Upgrading sssd 1.14 to 1.15 causes missing groups for some Active Directory users.
Issue
- On sssd-1.14 we can see all group memberships for all AD users, e.g.
  id username@ad.example.com
- On sssd-1.15 some AD users are fine, some only show one group.
- On sssd-1.16 all AD users only show their main group.
- No changes have been made on the sssd configuration file.
When running sssd-1.15 and above, SSSD discovers all the subdomains, which caused the following two issues:
- Some users have group memberships from domains which are not accessible, which causes initgroups request failures.
- There may be an idmap collision between the domains where groups went missing.
Environment
- Red Hat Enterprise Linux 7
- SSSD
  - 1.14
  - 1.15
  - 1.16