Not Seeing Secondary Groups


I am currently looking at migrating my existing CentOS 6 servers over to CentOS 7 and am testing my sssd configuration on the new build, with some issues. For some reason I am unable to see any secondary groups for my user like I would expect, and the /etc/sssd.conf, /etc/nsswitch and related /etc/pam.d configurations should be the same for both my CentOS 6 and 7 servers (the configuration is currently puppetized). I did see a related issue with the default setting for initgroups being files only, but I have already adjusted my configs for that with little success. Any help is greatly appreciated!

Setup Detail

Authentication Server: MS 2008R2
Schema Type: ad

/etc/sssd/sssd.conf
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = example.com
debug_level = 9
enumerate = false
cache_credentials = true

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[autofs]
ldap_autofs_search_base = CN=automount,dc=example,dc=com

## Domain Configurations
[domain/example.com]
debug_level = 9
id_provider = ldap
access_provider = ldap
auth_provider = krb5

ldap_uri = ldap://ad.example.com
ldap_tls_reqcert = allow
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_disable_referrals = true
ldap_force_upper_case_realm = true
ldap_page_size = 4000
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_default_bind_dn = CN=LINUXAUTH,DC=EXAMPLE,DC=COM
ldap_id_mapping = False
ldap_search_base = DC=EXAMPLE,DC=COM

ldap_user_search_base = DC=EXAMPLE,DC=COM?subtree?&(objectclass=user)(uidnumber=*)
ldap_user_search_scope = sub
ldap_user_object_class = user
ldap_user_name = cn
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_objectsid = objectSid
ldap_user_member_of = memberOf
ldap_user_gecos = cn

ldap_group_search_base = DC=EXAMPLE,DC=COM?subtree?&(objectclass=group)(gidnumber=*)
ldap_group_objectsid = objectSid
ldap_group_member = member
ldap_group_object_class = group
ldap_group_uuid = objectGUID
ldap_group_nesting_level = 0

krb5_auth_timeout = 5
krb5_renew_interval = 60
krb5_realm = EXAMPLE.COM
krb5_server = ad.example.com
ldap_krb5_init_creds = true

/etc/nsswitch

passwd:     files sss
shadow:     files sss
group:      files sss
initgroups: files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
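The script below is an added example, not part of the post above and not anything the poster ran. It lints the two files that decide whether supplementary groups are resolved: it checks that the passwd, group and initgroups databases in nsswitch.conf all consult sss (the stock CentOS 7 file ships initgroups: files, which answers id(1) from /etc/group alone), and it flags two sssd settings from the posted domain section that can hide groups with ldap_schema = rfc2307bis against AD: a group search filter on gidnumber=* (groups without a POSIX gid are never returned, so they cannot appear as secondary groups) and ldap_group_nesting_level = 0 (membership through nested groups is not expanded). The sample files are constructed inline from the values in the post so the script runs offline; the file names, function names and the choice of checks are assumptions, and the warnings are common causes to rule out, not a diagnosis of this particular setup.

```shell
#!/bin/bash
# Added example (not from the post): lint nsswitch.conf and sssd.conf for the
# settings that govern supplementary-group lookup. Sample files are constructed
# below; on a real host pass /etc/nsswitch.conf and /etc/sssd/sssd.conf instead.

# Print the lookup sources for one nsswitch database, e.g. "files sss".
nss_sources() {  # $1 = nsswitch.conf path, $2 = database name
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print one key's value from a [section] of the ini-style sssd.conf.
sssd_get() {  # $1 = sssd.conf path, $2 = section name, $3 = key
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }' "$1"
}

# Succeed only if passwd, group and initgroups all consult sss. With
# "initgroups: files" (the CentOS 7 default) id(1) and initgroups(3) are
# answered from /etc/group alone, so every LDAP/AD group disappears.
nss_groups_ok() {  # $1 = nsswitch.conf path
    local db
    for db in passwd group initgroups; do
        case " $(nss_sources "$1" "$db") " in
            *" sss "*) ;;
            *) echo "nsswitch: '$db' does not consult sss" >&2; return 1 ;;
        esac
    done
    return 0
}

# Print one line per sssd domain setting that can hide secondary groups when
# id_provider = ldap and ldap_schema = rfc2307bis are used against AD.
sssd_group_warnings() {  # $1 = sssd.conf path, $2 = domain name
    local v
    v=$(sssd_get "$1" "domain/$2" ldap_group_search_base)
    case "$v" in
        *[gG]id[nN]umber=\**)
            echo "ldap_group_search_base filters on gidNumber: AD groups without a POSIX gid are never returned" ;;
    esac
    v=$(sssd_get "$1" "domain/$2" ldap_group_nesting_level)
    if [ "$v" = "0" ]; then
        echo "ldap_group_nesting_level = 0: membership through nested groups is not expanded"
    fi
}

# Constructed sample: the nsswitch lines from the post.
NSS_CONF=$(mktemp)
cat >"$NSS_CONF" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
initgroups: files sss
hosts:      files dns
EOF

# Constructed contrast: the same file with the stock CentOS 7 initgroups line.
NSS_CONF_DEFAULT=$(mktemp)
sed 's/^initgroups:.*/initgroups: files/' "$NSS_CONF" >"$NSS_CONF_DEFAULT"

# Constructed sample: the group-related lines from the posted domain section.
SSSD_CONF=$(mktemp)
cat >"$SSSD_CONF" <<'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_group_search_base = DC=EXAMPLE,DC=COM?subtree?&(objectclass=group)(gidnumber=*)
ldap_group_nesting_level = 0
EOF

nss_groups_ok "$NSS_CONF" && echo "nsswitch.conf: passwd, group and initgroups all consult sss"
nss_groups_ok "$NSS_CONF_DEFAULT" || echo "stock CentOS 7 nsswitch.conf would hide all AD groups"
sssd_group_warnings "$SSSD_CONF" example.com
```

On a live host the same two functions can be pointed at the real files; after changing either file, run `sss_cache -E` and restart sssd before re-checking with `id <user>`, because cached entries keep the old membership.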