Hi,
I am having a hard time tracking down an issue with SSSD 1.12.2 on Amazon Linux (Amazon
Linux only recently added SSSD to their yum repository, and 1.12.2 is the highest
available version). My user can authenticate to a Samba 4 directory server, but once
logged in, the “id” or “groups” command only displays the primary group, in this case the
“Domain Users” group:

uid=1115600500(administrator@[domain]) gid=1115600513(domain users@[domain]) groups=1115600513(domain users@[domain])

I want additional group memberships to be displayed so I can do things like allow members
of the Domain Admins group to have sudo access. Via ldapsearch, I can see that my user is
correctly a member of additional groups. If I stop the sssd service, delete files in
/var/lib/sss/mc and /var/lib/sss/db, and restart the service, all the groups are listed
correctly:

uid=1115600500(administrator@[domain]) gid=1115600513(domain users@[domain]) groups=1115600513(domain users@[domain]),1115600512(domain admins@[domain]),1115600518(schema admins@[domain]),1115600519(enterprise admins@[domain]),1115600520(group policy creator owners@[domain]),1115600572(denied rodc password replication group@[domain])

However, as soon as I log out and log back in, the problem occurs again and persists until
I repeat the process of deleting the sssd cached files and restarting sssd. This is my
sssd.conf file:

[sssd]
domains = [domain]
config_file_version = 2
services = nss, pam

[domain/[domain]]
ad_domain = [domain]
krb5_realm = [domain]
realmd_tags = manages-system joined-with-samba
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = False
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

An additional issue is that sometimes when I log in, the login process fails to complete.
In the messages log, I see the following:

kernel: [344799.794025] sssd_be[13204]: segfault at 10000 ip 00007f7b73965144 sp 00007ffe53541e70 error 4 in libsss_idmap.so.0.4.0[7f7b73962000+5000]
sssd[be[domain]]: Starting up

However, this does not always happen. I am not sure if this issue is related, but since it
segfaults when calling idmap I suspect it is.
Any ideas on what to do next would be appreciated!