Unable to see secondary groups in `id` listing

Bug #1317949 reported by Robin McCorkell on 2014-05-09
This bug affects 7 people
Affects: sssd (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

When using SSSD 1.11.5 on Ubuntu 14.04, configured with the LDAP backend, running `id <username>` only shows the primary group, along with any secondary group that has been pre-cached (for example by running `getent group <group>` beforehand). After the user details have been seen by SSSD, they remain without showing secondary groups even if the groups are queried with `getent`.

With SSSD 1.9.5 (from a PPA on Ubuntu 12.04) secondary groups are shown just fine with `id`.

I am using the LDAP backend to point at a Samba 4 server running as an Active Directory domain controller. My sssd.conf is attached.

Jakub Hrozek (jakub-hrozek) wrote :

Hi,

I'm sorry about the problem you hit, however, I need some more information to diagnose the problem.

First, I wonder if using the AD back end would suit your setup better since you seem to be using AD on the server side. Check out some introduction to the AD provider here:
https://jhrozek.livejournal.com/2801.html
https://jhrozek.livejournal.com/3019.html

But even with the LDAP back end, the secondary groups should be visible, especially since they were visible with the old version. Can you put "debug_level=8" into the [domain] and [nss] section of your sssd.conf, stop the SSSD, remove caches to start from a clean defined state (rm -f /var/lib/sss/db/cache* /var/lib/sss/mc/*), start the SSSD again and run both "id -G user" and then "id user". Would the run with '-G' show the correct groups?

Can you attach /var/log/sssd/*.log after the test?

Robin McCorkell (xenopathic) wrote :

Apologies for the late reply, but in the meantime I have indeed switched to the AD backend. It seems to be working alright, although I'm still trying to get dynamic DNS updates to work...

I performed the tests you wanted, with the results as attached. Note that the users 'ismith', 'amay', and 'hford' are part of groups 'itadmin', 'tech', 'officestaff' and 'staff'.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu):
status: New → Confirmed

Any updates here? Ran into the same problem (sssd 1.11.5-1ubuntu3 trusty).

The secondary groups are missing with an "id <user>", while "getent group <secondary_group>" shows the correct information. Please fix this since it's not possible to set any secondary group in directive "simple_allow_groups" in sssd.conf.

If you need any logs please let me know.
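
The mismatch described in this report (`getent group` lists the user as a member while `id` omits the group) can be checked for directly. The following is an added example, not part of the bug report or of SSSD; it compares the two views through Python's standard `pwd`, `grp` and `os.getgrouplist` calls. The numeric IDs, the group memberships and the `demo` helper are constructed for illustration.

```python
import grp
import os
import pwd
from collections import namedtuple


def groups_missing_from_id(user, groups, getpwnam=pwd.getpwnam,
                           getgrouplist=os.getgrouplist, getgrnam=grp.getgrnam):
    """Return names in `groups` that list `user` as a member (the
    `getent group` view) but are absent from the initgroups result
    (the `id <user>` view)."""
    seen = set(getgrouplist(user, getpwnam(user).pw_gid))
    missing = []
    for name in groups:
        try:
            entry = getgrnam(name)
        except KeyError:
            continue  # group does not resolve at all: a different failure
        if user in entry.gr_mem and entry.gr_gid not in seen:
            missing.append(name)
    return missing


# Constructed stand-ins for NSS so the check runs offline. User and group
# names come from the report; every numeric ID and membership is made up.
Pw = namedtuple("Pw", "pw_name pw_gid")
Gr = namedtuple("Gr", "gr_name gr_gid gr_mem")
MEMBERS = ["ismith", "amay", "hford"]
FAKE_GROUPS = {
    "staff": Gr("staff", 10001, MEMBERS),
    "itadmin": Gr("itadmin", 10002, MEMBERS),
    "tech": Gr("tech", 10003, MEMBERS),
}


def demo(initgroups_gids):
    """Run the check for 'ismith' against the constructed data."""
    return groups_missing_from_id(
        "ismith", ["staff", "itadmin", "tech", "nosuchgroup"],
        getpwnam=lambda u: Pw(u, 10000),
        getgrouplist=lambda u, gid: [gid] + initgroups_gids,
        getgrnam=FAKE_GROUPS.__getitem__,
    )


if __name__ == "__main__":
    print(demo([10002]))                # only a pre-cached group is visible
    print(demo([10001, 10002, 10003]))  # both views agree
```

On a real host, call `groups_missing_from_id(user, groups)` with the defaults and pass the groups named in `simple_allow_groups`; a non-empty result means the two views disagree for that user.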

Changed in sssd (Ubuntu):
status: Confirmed → Invalid
status: Invalid → Confirmed
tags: added: trusty
information type: Public → Public Security
information type: Public Security → Private Security
information type: Private Security → Public