What is the appropriate usage of these scripts? Should I run "stap nested_group_perf.stp" and in another terminal run id $username or su - $username ?.
Also I have setup a new Fedora 24 VM with sssd 1.14.2. I am not sure what is going on, but there appears to be some issues with group lookups and now it is affecting sudo. I have not encountered these issues on Ubuntu 16.04 with sssd 1.13 so far.
1. Adding an AD group, say, MY.DOMAIN\linuxadmins, to /etc/sudoers, "%MY.DOMAIN\linuxadmins ALL=(ALL) ALL" does not allow group members to elevate privileges. I have verified the users are in the group via id, and I have verified the group contains the users via "getent group MY.DOMAIN\linuxadmins". However simply adding the users directly to /etc/sudoers allows elevation.
2. Users are not seen as members of groups after attempting to elevate with sudo. As in id and getent group no longer show the user as belonging to that group. I also noticed the following error from systemctl status sssd (potentially same as fedorahosted.org/sssd/ticket/2982):
"Nov 21 10:25:00 fc24-vm.my.domain sssd[nss][729]: More groups have the same GID [965793034]in directory server. SSSD will not work correctly."
This appears to be resolved by modifying ldap_idmap settings. For example:
ldap_idmap_range_min=100000 ldap_idmap_range_max=2000100000 ldap_idmap_range_size=2000000000
I am now very concerned that 1.14 means I cannot use sssd for non-graphical environments if sudo cannot find group members.