Upgrading sssd 1.14 to 1.15 causes missing groups for some Active Directory users.

Solution Verified - Updated -

Issue

  • On sssd-1.14, all group memberships are visible for all AD users, e.g. with id username@ad.example.com.
  • On sssd-1.15, some AD users are fine, while others show only one group.
  • On sssd-1.16, all AD users show only the main group.
  • No changes have been made to the SSSD configuration file.

When running sssd-1.15 and above, SSSD discovers all the subdomains, which causes the following two issues:

  • Some users have group memberships from domains that are not accessible, which causes initgroups requests to fail.
  • There may be an idmap collision between the domains where groups went missing.

Environment

  • Red Hat Enterprise Linux 7
  • SSSD
    • 1.14
    • 1.15
    • 1.16
