Here is my domain section … reproducible every time if I clear the
sssd cache.
[domain/default]
debug_level = 9
id_provider = ad
auth_provider = ad
access_provider = ldap
chpass_provider = ad
ad_domain = dhe.duke.edu
ldap_search_base = DC=dhe,DC=duke,DC=edu
ldap_idmap_default_domain = dhe.duke.edu
ldap_sasl_mech = GSSAPI
ldap_user_principal = workAround
ldap_account_expire_policy = ad
ldap_access_order = expire
ldap_schema = ad
ldap_referrals = False
ldap_id_mapping = True
ldap_force_upper_case_realm = True
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(memberOf=CN=BIAC-Users,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu)
ldap_idmap_default_domain_sid = REMOVED
# "never" disables verification of the LDAP server certificate; "demand" (the default) with ldap_tls_cacert is the safe setting
ldap_tls_reqcert = never
case_sensitive = False
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600
krb5_ccachedir = /mnt/cluster_dhe/clustertmp/common/krb5ccache
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_realm = DHE.DUKE.EDU
# these will go away with IDMU uids
ldap_idmap_range_size = 20000000
ldap_idmap_range_min = 0
ldap_idmap_range_max = 2000000000
min_id = 500
override_gid = 197250
cache_credentials = True
ignore_group_members = True
You can have a different problem caused by id-mapping and
ignore_group_members being enabled at the same time.
@see
The second execution of "id user" does not return supplementary groups.
The workaround is to disable tokengroups for that domain:
man sssd.conf -> ldap_use_tokengroups
LS
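The combination LS points at (ldap_id_mapping and ignore_group_members both on, tokengroups still in use) is easy to miss in a long domain section, so here is a small lint that flags it and applies the workaround. This is an added example, not code from the thread or from the SSSD project; the function names (lint, fixed, as_bool) and the trimmed sample config are constructed for illustration. It treats tokengroups as in use unless ldap_use_tokengroups is explicitly False, and treats ldap_id_mapping as on by default when id_provider = ad, which matches the sssd-ad man page. The ldap_tls_reqcert check is a general hardening check added alongside, not something raised in the thread.

```python
"""Lint an sssd.conf for the id-mapping + ignore_group_members combination
discussed in the thread above, plus a TLS certificate-validation check.

Added example, not from the original thread or the SSSD project; the
function names and the embedded config are constructed here.
"""
import configparser
import io

# Constructed sample: a trimmed copy of the domain section posted above.
SAMPLE_CONF = """
[sssd]
domains = default
services = nss, pam

[domain/default]
id_provider = ad
ldap_id_mapping = True
ignore_group_members = True
ldap_tls_reqcert = never
"""

TRUTHY = {"true", "yes", "1", "on"}
FALSY = {"false", "no", "0", "off"}


def as_bool(value, default):
    """SSSD booleans are case-insensitive True/False; missing or unknown -> default."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in TRUTHY:
        return True
    if v in FALSY:
        return False
    return default


def parse_sssd_conf(text):
    parser = configparser.ConfigParser(
        interpolation=None,   # values carry %d/%U ccache templates
        delimiters=("=",),    # search bases and FILE: ccache names contain ':'
        strict=False,         # tolerate a duplicated key, as in the posted config
    )
    parser.read_string(text)
    return parser


def lint_domain(section, opts):
    """Return a list of findings for one [domain/...] section."""
    findings = []
    # The AD provider defaults to id mapping on; the ldap provider to off.
    id_mapping = as_bool(opts.get("ldap_id_mapping"),
                         opts.get("id_provider", "").strip().lower() == "ad")
    ignore_members = as_bool(opts.get("ignore_group_members"), False)
    # Only an explicit False disables tokengroups; assume they are in use otherwise.
    tokengroups = as_bool(opts.get("ldap_use_tokengroups"), True)
    if id_mapping and ignore_members and tokengroups:
        findings.append(
            f"{section}: ldap_id_mapping + ignore_group_members with tokengroups "
            "enabled; the second 'id user' may lose supplementary groups. "
            "Workaround: ldap_use_tokengroups = False"
        )
    if opts.get("ldap_tls_reqcert", "").strip().lower() == "never":
        findings.append(
            f"{section}: ldap_tls_reqcert = never disables LDAP server "
            "certificate verification (general hardening check)"
        )
    return findings


def lint(text):
    parser = parse_sssd_conf(text)
    findings = []
    for section in parser.sections():
        if section.startswith("domain/"):
            findings.extend(lint_domain(section, dict(parser[section])))
    return findings


def fixed(text):
    """Apply the thread's workaround in every domain section and return the
    rewritten config text (comments are not preserved by configparser)."""
    parser = parse_sssd_conf(text)
    for section in parser.sections():
        if section.startswith("domain/"):
            parser[section]["ldap_use_tokengroups"] = "False"
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("WARN", finding)
    print(fixed(SAMPLE_CONF))
```

Run it against a copy of /etc/sssd/sssd.conf (read it as root; the file is mode 0600) and confirm with `id user` run twice that the supplementary groups stay stable once the rewritten config is in place and the cache has been cleared.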