On Sun, Dec 8, 2024 at 4:34 AM Sumit Bose <sb...@redhat.com> wrote:
>
> On Thu, Dec 05, 2024 at 03:58:48PM -0800, Bob Green via sssd-devel wrote:
> > sssd correctly identifies that an account is a member of a large 1501+
> > member AD group via "id <account>".  However getent group
> > <1501+_member_group> does not list the account.  Only the first 1500
> > members are displayed. Is this a limitation of getent group? Or is
> > there a way to configure sssd to display all group members via getent
> > group <group>?
>
> Hi,
>
> this is most probably a limit set on the AD side, see e.g.
> https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/view-set-ldap-policy-using-ntdsutil.

Thank you for providing the article.  Per the previous suggestion I
tested on a SLESsp5 system with the SuSE built
sssd-2.5.2-150400.4.27.1.x86_64 package. This version of sssd returns
full group membership via "getent group <large_group>".  So I assume
the issue is not with AD MaxValRange (though I will confirm with the
AD team).  It looks like the issue is with the SuSE long term
maintained 1.16.1 sssd client.  I will take the issue up with them.

Thanks again for developing this software.
Bob