Regression in LDAP sssd provider causes group membership resolution to fail for users on RHEL 7.5

Solution In Progress - Updated -

Issue

Some groups are missing while doing id lookups for LDAP backend users.

For example, running id username on RHEL 7.5 (sssd 1.16) returns:

uid=1205(mattg) gid=5005 groups=5005,3015,3025,3010,3000

On RHEL 7.3 (sssd 1.14), the same lookup returns:

uid=1205(mattg) gid=5005(Staff) groups=5005(Staff),10(wheel),3015(fuse),3010(vglusers),3000(PowerUser),3025(Singularity)

For this issue to occur, you need to have two domains, of any kind, for example:

[domain/local]
min_id = 1
max_id = 100
id_provider = local

[domain/ldap]
...ldap options as appropriate

The important part is to have multiple domains, with ID limits set in the first domain. Then try to resolve any entry by ID from the second domain, using an ID that is outside the limits of the first domain. For example, if there is a user with UID 1234 in the LDAP domain, then calling:

$ getent passwd 1234

would fail with sssd 1.16.0-19.
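
A check for the configuration shape described above, as an added example that is not part of the original article: it parses an sssd.conf, takes the first domain in lookup order, and reports whether a given ID falls outside that domain's min_id/max_id limits. The [sssd] domains line, the ldap domain's id_provider value and the function names are assumptions made for the example.

```python
import configparser

# Constructed sample mirroring the article's layout; the [sssd] section and
# the ldap domain's id_provider line are assumptions added for completeness.
SAMPLE_CONF = """
[sssd]
domains = local, ldap

[domain/local]
min_id = 1
max_id = 100
id_provider = local

[domain/ldap]
id_provider = ldap
"""

def domain_order(cp):
    """Domains in lookup order: the [sssd] 'domains' list, else file order."""
    listed = cp.get("sssd", "domains", fallback="")
    names = [d.strip() for d in listed.split(",") if d.strip()]
    if not names:
        names = [s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")]
    return [n for n in names if cp.has_section("domain/" + n)]

def id_limits(cp, name):
    """Explicitly configured (min_id, max_id); None where no limit is set."""
    sec = "domain/" + name
    lo = cp.getint(sec, "min_id", fallback=None)
    hi = cp.getint(sec, "max_id", fallback=None)
    return lo, (hi or None)  # max_id = 0 means "no limit" in sssd.conf(5)

def matches_trigger(conf_text, lookup_id):
    """True when there are two or more domains, the first one has ID limits,
    and lookup_id lies outside those limits."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    order = domain_order(cp)
    if len(order) < 2:
        return False
    lo, hi = id_limits(cp, order[0])
    if lo is None and hi is None:
        return False
    return (lo is not None and lookup_id < lo) or (hi is not None and lookup_id > hi)

if __name__ == "__main__":
    print(matches_trigger(SAMPLE_CONF, 1234))
```

This only identifies the configuration shape; whether a host is affected also depends on running the sssd version listed under Environment.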

Environment

Red Hat Enterprise Linux 7.5
sssd 1.16.0-19
