sssd active directory joined rhel 9.1 server still randomly assigning uid

We have a server that we've connected to a domain using:
realm join

It is connected, and users are able to log on. We are having issues with permissions on NFS shares though, as the rest of the network uses set uid and gid numbers for users/groups. These are all defined on the Active Directory user object as attributes. We have the uid and uidnumber defined for all users, and the gid and gidnumber assigned for all groups. This has worked in the past just fine on RHEL 8.6 servers using winbind. We decided to try using sssd on this server as it appears to be the more supported and suggested way to do things. We followed the instructions in the article to use POSIX attributes...

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#using-posix-attributes-defined-in-active-directory_connecting-directly-to-ad

But after clearing the sssd database and restarting the sssd service we still get a random uidnumber when querying a user either with "getent passwd user@domain" or with "id user@domain". I've spent hours trying to figure out what we are missing to get sssd to use our defined uidnumber in Active Directory. Here's our sssd.conf....

[sssd]
domains = abccompany.local
config_file_version = 2
services = nss, pam
default_domain_suffix = ABCCOMPANY.LOCAL
debug_level = 9

[domain/abccompany.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = ABCCOMPANY.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = abccompany.local
use_fully_qualified_names = True
ldap_id_mapping = false
access_provider = simple
simple_allow_groups = somegroup
simple_allow_users = someuser

Any suggestions?
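
A diagnostic for the situation described above, as an added example that is not part of the original post or of SSSD itself: it reads the effective ldap_id_mapping value from an sssd.conf and checks whether a UID returned by getent matches the AD uidNumber or falls in SSSD's default SID-mapping range. The function names, the user jdoe, and the UID values are constructed for illustration.

```python
import configparser

# SSSD's documented defaults for algorithmic SID-to-ID mapping
# (ldap_idmap_range_min / ldap_idmap_range_max).
IDMAP_RANGE_MIN = 200000
IDMAP_RANGE_MAX = 2000200000

# Constructed sample: a trimmed copy of the domain section from the post.
SAMPLE_CONF = """\
[sssd]
domains = abccompany.local
services = nss, pam

[domain/abccompany.local]
id_provider = ad
fallback_homedir = /home/%u@%d
ldap_id_mapping = false
"""

def id_mapping_enabled(conf_text, domain):
    """Return the effective ldap_id_mapping value for [domain/<domain>]."""
    # interpolation=None: sssd.conf values such as /home/%u@%d contain '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = "domain/" + domain
    if not cp.has_section(section):
        raise KeyError("no [%s] section" % section)
    # With id_provider = ad, ID mapping is on unless explicitly disabled.
    default = cp.get(section, "id_provider", fallback="") == "ad"
    return cp.getboolean(section, "ldap_id_mapping", fallback=default)

def classify_uid(passwd_line, ad_uidnumber):
    """Say where the UID in a `getent passwd` line appears to come from."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd entry: %r" % passwd_line)
    uid = int(fields[2])
    if uid == ad_uidnumber:
        return "posix-attribute"   # matches the uidNumber stored in AD
    if IDMAP_RANGE_MIN <= uid <= IDMAP_RANGE_MAX:
        return "id-mapped"         # inside the default SID-mapping range
    return "other"

if __name__ == "__main__":
    # Constructed getent output and uidNumber; replace with real values.
    line = ("jdoe@abccompany.local:*:1469201105:1469200513:J Doe:"
            "/home/jdoe@abccompany.local:/bin/bash")
    print("ldap_id_mapping:", id_mapping_enabled(SAMPLE_CONF, "abccompany.local"))
    print("uid source:", classify_uid(line, 10001))
```

If the file reports ldap_id_mapping as False while the UID still classifies as "id-mapped", the answer is not coming from that setting, which narrows the search to what the running daemon actually loaded or cached.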

Responses