Package: sssd
Version: 1.11.7-3

Discovered an issue with NSS group resolution. With a clean sssd cache the other group IDs are not recognized. After running getent group <ldap-group> and logging in to the system again, the groups are shown/available. There are some bug reports which should be resolved already.

https://bugzilla.redhat.com/show_bug.cgi?id=1154042

This is what it looks like:

user1.ipa@server:~$ id
uid=73800020(user1.ipa) gid=73800020(user1.ipa) groups=73800020(user1.ipa)
user1.ipa@server:~$ getent group group.ipa
group.ipa:*:73800017:user1.ipa,user2.ipa
user1.ipa@server:~$ logout
Connection to x.y.z.10 closed.
user1.ipa@jump:~$ ssh server
user1.ipa@server's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Nov 27 15:33:31 2015 from jump
user1.ipa@server:~$ id
uid=73800020(user1.ipa) gid=73800020(user1.ipa) groups=73800020(user1.ipa),73800017(group.ipa)

--
Peter Viskup
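A check for the symptom shown in the report above, as an added example that is not part of the original report or of sssd: it compares the supplementary groups printed by `id` with the groups whose `getent group` member list names the same user, and returns the ones the session is missing. The function names are hypothetical; the sample strings are copied from the session in the report.

```python
import re

# Sample input copied from the session in the report.
ID_CLEAN_CACHE = "uid=73800020(user1.ipa) gid=73800020(user1.ipa) groups=73800020(user1.ipa)"
ID_AFTER_RELOGIN = ("uid=73800020(user1.ipa) gid=73800020(user1.ipa) "
                    "groups=73800020(user1.ipa),73800017(group.ipa)")
GETENT_LINES = ["group.ipa:*:73800017:user1.ipa,user2.ipa"]


def parse_id(output):
    """Return (user, {gid: name}) from one line of `id` output."""
    user = re.search(r"uid=\d+\(([^)]+)\)", output)
    if not user or "groups=" not in output:
        raise ValueError("not `id` output: %r" % output)
    # Everything after "groups=" is a comma-separated list of gid(name).
    group_field = output.split("groups=", 1)[1]
    groups = {int(gid): name
              for gid, name in re.findall(r"(\d+)\(([^)]*)\)", group_field)}
    return user.group(1), groups


def parse_getent_group(line):
    """Return (name, gid, members) from one `getent group` line."""
    name, _password, gid, members = line.strip().split(":", 3)
    return name, int(gid), [m for m in members.split(",") if m]


def missing_groups(id_output, getent_lines):
    """Groups that list the user as a member but are absent from `id`."""
    user, resolved = parse_id(id_output)
    missing = []
    for line in getent_lines:
        if not line.strip():
            continue
        name, gid, members = parse_getent_group(line)
        if user in members and gid not in resolved:
            missing.append((gid, name))
    return sorted(missing)


if __name__ == "__main__":
    print("clean cache:  ", missing_groups(ID_CLEAN_CACHE, GETENT_LINES))
    print("after relogin:", missing_groups(ID_AFTER_RELOGIN, GETENT_LINES))
```

On a live host the two inputs would come from `id <user>` and `getent group <group>` run in the same session; a non-empty result means the session's group list does not match what the group lookup returns.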