On Fri, Mar 29, 2019 at 9:25 AM Hans Schou <h...@miracle.dk> wrote:
> "getent group <name>" does not give any output at all.
> However "getent passwd" looks correctly up in the AD:
>
> $ getent passwd zmir2
> zmir2:*:2956636:100:Hans Schou:/home/zmir2:/bin/bash
> $ grep -c ^zmir2 /etc/passwd
> 0
>
> nsswitch looks fine:
> $ egrep "^(group|passwd)" /etc/nsswitch.conf
> passwd: files sss
> group: files sss
>
> …
>
> # cat /etc/sssd/sssd.conf
> [sssd]
> domains = foo.org
> config_file_version = 2
> services = nss, pam
> [domain/foo.org]
> ad_domain = foo.org
> krb5_realm = FOO.ORG
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> use_fully_qualified_names = False
> fallback_homedir = /home/%u
> access_provider = ad
>
> All on Red Hat 7.6.
>
> The goal is to use an AD group in a samba share but it obviously
> does not lookup groups in the AD, only specific users.

Two things to check:

1. You are setting ldap_id_mapping = False, so that means sssd will only map groups that have the gidNumber attribute. If there is no gidNumber attribute on the group, sssd ignores it.
2. sssd maps only security groups (universal, domain local, global).

In terms of #2, here are the AD group types, with an asterisk next to the ones that sssd maps:

* groupType: -2147483646 (global security group)
* groupType: -2147483644 (domain local security group)
  groupType: -2147483643 (builtin group)
* groupType: -2147483640 (universal security group)
  groupType: 2 (global distribution group)
  groupType: 4 (local distribution group)
  groupType: 8 (universal distribution group)

If you want sssd to map a universal distribution group, you will need to change it to be a mail-enabled universal security group instead.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
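
The two checks from the reply above, as an added example that is not part of the original thread and is not sssd code: it decodes the groupType flags and reports why a group would not resolve. It assumes LDIF input carrying the groupType and gidNumber attributes of each group; the function names and the sample entries are hypothetical.

```python
# Added example; function names are hypothetical, not part of sssd.
SECURITY_ENABLED = 0x80000000
BUILTIN = 0x00000001
SCOPES = {0x2: "global", 0x4: "domain local", 0x8: "universal"}

def describe_group_type(value):
    """Decode AD's signed 32-bit groupType into (kind, scope, builtin)."""
    bits = int(value) & 0xFFFFFFFF  # AD stores the flags as a signed integer
    kind = "security" if bits & SECURITY_ENABLED else "distribution"
    scope = next((name for flag, name in SCOPES.items() if bits & flag), "unknown")
    return kind, scope, bool(bits & BUILTIN)

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries = []
    for block in text.split("\n\n"):
        lines = [l for l in block.splitlines() if ": " in l and not l.startswith("#")]
        if lines:
            entries.append(dict(l.split(": ", 1) for l in lines))
    return entries

def check_group(entry, ldap_id_mapping=False):
    """Return (resolvable, reasons) per the two checks in the reply above."""
    reasons = []
    kind, scope, builtin = describe_group_type(entry.get("groupType", "0"))
    if kind != "security" or builtin:
        reasons.append(f"{'builtin' if builtin else kind} {scope} group is not mapped")
    if not ldap_id_mapping and "gidNumber" not in entry:
        reasons.append("no gidNumber attribute while ldap_id_mapping = False")
    return not reasons, reasons

# Constructed sample input (group names and gidNumber values are made up).
SAMPLE_LDIF = """\
dn: CN=share-rw,OU=Groups,DC=foo,DC=org
groupType: -2147483646
gidNumber: 30001

dn: CN=share-ro,OU=Groups,DC=foo,DC=org
groupType: -2147483646

dn: CN=staff-mail,OU=Groups,DC=foo,DC=org
groupType: 8
gidNumber: 30002
"""

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"], check_group(entry))
```
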