I've been investigating problems with the SSSD 1.11 versions supplied in RHEL/CentOS 6.6 for a while now. I've followed:


and also created a case with Red Hat support. However, I'm still no closer to solving the issue.

After updating servers to the SSSD in 6.6, intermittently (for particular users but not on all servers, and not necessarily all the time) users don't get their supplementary groups, e.g.:

[root@rhel6-template sssd]# id matthewbe
uid=46721(matthewbe) gid=20513(domain users) groups=20513(domain users)

This is with the latest SSSD on a RHEL6.6 server, i.e.:


Our environment is Windows 2003 AD controllers, and users *without* POSIX attributes in their AD records. So, snippets of sanitised sssd.conf:

debug_level = 9
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

ad_server = dc01.local,dc02.local
ad_backup_server = ad.local
ad_domain = ad.local

# ID mapping
min_id = 20000
ldap_idmap_range_min = 20000
#ldap_idmap_range_max = 220000
ldap_idmap_range_size = 200000
ldap_idmap_default_domain_sid = S-1-5-21-2365159532-2245169678-2931239768
ldap_schema = ad
ldap_id_mapping = true
override_homedir = /home/AD/%u
override_shell = /bin/bash

# access controls
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

# performance
ldap_referrals = false

I've tried a few config changes to fix the issue, but none has fixed it, including:

ldap_use_tokengroups = False
ldap_group_objectsid = objectSID
ldap_user_objectsid = objectSID
ldap_deref_threshold = 0
ldap_schema = rfc2307bis

Given Red Hat support hasn't been able to fix our issue, what else can I do?



John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                                 -- William Blake
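
One way to measure how often the symptom described in the post occurs across users and servers, as an added example that is not part of the original message: it parses collected `id` output and flags accounts whose group list holds only the primary group. The function names and every sample line except the `matthewbe` one are constructed for illustration.

```python
import re

# Format of `id <user>` output as shown in the post. Group names may contain
# spaces ("domain users"), and SELinux hosts may append a context= field.
ID_LINE = re.compile(
    r"uid=(?P<uid>\d+)\((?P<user>[^)]*)\)\s+"
    r"gid=(?P<gid>\d+)(?:\([^)]*\))?\s+"
    r"groups=(?P<groups>.*?)(?:\s+context=\S+)?\s*$"
)
# One entry of the groups= list; the name is absent when a GID does not resolve.
GROUP = re.compile(r"(\d+)(?:\(([^)]*)\))?")


def parse_id_line(line):
    """Return (user, primary_gid, {gid: name}), or None if not `id` output."""
    m = ID_LINE.search(line)
    if not m:
        return None
    groups = {int(g): name for g, name in GROUP.findall(m.group("groups"))}
    return m.group("user"), int(m.group("gid")), groups


def primary_only(lines):
    """Users whose group list contains nothing beyond the primary group."""
    flagged = []
    for line in lines:
        parsed = parse_id_line(line)
        if parsed is None:
            continue  # shell prompts, blank lines, error messages
        user, gid, groups = parsed
        if set(groups) <= {gid}:
            flagged.append(user)
    return flagged


# First two lines are from the post; the rest are constructed sample data.
SAMPLE = [
    "[root@rhel6-template sssd]# id matthewbe",
    "uid=46721(matthewbe) gid=20513(domain users) groups=20513(domain users)",
    "uid=46722(exampleuser) gid=20513(domain users) "
    "groups=20513(domain users),21105(linux admins),20512(domain admins)",
    "uid=46723(otheruser) gid=20513(domain users) groups=20513(domain users) "
    "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
]

if __name__ == "__main__":
    for name in primary_only(SAMPLE):
        print("only primary group resolved:", name)
```

A flagged account is not necessarily broken, since some users legitimately belong to no group other than the primary one, so compare the result against the memberships recorded in AD.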