attachment
sssd_global.log.id_after_groupinit_call

attachment
sssd_global.log.id_before_groupinit_call

I should note this is my current sssd.conf:

grep -Ev '^#|^$|\;' /etc/sssd/sssd.conf


[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
domains = global
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/global]
description = LDAP domain with AD server
ldap_uri = ldaps://server.domain.com
ldap_search_base = dc=domain,dc=com
ldap_schema = rfc2307bis
enumerate = False
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts/
ldap_tls_reqcert = demand
id_provider = ldap
chpass_provider = ldap
auth_provider = ldap
min_id = 1000
ldap_default_bind_dn = ldapbinddn@domain.com
ldap_default_authtok_type = password
ldap_default_authtok = <password>
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_force_upper_case_realm = True

_comment0: I should note this is my current sssd.conf:
grep -Ev '^#|^$|\;' /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
domains = global
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/global]
description = LDAP domain with AD server
ldap_uri = ldaps://server.domain.com
ldap_search_base = dc=domain,dc=com
ldap_schema = rfc2307bis
enumerate = False
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts/
ldap_tls_reqcert = demand
id_provider = ldap
chpass_provider = ldap
auth_provider = ldap
min_id = 1000
ldap_default_bind_dn = ldapbinddn@domain.com
ldap_default_authtok_type = password
ldap_default_authtok = <password>
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_force_upper_case_realm = True => 1333644904353327

Fields changed

description: service sssd stop
rm cache_domain*
service sssd start

getent passwd bkevan
bkevan:*:1000:1100:Ben Kevan:/home/bkevan:/bin/bash

getent group "Linux Users"
Linux Users:*:1100:bkevan

id -a bkevan
uid=1000(bkevan) gid=1100(Linux Users) groups=1100(Linux Users),0(root),0(root),0(root)

However, if I change the order of how I do things:
(stop sssd, clear cache, start sssd)
getent passwd bkevan
bkevan:*:1000:1100:Ben Kevan:/home/bkevan:/bin/bash

getent group "Linux Users"
Linux Users:*:1100:bkevan

getent group "SV.NorCal Linux Admins"
SV.NorCal Linux Admins:*:1101:bkevan

id -a bkevan
uid=1000(bkevan) gid=1100(Linux Users) groups=1100(Linux Users),1101(SV.NorCal Linux Admins),1030644524,1818321519

=> {{{
service sssd stop
rm cache_domain*
service sssd start

getent passwd bkevan
bkevan:*:1000:1100:Ben Kevan:/home/bkevan:/bin/bash

getent group "Linux Users"
Linux Users:*:1100:bkevan

id -a bkevan
uid=1000(bkevan) gid=1100(Linux Users) groups=1100(Linux Users),0(root),0(root),0(root)

However, if I change the order of how I do things:
(stop sssd, clear cache, start sssd)
getent passwd bkevan
bkevan:*:1000:1100:Ben Kevan:/home/bkevan:/bin/bash

getent group "Linux Users"
Linux Users:*:1100:bkevan

getent group "SV.NorCal Linux Admins"
SV.NorCal Linux Admins:*:1101:bkevan

id -a bkevan
uid=1000(bkevan) gid=1100(Linux Users) groups=1100(Linux Users),1101(SV.NorCal Linux Admins),1030644524,1818321519

}}}

Would it be possible for you to try this with SSSD 1.8.1? We've made a lot of changes to the initgroups support in 1.6, 1.7 and 1.8 and I strongly suspect that this issue no longer exists in the current code.

I can't tell from the logs what specifically is misbehaving here, unfortunately. The only noteworthy piece is this:

(Thu Apr  5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(gidNumber=6737776)(objectclass=group)(cn=*)(gidNumber=*))][dc=domain,dc=com].
(Thu Apr  5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Thu Apr  5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Thu Apr  5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Thu Apr  5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Thu Apr  5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Thu Apr  5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Thu Apr  5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Thu Apr  5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_step] (7): Requesting attrs: [uSNChanged]
(Thu Apr  5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr  5 08:34:32 2012) [sssd[be[global]]] [sdap_get_generic_done] (7): Total count [0]
(Thu Apr  5 08:34:32 2012) [sssd[be[global]]] [sdap_get_groups_process] (6): Search for groups, returned 0 results.

That's coming back to us directly from LDAP. The LDAP server is saying that a search with the filter:

(&(gidNumber=6737776)(objectclass=group)(cn=*)(gidNumber=*))

does not find a group with that ID in the base

dc=domain,dc=com

This is fixed in the current upstream releases. Upstream currently has no plans to attempt to backport these fixes, as we largely rewrote the underlying code since 1.5.x. Please recommend that your distribution upgrades to the latest LTM release (1.8.2 at the time of this writing).

resolution: => fixed
status: new => closed

Fields changed

rhbz: => 0

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2334

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.