solutions/1264443
https://fedorahosted.org/sssd/ticket/2472
and also created a case with Red Hat support. However, I'm still no closer to solving the issue.
After updating servers to the SSSD in 6.6, intermittently (for particular users but not on all servers, and not necessarily all the time) users don't get their supplementary groups. e.g.:
[root@rhel6-template sssd]# id matthewbe
uid=46721(matthewbe) gid=20513(domain users) groups=20513(domain users)
This is with the latest SSSD on a RHEL6.6 server, i.e.:
sssd-1.11.6-30.el6_6.3.x86_64
Our environment is Windows 2003 AD controllers, and users *without* POSIX attributes in their AD records. So, snippets of sanitised sssd.conf:
[domain/AD]
debug_level = 9
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

ad_server = dc01.local,dc02.local
ad_backup_server = ad.local
ad_domain = ad.local

# ID mapping
min_id = 20000
ldap_idmap_range_min = 20000
#ldap_idmap_range_max = 220000
ldap_idmap_range_size = 200000
ldap_idmap_default_domain_sid = S-1-5-21-2365159532-2245169678-2931239768
ldap_schema = ad
ldap_id_mapping = true
override_homedir = /home/AD/%u
override_shell = /bin/bash

# access controls
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

# performance
ldap_referrals = false
I've tried a few config changes to fix the issue, but none has fixed it, including:
ldap_use_tokengroups = False
ldap_group_objectsid = objectSID
ldap_user_objectsid = objectSID
ldap_deref_threshold = 0
ldap_schema = rfc2307bis
Given Red Hat support hasn't been able to fix our issue, what else can I do?
Cheers,
John
sssd-users@lists.fedorahosted.org