I'd appreciate some guidance on debugging this problem. At least on RHEL7, with sssd-1.13.0-40.el7_2.1, we've noticed that the ad backend doesn't always expand nested AD groups properly.
For example, we have group_1 with 5 members and group_2 with 7 members. One user is in both groups. The group_all group has two members: group_1 and group_2. But if I do "getent group group_all", sometimes only 10 members are displayed, not 11. And the missing member is always the same user: me. If I stop sssd, delete the cache files, and restart sssd, then "getent group group_all" properly returns all 11 members. For now, I've turned on full debugging (0xffff) for the domain. I'm hoping that if I can catch the incorrect group expansion, the logs will show me why the expansion is incorrect. Is there anything else I should be looking at to debug this problem? Thanks! P.S.: I don't know if it's related, but I noticed that "getent group 'domain users'" no longer lists every single user as a member of the 'domain users' group. Was this a change for 1.13? Or is this another problem? _______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/admin/lists/[email protected]
