SSSD, AD UNIX Attributes, and SSH AllowGroups

I recently ran into an issue with the following setup:

  • Active Directory Domain
  • Realm joined RHEL 7 Hosts
  • A requirement for UNIX Attributes set in AD
  • sshd_config AllowGroups restrictions

The RHEL 7 hosts were not returning the users' secondary (supplementary) AD groups when running id, only the primary group, so the AllowGroups restriction in sshd_config was rejecting logins that should have succeeded.

The fix turned out to be setting the following in the domain section of /etc/sssd/sssd.conf:

ldap_schema = rfc2307bis

You'll then need to stop sssd, wipe its cache database and start it again:

systemctl stop sssd

rm -f /var/lib/sss/db/*

systemctl start sssd

sss_cache -E won't cut it here. Note that removing the files under /var/lib/sss/db also discards any cached credentials, so users who relied on offline logins will have to authenticate against the domain again. When you run id <username>, it should now return all of the user's group memberships instead of just the primary group, and the AllowGroups directive in sshd should now work.
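Two checks worth scripting around this procedure, written here as an added example rather than code from the original post: one that confirms the sssd domain section actually carries ldap_schema = rfc2307bis, and one that evaluates a user's resolved group list against the AllowGroups directive the way sshd does (wildcards, a leading ! negating a pattern, and a negated hit rejecting the login). The sssd.conf fragment, the domain example.com, the host dc1 and the group names below are constructed assumptions, as are the before/after id results; none of them come from the post.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Offline checks for what the
# post relies on:
#   sssd_schema_ok - the [domain/...] section of sssd.conf sets
#                    ldap_schema = rfc2307bis
#   sshd_allows    - at least one of a user's resolved groups satisfies the sshd
#                    AllowGroups pattern list (simplified model of sshd's matching:
#                    * and ? wildcards, a leading ! negates, a negated hit rejects)
# Every input here is constructed; example.com, dc1 and the group names are
# assumptions, not values from the post.

SAMPLE_SSSD_CONF='[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.example.com
ldap_schema = rfc2307bis
cache_credentials = True
'

# The same file with the fix missing (ldap_schema left at its default).
BROKEN_SSSD_CONF=$(printf '%s\n' "$SAMPLE_SSSD_CONF" | grep -v '^ldap_schema')

# sssd_schema_ok CONF DOMAIN: succeed only if [domain/DOMAIN] sets
# ldap_schema = rfc2307bis (a commented-out or misplaced line does not count).
sssd_schema_ok() {
  printf '%s\n' "$1" | awk -v want="[domain/$2]" '
    { line = $0; gsub(/[ \t]/, "", line) }          # ignore whitespace around "="
    line ~ /^\[/ { insect = (line == want); next }  # remember which section we are in
    insect && line == "ldap_schema=rfc2307bis" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# group_matches GROUP PATTERNS: 0 = positive match, 1 = no match,
# 2 = a negated pattern matched this group.
group_matches() {
  local group="$1" pat matched=1
  set -f               # split the pattern list on whitespace, no pathname expansion
  set -- $2
  set +f
  for pat in "$@"; do
    case $pat in
      '!'*) case $group in ${pat#?}) return 2 ;; esac ;;
      *)    case $group in $pat)     matched=0 ;; esac ;;
    esac
  done
  return "$matched"
}

# sshd_allows GROUPS PATTERNS: GROUPS is one group name per line (so names with
# spaces, such as AD's "domain users", survive); PATTERNS is the AllowGroups
# value as written in sshd_config.
sshd_allows() {
  printf '%s\n' "$1" | {
    found=1
    while IFS= read -r g; do
      [ -n "$g" ] || continue
      group_matches "$g" "$2" && rc=0 || rc=$?
      case $rc in
        0) found=0 ;;
        2) exit 1 ;;       # negated match wins, as in sshd
      esac
    done
    exit "$found"          # leaves only the pipeline subshell
  }
}

# resolved_groups USER: on a real host, the user's groups one per line, looked
# up by GID so that names containing spaces are not split apart.
resolved_groups() {
  local gid
  for gid in $(id -G "$1"); do
    getent group "$gid" | cut -d: -f1
  done
}

# Constructed id results: before the fix only the primary group resolved,
# afterwards the supplementary AD groups appear as well.
BEFORE_GROUPS='domain users@example.com'
AFTER_GROUPS='domain users@example.com
linux-admins@example.com
ssh-users@example.com'
ALLOWGROUPS='ssh-users@example.com linux-*@example.com !linux-contractors@example.com'

demo() {
  sssd_schema_ok "$SAMPLE_SSSD_CONF" example.com \
    && echo "fixed sssd.conf:  ldap_schema = rfc2307bis present" \
    || echo "fixed sssd.conf:  ldap_schema missing"
  sssd_schema_ok "$BROKEN_SSSD_CONF" example.com \
    && echo "broken sssd.conf: ldap_schema = rfc2307bis present" \
    || echo "broken sssd.conf: ldap_schema missing"
  sshd_allows "$BEFORE_GROUPS" "$ALLOWGROUPS" \
    && echo "before fix: login allowed" \
    || echo "before fix: login denied (only the primary group resolved)"
  sshd_allows "$AFTER_GROUPS" "$ALLOWGROUPS" \
    && echo "after fix:  login allowed" \
    || echo "after fix:  login denied"
}
demo
```

On a real host, feed the functions live data instead of the constructed strings: sssd_schema_ok "$(cat /etc/sssd/sssd.conf)" your.domain, and sshd_allows "$(resolved_groups someuser)" "<the AllowGroups value from /etc/ssh/sshd_config>". sshd compares AllowGroups entries against the group names NSS hands back, which is the same form id prints, so the entries must use that form, including the @domain suffix when sssd is configured for fully qualified names.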
