Regression in LDAP sssd provider causes group membership resolution failures for users on RHEL 7.5
Issue
Some groups are missing while doing id lookups for LDAP backend users.
For example, id username on RHEL 7.5 (sssd 1.16) returns:
uid=1205(mattg) gid=5005 groups=5005,3015,3025,3010,3000
On RHEL 7.3 (sssd 1.14) the same lookup returns:
uid=1205(mattg) gid=5005(Staff) groups=5005(Staff),10(wheel),3015(fuse),3010(vglusers),3000(PowerUser),3025(Singularity)
For this issue to occur, you need two domains of any kind, for example:
[domain/local]
min_id = 1
max_id = 100
id_provider = local
[domain/ldap]
...ldap options as appropriate
The important part is to have multiple domains, with ID limits set in the first domain. Then try to resolve anything by ID from the second domain, making sure the ID is outside the limits of the first domain. For example, if there is a user with UID 1234 from the LDAP domain, then calling:
$ getent passwd 1234
would fail with sssd 1.16.0-19.
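To check whether a host's sssd.conf has the shape described above, the following added example (not Red Hat's or the sssd project's code) parses the configuration and reports whether a given ID falls outside the first domain's limits. The [sssd] domains line, the ldap_uri value and the function names are assumptions made for the example.

```python
import configparser

# Constructed sample mirroring the article's two-domain layout; the [sssd]
# section and the ldap_uri value are assumptions added for this example.
SAMPLE_CONF = """\
[sssd]
domains = local, ldap

[domain/local]
min_id = 1
max_id = 100
id_provider = local

[domain/ldap]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
"""

def domain_order(cfg):
    """Domain names in lookup order: the [sssd] domains list, else file order."""
    listed = cfg.get("sssd", "domains", fallback="")
    names = [d.strip() for d in listed.split(",") if d.strip()]
    if names:
        return names
    return [s.split("/", 1)[1] for s in cfg.sections() if s.startswith("domain/")]

def matches_trigger(conf_text, lookup_id):
    """True if there are 2+ domains and lookup_id is outside the first domain's ID limits."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    order = domain_order(cfg)
    if len(order) < 2:
        return False
    first = f"domain/{order[0]}"
    lo = cfg.getint(first, "min_id", fallback=None)
    hi = cfg.getint(first, "max_id", fallback=None)
    # max_id = 0 is sssd's "no upper limit" value, so it never excludes an ID.
    below = lo is not None and lookup_id < lo
    above = hi is not None and hi != 0 and lookup_id > hi
    return below or above

if __name__ == "__main__":
    for uid in (50, 1234):
        print(uid, "matches trigger condition:", matches_trigger(SAMPLE_CONF, uid))
```

A True result only means the configuration matches the reproducer; whether lookups actually fail still depends on the installed sssd version listed under Environment.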
Environment
Red Hat Enterprise Linux 7.5
sssd 1.16.0-19