[Freeipa-users] SSSD with LDAP not showing secondary groups

Peter Pakos peter at pakos.uk
Sat Jul 16 21:19:13 UTC 2016


Hi,

I'm about to move our FreeIPA platform into production on Monday but I've
just noticed a worrying issue with sssd - getent group is not showing group
members and id is not showing secondary groups.

Currently all our servers are configured with sssd using our old LDAP
(389-ds) as a backend. It works great, id shows all my secondary groups:

# id peter.pakos
uid=1396(peter.pakos) gid=511(Engineering)
groups=511(Engineering),718(DevOps),701(SSHAllow)

After re-configuring sssd to use FreeIPA's LDAP directory, id is only
showing the primary group; the secondary groups are missing:

# id peter.pakos
uid=1396(peter.pakos) gid=511(engineering) groups=511(engineering)

Similarly, getent is not showing group members:

# getent group engineering
engineering:*:511:

Environment:

# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

This is an example sssd.conf file I'm using in my tests:

[domain/ipa.wandisco.com]
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com, ldaps://ashb01.ipa.wandisco.com, ldaps://ashb02.ipa.wandisco.com, ldaps://frem01.ipa.wandisco.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.wandisco.com

[nss]

[pam]

[sudo]

[autofs]

[ssh]

Am I missing anything in the sssd configuration?

Any advice would be greatly appreciated.

-- 
Kind regards,
 Peter Pakos
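The symptom in the post (primary group present, secondary groups and `getent` members empty) is what you see when SSSD reads the wrong membership attribute. The configuration above sets `id_provider = ldap` without an `ldap_schema`, so SSSD falls back to its default `rfc2307` schema and looks for `memberUid` on each group, while FreeIPA stores membership in the DN-valued `member` attribute (its groups are `posixGroup` plus `groupOfNames`). The example below is added here and is not part of the thread; it assumes that mismatch is the cause, which the post itself does not confirm. It parses a constructed sssd.conf shaped like the one above, reports the effective schema, and replays group resolution against constructed FreeIPA-style entries under both schemas so the difference in `id` output is visible. The domain, DNs and entries are made up for the example; the attribute-per-schema table follows sssd-ldap(5).

```python
import configparser

# Constructed sssd.conf mirroring the post's shape: id_provider = ldap, no ldap_schema.
SSSD_CONF = """
[domain/example.test]
id_provider = ldap
auth_provider = ldap
ldap_search_base = cn=accounts,dc=example,dc=test
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=test
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=test

[sssd]
services = nss, pam
config_file_version = 2
domains = example.test
"""

# Constructed directory entries in FreeIPA's shape: groups carry a DN-valued
# "member" attribute and no "memberUid".
PETER_DN = "uid=peter.pakos,cn=users,cn=accounts,dc=example,dc=test"
USERS = {
    PETER_DN: {"uid": "peter.pakos", "uidNumber": 1396, "gidNumber": 511},
}
ENG_DN = "cn=engineering,cn=groups,cn=accounts,dc=example,dc=test"
GROUPS = {
    ENG_DN: {"cn": "engineering", "gidNumber": 511, "member": [PETER_DN]},
    "cn=devops,cn=groups,cn=accounts,dc=example,dc=test":
        {"cn": "devops", "gidNumber": 718, "member": [PETER_DN]},
    "cn=sshallow,cn=groups,cn=accounts,dc=example,dc=test":
        {"cn": "sshallow", "gidNumber": 701, "member": [PETER_DN]},
}

# Default ldap_group_member per ldap_schema value, as documented in sssd-ldap(5).
MEMBER_ATTR = {"rfc2307": "memberUid", "rfc2307bis": "member", "ipa": "member", "ad": "member"}


def parse_sssd_conf(text):
    """Parse sssd.conf text; sections look like [domain/<name>], [sssd], [nss]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective_schema(conf, domain):
    """ldap_schema SSSD will use for the domain; rfc2307 when the option is absent."""
    return conf.get(f"domain/{domain}", "ldap_schema", fallback="rfc2307").lower()


def check_domain(conf, domain):
    """Return findings a reviewer would raise for an LDAP-backed FreeIPA domain."""
    section = f"domain/{domain}"
    findings = []
    if conf.get(section, "id_provider", fallback="") == "ldap" and \
            not conf.has_option(section, "ldap_schema"):
        findings.append("ldap_schema not set: default rfc2307 reads memberUid, "
                        "FreeIPA groups publish member (set ldap_schema = ipa, "
                        "or use id_provider = ipa)")
    return findings


def group_members(group_entry, schema):
    """Member uids SSSD would list for `getent group` under the given schema."""
    attr = MEMBER_ATTR[schema]
    values = group_entry.get(attr, [])
    if attr == "memberUid":
        return sorted(values)          # rfc2307: values are already uids
    # DN-valued membership: map each member DN back to a known user's uid
    return sorted(USERS[dn]["uid"] for dn in values if dn in USERS)


def id_groups(uid, schema):
    """GIDs `id` would print: primary gid plus every group that lists the user."""
    user = next(u for u in USERS.values() if u["uid"] == uid)
    gids = {user["gidNumber"]}
    for group in GROUPS.values():
        if uid in group_members(group, schema):
            gids.add(group["gidNumber"])
    return sorted(gids)


if __name__ == "__main__":
    conf = parse_sssd_conf(SSSD_CONF)
    schema = effective_schema(conf, "example.test")
    print("effective ldap_schema:", schema)
    for finding in check_domain(conf, "example.test"):
        print("finding:", finding)
    for s in ("rfc2307", "ipa"):
        print(f"{s:10} id peter.pakos ->", id_groups("peter.pakos", s),
              "| getent group engineering ->", group_members(GROUPS[ENG_DN], s))
```

Running it shows the post's two outputs side by side: under `rfc2307` the engineering group resolves with no members and `id` returns only gid 511, while under `ipa` the same entries yield all three GIDs. On a real client the quickest confirmation is `ldapsearch` against the IPA server for the group entry and checking which of `member` or `memberUid` it actually carries.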