Unable to see secondary groups in `id` listing

Bug #1317949 reported by Robin McCorkell
This bug affects 7 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| sssd (Ubuntu) | Confirmed | Undecided | Unassigned | |

Bug Description

When using SSSD 1.11.5 on Ubuntu 14.04, configured with the LDAP backend, running `id <username>` only shows the primary group, along with any secondary group that has been pre-cached (for example by running `getent group <group>` beforehand). After the user details have been seen by SSSD, they remain without showing secondary groups even if the groups are queried with `getent`.

With SSSD 1.9.5 (from a PPA on Ubuntu 12.04) secondary groups are shown just fine with `id`.

I am using the LDAP backend to point at a Samba 4 server running as an Active Directory domain controller. My sssd.conf is attached.

Tags: trusty
Jakub Hrozek (jakub-hrozek) wrote :

Hi,

I'm sorry about the problem you hit, however, I need some more information to diagnose the problem.

First, I wonder if using the AD back end would suit your setup better since you seem to be using AD on the server side. Check out some introduction to the AD provider here:
https://jhrozek.livejournal.com/2801.html
https://jhrozek.livejournal.com/3019.html

But even with the LDAP back end, the secondary groups should be visible, especially since they were visible with the old version. Can you put "debug_level=8" into the [domain] and [nss] sections of your sssd.conf, stop the SSSD, remove caches to start from a clean defined state (rm -f /var/lib/sss/db/cache* /var/lib/sss/mc/*), start the SSSD again and run both "id -G user" and then "id user". Would the run with '-G' show the correct groups?

Can you attach /var/log/sssd/*.log after the test?

Robin McCorkell (xenopathic) wrote :

Apologies for the late reply, but in the meantime I have indeed switched to the AD backend. It seems to be working alright, although I'm still trying to get dynamic DNS updates to work...

I performed the tests you wanted, with the results as attached. Note that the users 'ismith', 'amay', and 'hford' are part of groups 'itadmin', 'tech', 'officestaff' and 'staff'.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu):
status: New → Confirmed
Michael Gradwohl (michael-gradwohl) wrote :

Any updates here? Ran into the same problem (sssd 1.11.5-1ubuntu3 trusty).

The secondary groups are missing with an "id <user>", while "getent group <secondary_group>" shows the correct information. Please fix this, since it's not possible to set any secondary group in the directive "simple_allow_groups" in sssd.conf.

If you need any logs please let me know.

Changed in sssd (Ubuntu):
status: Confirmed → Invalid
status: Invalid → Confirmed
tags: added: trusty
information type: Public → Public Security
information type: Public Security → Private Security
information type: Private Security → Public
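
One way to check for the symptom discussed in this thread before relying on `simple_allow_groups`, as an added example that is not part of the original report: it compares the numeric GIDs returned by `id -G` with the member lists returned by `getent group` and reports groups that list the user but are absent from the `id` result. The function names and the sample GIDs are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the bug report. GIDs below are constructed.

# missing_groups USER ID_GIDS GETENT_LINES
#   ID_GIDS      output of `id -G USER` (numeric GIDs; group names may contain spaces)
#   GETENT_LINES output of `getent group GROUP...` (name:passwd:gid:member,member)
# Prints each group that lists USER as a member but whose GID is not in ID_GIDS.
missing_groups() {
    local user="$1" id_gids="$2" getent_lines="$3"
    local name _pw gid members
    while IFS=: read -r name _pw gid members; do
        [ -n "$name" ] || continue
        case ",$members," in          # exact member match, not a substring
            *",$user,"*) ;;
            *) continue ;;
        esac
        case " $id_gids " in          # exact GID match
            *" $gid "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done <<EOF
$getent_lines
EOF
    return 0
}

# check_user USER GROUP...: same comparison against the live NSS stack.
check_user() {
    local user="$1"; shift
    missing_groups "$user" "$(id -G "$user")" "$(getent group "$@")"
}

# Constructed sample mirroring the report: the primary group (20000) and one
# pre-cached secondary group (staff) are returned by id, the rest are not.
SAMPLE_GETENT='itadmin:*:20001:ismith,amay,hford
tech:*:20002:ismith,amay,hford
officestaff:*:20003:ismith,amay,hford
staff:*:20004:ismith,amay,hford'
SAMPLE_ID_GIDS='20000 20004'

if [ "$#" -ge 2 ]; then
    check_user "$@"      # e.g. ./script ismith itadmin tech officestaff staff
else
    missing_groups ismith "$SAMPLE_ID_GIDS" "$SAMPLE_GETENT"
fi
```

Any group printed for a user is one that an access rule based on secondary groups would not see for that user while the symptom is present.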