I am currently looking at migrating my existing CentOS6 servers over to CentOS7 and am currently testing out my sssd configuration on the new build with some issues. For some reason I am unable to see any secondary groups for my user like I would expect, and the /etc/sssd.conf, /etc/nsswitch and related /etc/pam.d configurations should be the same for both my CentOS6 and 7 servers (Configuration is currently puppetized). I did see a related issue with the default setting for initgroups to be files only, but I have already adjusted my configs for that with little success. Any help is greatly appreciated! Setup Detail Authentication Server: MS 2008R2 Schema Type: ad /etc/sssd/sssd.conf [sssd] services = nss, pam, autofs config_file_version = 2 domains = example.com debug_level = 9 enumerate = false cache_credentials = true [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [autofs] ldap_autofs_search_base = CN=automount,dc=example,dc=com ## Domain Configurations [domain/example.com] debug_level = 9 id_provider = ldap access_provider = ldap auth_provider = krb5 ldap_uri = ldap://ad.example.com ldap_tls_reqcert = allow ldap_schema = rfc2307bis ldap_referrals = false ldap_disable_referrals = true ldap_force_upper_case_realm = true ldap_page_size = 4000 ldap_access_order = expire ldap_account_expire_policy = ad ldap_default_bind_dn = CN=LINUXAUTH,DC=EXAMPLE,DC=COM ldap_id_mapping = False ldap_search_base = DC=EXAMPLE,DC=COM ldap_user_search_base = DC=EXAMPLE,DC=COM?subtree?&(objectclass=user)(uidnumber=*) ldap_user_search_scope = sub ldap_user_object_class = user ldap_user_name = cn ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName ldap_user_shell = loginShell ldap_user_uid_number = uidNumber ldap_user_gid_number = gidNumber ldap_user_objectsid = objectSid ldap_user_member_of = memberOf ldap_user_gecos = cn ldap_group_search_base = DC=EXAMPLE,DC=COM?subtree?&(objectclass=group)(gidnumber=*) ldap_group_objectsid = objectSid ldap_group_member = member ldap_group_object_class = group ldap_group_uuid = objectGUID ldap_group_nesting_level = 0 krb5_auth_timeout = 5 krb5_renew_interval = 60 krb5_realm = EXAMPLE.COM krb5_server = ad.example.com ldap_krb5_init_creds = true /etc/nsswitch passwd: files sss shadow: files sss group: files sss initgroups: files sss hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: files sss publickey: nisplus automount: files sss aliases: files nisplus