I am currently looking at migrating my existing CentOS6 servers over to CentOS7,
and I am testing out my sssd configuration on the new build, where I am running
into some issues. For some reason I am unable to see any secondary groups for my
user as I would expect, even though the /etc/sssd.conf, /etc/nsswitch and related
/etc/pam.d configurations should be the same for both my CentOS6 and CentOS7
servers (the configuration is currently puppetized). I did see a related issue
with the default initgroups setting being files only, but I have already adjusted
my configs for that with little success. Any help is greatly appreciated!
Setup Detail
Authentication Server: MS 2008R2
Schema Type: ad
/etc/sssd/sssd.conf
# sssd.conf as posted; reviewer notes added as comments, values left unchanged.
[sssd]
# nss + pam + autofs responders; nsswitch below lists sss for passwd/group/
# initgroups/netgroup/automount, which matches this set.
services = nss, pam, autofs
config_file_version = 2
domains = example.com
# NOTE(review): level 9 is the most verbose setting; sssd logs at this level
# will record user and group names from every lookup - confirm it is lowered
# once the migration issue is resolved.
debug_level = 9
enumerate = false
# Cached hashes allow offline login; they are only as protected as the sssd
# cache directory's permissions.
cache_credentials = true
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[autofs]
ldap_autofs_search_base = CN=automount,dc=example,dc=com
## Domain Configurations
[domain/example.com]
debug_level = 9
# AD is addressed through the generic LDAP id/access provider with Kerberos
# for auth, rather than id_provider = ad.
id_provider = ldap
access_provider = ldap
auth_provider = krb5
# NOTE(review): the URI is plain ldap:// and no ldap_id_use_start_tls is set
# here, so ldap_tls_reqcert has no TLS session to apply to. With
# ldap_default_bind_dn set below and no ldap_sasl_mech shown, a simple bind
# would carry the bind credential in cleartext - confirm whether STARTTLS,
# ldaps://, or GSSAPI is intended. If TLS is enabled later, "allow" skips
# certificate verification, which leaves the connection open to interception;
# "demand" with a trusted CA is the safer value.
ldap_uri = ldap://ad.example.com
ldap_tls_reqcert = allow
# rfc2307bis is the schema that supports member/nested-group resolution.
ldap_schema = rfc2307bis
# Two referral-related settings are present; ldap_referrals is the documented
# one - confirm the second is recognised by the sssd version on CentOS7.
ldap_referrals = false
ldap_disable_referrals = true
ldap_force_upper_case_realm = true
ldap_page_size = 4000
# Access control: only the AD expiry/disabled check is evaluated; no LDAP
# access filter is configured - confirm that is intended for these hosts.
ldap_access_order = expire
ldap_account_expire_policy = ad
# The matching ldap_default_authtok is not shown on this page; with a simple
# bind that secret is the one exposed by the plain ldap:// URI above.
ldap_default_bind_dn = CN=LINUXAUTH,DC=EXAMPLE,DC=COM
# POSIX ids come from uidNumber/gidNumber in the directory, not from
# objectSid; consistent with the uidnumber=*/gidnumber=* filters below.
ldap_id_mapping = False
ldap_search_base = DC=EXAMPLE,DC=COM
# NOTE(review): the value appears on the next line here; if the deployed file
# really wraps like this, the parser would see an empty search base - confirm
# this is only display wrapping (same for ldap_group_search_base).
ldap_user_search_base =
DC=EXAMPLE,DC=COM?subtree?&(objectclass=user)(uidnumber=*)
ldap_user_search_scope = sub
ldap_user_object_class = user
ldap_user_name = cn
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_objectsid = objectSid
ldap_user_member_of = memberOf
ldap_user_gecos = cn
ldap_group_search_base =
DC=EXAMPLE,DC=COM?subtree?&(objectclass=group)(gidnumber=*)
ldap_group_objectsid = objectSid
ldap_group_member = member
ldap_group_object_class = group
ldap_group_uuid = objectGUID
# NOTE(review): as I read the sssd-ldap defaults, 0 stops sssd from following
# nested membership at all, so only direct member/memberOf links are returned.
# For the missing-secondary-groups symptom, confirm this value matches the
# CentOS6 config rather than the documented default.
ldap_group_nesting_level = 0
krb5_auth_timeout = 5
krb5_renew_interval = 60
krb5_realm = EXAMPLE.COM
krb5_server = ad.example.com
ldap_krb5_init_creds = true
/etc/nsswitch
# nsswitch as posted; reviewer notes added as comments, entries unchanged.
passwd: files sss
shadow: files sss
group: files sss
# sss is already listed for initgroups, which is the change the author
# describes making from the files-only default.
initgroups: files sss
hosts: files dns
# bootparams/publickey/aliases still consult nisplus; these look like stock
# defaults and are harmless unless NIS+ is expected to answer - confirm.
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
# netgroup and automount via sss match the nss and autofs responders enabled
# in sssd.conf.
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus