On (18/12/14 22:55), John Beranek wrote:
OK, so all the workaround config changes are either useless or
we're still left with the problem. I can provide logs, but I'd rather not
provide them publicly as they provide too many internal details I'd think...
We join computers to the domain using "kinit <domain_admin_user> && net
The Red Hat support engineer had me enable debug in various SSSD sections,
and also provide the output from ldbsearch.
Just for the record, in case anybody else has the same issue.
I exchanged many emails with John about this bug and we found out
this bug is not related to tokengroups at all. The problem is with processing
nested groups. They have many groups and a complicated structure.
We were able to get some groups with "ldap_group_nesting_level = 1".
It is not a solution because they need to use at least the default nesting level (2).
The processed nested groups are stored in a wrong state:
some groups have gidNumber 0 and contain some members.
ldbsearch -H var/lib/sss/db/cache_domain.ldb "(&(gidNumber = 0)(member =
BTW, tokengroups was not used because the Windows Server 2003 Functional Level
was in use, and the default version of sssd in el6.6 requires the
Windows Server 2008 Functional Level for tokengroups.
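As an added example (not code from this thread or from the SSSD project), here is a small Python script that scans the LDIF output of an ldbsearch query against the SSSD cache for the inconsistent state described above: group entries with gidNumber 0 that still carry member attributes. The sample LDIF is constructed, the cache path and the objectClass=group / gidNumber / member attribute layout are assumptions about the sysdb schema, and the domain name is a placeholder.

```python
"""Flag SSSD cache group entries with gidNumber 0 that still have members.

Added example, not from the thread. It reads the LDIF that ldbsearch prints, e.g.

    ldbsearch -H /var/lib/sss/db/cache_example.com.ldb "(objectClass=group)"

The sample below is constructed; the dn layout and attribute names
(objectClass=group, gidNumber, member) are assumed from the SSSD sysdb schema.
"""
from typing import Dict, List

# Constructed sample: three cached groups, one of them in the bad state.
SAMPLE_LDIF = """\
# record 1
dn: name=admins@example.com,cn=groups,cn=example.com,cn=sysdb
objectClass: group
name: admins@example.com
gidNumber: 10001
member: name=alice@example.com,cn=users,cn=example.com,cn=sysdb

# record 2
dn: name=nested-ops@example.com,cn=groups,cn=example.com,cn=sysdb
objectClass: group
name: nested-ops@example.com
gidNumber: 0
member: name=bob@example.com,cn=users,cn=example.com,cn=sysdb
member: name=admins@example.com,cn=groups,cn=example.com,cn=sysdb

# record 3
dn: name=incomplete@example.com,cn=groups,cn=example.com,cn=sysdb
objectClass: group
name: incomplete@example.com
gidNumber: 0

# returned 3 records
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: a blank line ends an entry, '#' lines are comments,
    lines starting with a space continue the previous attribute value, and a
    repeated attribute (e.g. several member: lines) accumulates into a list."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        # "attr:: base64" values are kept raw here; this check only needs
        # objectClass, gidNumber and member, which ldbsearch prints as plain text.
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_gid0_groups_with_members(text: str) -> List[str]:
    """Return the DNs of group entries that have gidNumber 0 and at least one
    member: the inconsistent state that nested-group processing left behind."""
    bad = []
    for entry in parse_ldif(text):
        if "group" not in entry.get("objectClass", []):
            continue
        if entry.get("gidNumber") == ["0"] and entry.get("member"):
            bad.append(entry["dn"][0])
    return bad


if __name__ == "__main__":
    import sys
    # Pipe real ldbsearch output in, or fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for dn in find_gid0_groups_with_members(data):
        print("gidNumber 0 with members:", dn)
```

Run it as `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb "(objectClass=group)" | python3 check_gid0.py` (script name and cache file name assumed). Entries with gidNumber 0 and no members are not reported, since an incomplete placeholder without members is a different, less surprising state than a group that has members but no usable GID.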