What is the appropriate usage of these scripts? Should I run "stap
nested_group_perf.stp" and in another terminal run id $username or su - $username?
Also, I have set up a new Fedora 24 VM with sssd 1.14.2. I am not sure what is going on,
but there appear to be some issues with group lookups and now it is affecting sudo. I
have not encountered these issues on Ubuntu 16.04 with sssd 1.13 so far.
1. Adding an AD group, say, MY.DOMAIN\\linuxadmins, to /etc/sudoers,
"%MY.DOMAIN\\linuxadmins ALL=(ALL) ALL" does not allow group members to elevate
privileges. I have verified the users are in the group via id, and I have verified the
group contains the users via "getent group MY.DOMAIN\\linuxadmins". However,
simply adding the users directly to /etc/sudoers allows elevation.
2. Users are not seen as members of groups after attempting to elevate with sudo. As in, id
and getent group no longer show the user as belonging to that group.
I also noticed the following error from systemctl status sssd (potentially same as
"Nov 21 10:25:00 fc24-vm.my.domain sssd[nss]: More groups have the same GID
in directory server. SSSD will not work correctly."
This appears to be resolved by modifying ldap_idmap settings. For example:
I am now very concerned that 1.14 means I cannot use sssd for non-graphical environments
if sudo cannot find group members.