[CentOS] [sssd] Not seeing Secondary Groups

Mon Jul 28 14:01:52 UTC 2014
De Vito, Carmen <Carmen.DeVito at cchmc.org>

I am currently looking at migrating my existing CentOS6 servers over to CentOS7 and am testing my sssd configuration on the new build, with some issues. For some reason I am unable to see any secondary groups for my user, as I would expect to, even though the /etc/sssd.conf, /etc/nsswitch and related /etc/pam.d configurations should be the same for both my CentOS6 and CentOS7 servers (the configuration is currently puppetized). I did see a related issue with the default setting for initgroups being files only, but I have already adjusted my configs for that, with little success. Any help is greatly appreciated!

Setup Detail

Authentication Server: MS 2008R2
Schema Type: ad

/etc/sssd/sssd.conf
# sssd.conf as posted: one AD-backed domain (example.com) served through the
# nss, pam and autofs responders, with identities taken from POSIX attributes
# stored in the directory and authentication done via Kerberos.
[sssd]
# responders to start; each has its own section below
services = nss, pam, autofs
config_file_version = 2
# domain list; the matching [domain/...] section is further down
domains = example.com
# maximum verbosity for troubleshooting; lower it once the group issue is resolved
debug_level = 9
enumerate = false
# allow logins with previously cached credentials when the server is unreachable
cache_credentials = true

[nss]
# never resolve root through the domain
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[autofs]
# NOTE(review): ldap_autofs_search_base looks like a domain-section option
# rather than an [autofs] responder option; confirm against sssd-ldap(5),
# as it may be ignored here
ldap_autofs_search_base = CN=automount,dc=example,dc=com

## Domain Configurations
[domain/example.com]
# maximum verbosity for troubleshooting; lower it once the group issue is resolved
debug_level = 9
id_provider = ldap
access_provider = ldap
auth_provider = krb5

# NOTE(review): plain ldap:// (no TLS); if the bind below uses a password
# (ldap_default_authtok, not shown in this post) it is sent in clear unless
# StartTLS is enabled (ldap_id_use_start_tls) -- confirm which applies
ldap_uri = ldap://ad.example.com
# NOTE(review): "allow" accepts a server certificate that cannot be verified;
# "demand"/"hard" enforce verification -- consider tightening once TLS is in use
ldap_tls_reqcert = allow
ldap_schema = rfc2307bis
# referral chasing off
ldap_referrals = false
# NOTE(review): ldap_disable_referrals does not look like a documented
# sssd-ldap option -- verify; ldap_referrals = false above already covers this
ldap_disable_referrals = true
ldap_force_upper_case_realm = true
# page size requested per search; presumably the server caps it lower -- confirm
ldap_page_size = 4000
# access control: deny accounts the directory reports as expired/disabled
ldap_access_order = expire
ldap_account_expire_policy = ad
# bind identity; its authtok is not part of this listing
ldap_default_bind_dn = CN=LINUXAUTH,DC=EXAMPLE,DC=COM
# use uidNumber/gidNumber from the directory instead of SID-derived ids
# (note the capitalised False; the rest of the file uses lowercase true/false)
ldap_id_mapping = False
ldap_search_base = DC=EXAMPLE,DC=COM

# base?scope?filter form: only objects carrying a uidnumber are treated as users
ldap_user_search_base = DC=EXAMPLE,DC=COM?subtree?&(objectclass=user)(uidnumber=*)
ldap_user_search_scope = sub
ldap_user_object_class = user
# cn is used as the login name (note: not sAMAccountName) -- presumably intended
ldap_user_name = cn
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_objectsid = objectSid
# attribute consulted for the user's group memberships (rfc2307bis)
ldap_user_member_of = memberOf
ldap_user_gecos = cn

# base?scope?filter form: only objects carrying a gidnumber are treated as groups
ldap_group_search_base = DC=EXAMPLE,DC=COM?subtree?&(objectclass=group)(gidnumber=*)
ldap_group_objectsid = objectSid
ldap_group_member = member
ldap_group_object_class = group
ldap_group_uuid = objectGUID
# NOTE(review): 0 means nested groups are not expanded, so only direct
# memberships resolve; confirm this is intended given the missing
# secondary-groups symptom
ldap_group_nesting_level = 0

krb5_auth_timeout = 5
# presumably seconds between ticket-renewal checks -- confirm
krb5_renew_interval = 60
krb5_realm = EXAMPLE.COM
krb5_server = ad.example.com
# NOTE(review): only relevant when the LDAP bind uses SASL/GSSAPI
# (ldap_sasl_mech, not shown here) -- confirm
ldap_krb5_init_creds = true


/etc/nsswitch

# nsswitch.conf as posted: local files first, then sssd (sss) for the
# user, group, netgroup and automount databases.
passwd:     files sss
shadow:     files sss
group:      files sss
# sss must be listed here for supplementary groups to come from sssd;
# the post notes the platform default listed files only
initgroups: files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus