Upgrading sssd 1.14 to 1.15 causes missing groups for some Active Directory users.
Issue
- On sssd-1.14, all group memberships are shown for all AD users, e.g. when running id username@ad.example.com.
- On sssd-1.15, some AD users are fine, while others show only one group.
- On sssd-1.16, all AD users show only their main group.
- No changes have been made on the sssd configuration file.
When running sssd-1.15 and above, SSSD discovers all the subdomains, which causes the following two issues:
- Some users have group memberships from domains that are not accessible, which causes initgroups requests to fail.
- There may be an idmap collision between the domains where groups went missing.
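To see which users are affected, the output of id can be captured for each AD user before and after the upgrade and then compared. The script below is an added example, not part of the original article or of SSSD; the function name report_lost_groups and all users, IDs and group names in the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: diff `id` snapshots taken before and after an SSSD upgrade
# to list the group memberships each user lost.

# report_lost_groups BEFORE AFTER
# Each file holds one line of `id <user>` output per user.
# Prints "user: lost <group>" for every group present before but not after.
report_lost_groups() {
    awk '
    function parse(line, set,    user, g, n, i, parts) {
        sub(/ context=.*/, "", line)          # drop SELinux context if present
        user = line
        sub(/^uid=[0-9]+\(/, "", user); sub(/\) gid=.*/, "", user)
        sub(/.* groups=/, "", line)           # keep only the groups= field
        n = split(line, parts, ",")
        for (i = 1; i <= n; i++) {
            g = parts[i]                      # "GID(name)", or bare GID if unresolved
            sub(/^[0-9]+\(/, "", g); sub(/\)$/, "", g)
            set[user SUBSEP g] = 1
        }
    }
    NR == FNR { parse($0, before); next }     # first file: pre-upgrade snapshot
    { parse($0, after) }                      # second file: post-upgrade snapshot
    END {
        for (k in before) if (!(k in after)) {
            split(k, kv, SUBSEP)
            print kv[1] ": lost " kv[2]
        }
    }' "$1" "$2" | sort
}

# Constructed sample data: users, IDs and group names are made up.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/before" <<'EOF'
uid=1240001105(alice@ad.example.com) gid=1240000513(domain users@ad.example.com) groups=1240000513(domain users@ad.example.com),1240001200(linux-admins@ad.example.com),1876002310(app-ops@child.ad.example.com)
uid=1240001106(bob@ad.example.com) gid=1240000513(domain users@ad.example.com) groups=1240000513(domain users@ad.example.com),1240001201(dba@ad.example.com)
EOF
    cat > "$dir/after" <<'EOF'
uid=1240001105(alice@ad.example.com) gid=1240000513(domain users@ad.example.com) groups=1240000513(domain users@ad.example.com)
uid=1240001106(bob@ad.example.com) gid=1240000513(domain users@ad.example.com) groups=1240000513(domain users@ad.example.com),1240001201(dba@ad.example.com)
EOF
    report_lost_groups "$dir/before" "$dir/after"
    rm -rf "$dir"
}
demo
```

A user who is absent from the second snapshot is reported as having lost every group, which also surfaces accounts that no longer resolve at all.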
Environment
- Red Hat Enterprise Linux 7
- SSSD
  - 1.14
  - 1.15
  - 1.16
