Have you tried different settings for ldap_schema (should be easy to test)?
http://linux.die.net/man/5/sssd-ldap

Dan

On Jul 16, 2016, at 4:19 PM, Peter Pakos <pe...@pakos.uk> wrote:

Hi,

I'm about to move our FreeIPA platform into production on Monday but I've just noticed a worrying issue with sssd - getent group is not showing group members and id is not showing secondary groups.

Currently all our servers are configured with sssd using our old LDAP (389-ds) as a backend. It works great, id shows all my secondary groups:

    # id peter.pakos
    uid=1396(peter.pakos) gid=511(Engineering) groups=511(Engineering),718(DevOps),701(SSHAllow)

After re-configuring sssd to use FreeIPA's LDAP directory, id is only showing primary group, the secondary groups are missing:

    # id peter.pakos
    uid=1396(peter.pakos) gid=511(engineering) groups=511(engineering)

Similarly, getent is not showing group members:

    # getent group engineering
    engineering:*:511:

Environment:

    # cat /etc/redhat-release
    CentOS Linux release 7.2.1511 (Core)
    # ipa --version
    VERSION: 4.2.0, API_VERSION: 2.156

This is an example sssd.conf file I'm using in my tests:

    [domain/ipa.wandisco.com]
    ldap_tls_reqcert = demand
    ldap_id_use_start_tls = True
    cache_credentials = True
    ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
    ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
    ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com, ldaps://ashb01.ipa.wandisco.com, ldaps://ashb02.ipa.wandisco.com, ldaps://frem01.ipa.wandisco.com
    ldap_tls_cacert = /etc/ipa/ca.crt

    [sssd]
    services = nss, pam
    config_file_version = 2
    domains = ipa.wandisco.com

    [nss]

    [pam]

    [sudo]

    [autofs]

    [ssh]

Am I missing anything in the sssd configuration?

Any advice would be greatly appreciated.

--
Kind regards,
Peter Pakos

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
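
An added example (not part of the thread and not SSSD's own code) modelling what the ldap_schema setting changes: per sssd-ldap(5), rfc2307 reads member login names from memberUid, while rfc2307bis and IPA read member DNs from member. The directory entries, the example.test base and the user alice are constructed, and DN handling is simplified to taking the first RDN.

```python
# Constructed sample entries (not taken from the thread's directory).
# A FreeIPA-style group lists members by DN in "member"; an RFC 2307
# group lists bare login names in "memberUid".
BASE = "cn=accounts,dc=example,dc=test"
USER_DN = f"uid=alice,cn=users,{BASE}"

GROUPS = [
    {"cn": "engineering", "gidNumber": 511, "member": [USER_DN]},
    {"cn": "devops", "gidNumber": 718, "member": [USER_DN]},
    {"cn": "legacy", "gidNumber": 900, "memberUid": ["alice"]},
]

# Membership attribute that sssd-ldap(5) documents for each schema value.
SCHEMA_MEMBER_ATTR = {"rfc2307": "memberUid", "rfc2307bis": "member", "ipa": "member"}


def rdn_value(dn):
    """Return the first RDN's value ('uid=alice,...' -> 'alice').

    Simplification for this example: ignores escaped commas, and a real
    client resolves the DN with a lookup instead of parsing it.
    """
    return dn.split(",", 1)[0].split("=", 1)[1]


def group_members(group, schema):
    """Login names a client would report for this group under `schema`."""
    attr = SCHEMA_MEMBER_ATTR[schema.lower()]
    values = group.get(attr, [])
    if attr == "member":
        return [rdn_value(dn) for dn in values]  # DN -> login name
    return list(values)  # memberUid already holds login names


def supplementary_groups(login, schema):
    """Names of the groups that list `login` as a member under `schema`."""
    return sorted(g["cn"] for g in GROUPS if login in group_members(g, schema))


def getent_line(group, schema):
    """Format the group the way `getent group` prints it."""
    members = ",".join(group_members(group, schema))
    return f'{group["cn"]}:*:{group["gidNumber"]}:{members}'


if __name__ == "__main__":
    for schema in ("rfc2307", "rfc2307bis"):
        print(schema, supplementary_groups("alice", schema))
        print("  ", getent_line(GROUPS[0], schema))
```

Groups that gate access, such as an SSH allow group, silently drop out of a user's membership when the client reads the wrong attribute, so compare `id` output before and after any schema change.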