#StackBounty: #centos #active-directory #sssd auto groups in CentOS 7 in Active Directory domain?

Bounty: 50

I am having an issue that might be mostly cosmetic but I’ve gotta keep the user complaints down. 🙂

I have a set of servers running CentOS 7.4 and have the requirement to join the servers to an Active Directory domain. The users are defined in the domain with POSIX attributes, but there are no groups defined for each user. I joined the domain with

realm join --user=me --membership-software=adcli --computer-name=myhostname EXAMPLE.GOV

My /etc/sssd/sssd.conf contains this

[sssd]
domains = example.gov
config_file_version = 2
services = nss, pam
default_domain_suffix = EXAMPLE.GOV

[domain/example.gov]
ad_domain = example.gov
krb5_realm = EXAMPLE.GOV
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = myhostname$
ldap_id_mapping = False
use_fully_qualified_names = True
fallback_homedir = /home/%u
ldap_user_home_directory = unixHomeDirectory
access_provider = ad
full_name_format = %1$s
override_shell = /bin/bash

So far so good but I do have a problem with getting a group name for myself.

$ id me
uid=123456(me) gid=123456 groups=123456
$ getent passwd me
me:*:123456:123456:Doug:/home/me:/bin/bash
$ getent group me
$

What I want is for getent group me to return 123456. It looks like the sssd configuration option auto_private_groups or magicPrivateGroups (magic_private_groups?) is what I’m looking for, but neither option is supported under CentOS 7.

Turning on ldap_id_mapping is not an option, as these IDs are not consistent across all of our platforms. Any suggestions?
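The symptom in the question (a primary GID with no matching group entry, which id prints as a bare number) can be audited across all users rather than one at a time. The script below is an added example and is not part of the original post or of the sssd project; it runs over constructed sample passwd/group data (hypothetical users and GIDs, not the poster's real directory) so it works offline, and it also shows the group(5) line a user-private-group scheme would synthesize for a user whose UID equals their primary GID.

```shell
#!/bin/sh
# Constructed sample data standing in for `getent passwd` and `getent group`
# output on the joined host. Users, UIDs and GIDs are hypothetical.
SAMPLE_PASSWD='me:*:123456:123456:Doug:/home/me:/bin/bash
alice:*:123457:123457:Alice:/home/alice:/bin/bash
bob:*:123458:5000:Bob:/home/bob:/bin/bash'

SAMPLE_GROUP='unixadmins:*:5000:bob
wheel:x:10:'

# group_name_for GID GROUPDATA
# Prints the group name whose GID matches, or nothing if no entry exists.
group_name_for() {
    printf '%s\n' "$2" | awk -F: -v gid="$1" '$3 == gid { print $1; exit }'
}

# unresolved_primary_gids PASSWDDATA GROUPDATA
# Prints "user:gid" for every user whose primary GID has no group entry,
# i.e. the users for whom `id` shows gid=NNN without a name in parentheses.
unresolved_primary_gids() {
    printf '%s\n' "$1" | while IFS=: read -r user _ uid gid _; do
        [ -z "$user" ] && continue
        if [ -z "$(group_name_for "$gid" "$2")" ]; then
            printf '%s:%s\n' "$user" "$gid"
        fi
    done
}

# private_group_line PASSWDLINE
# Prints the group(5) line a user-private-group scheme would synthesize:
# group name == user name, GID == UID, no explicit members. Returns 1
# (prints nothing) when UID != primary GID, since such a user already has
# a real primary group and must not be given a private one.
private_group_line() {
    printf '%s\n' "$1" | awk -F: '{ if ($3 != $4) exit 1; printf "%s:*:%s:\n", $1, $4 }'
}

# Stand-alone run: report the users in the sample data with an unresolved
# primary GID (prints "me:123456" and "alice:123457"; bob resolves to unixadmins).
unresolved_primary_gids "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

On a real sssd-backed host, replace the sample variables with the output of getent passwd and, for groups, query per GID (getent group "$gid") inside group_name_for rather than enumerating: with the default enumerate = false, a bare getent group does not list domain groups, so a full enumeration would report every domain user as unresolved.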
