So I recently ran into an issue where we had the following setup:
- Active Directory Domain
- Realm joined RHEL 7 Hosts
- A requirement for UNIX Attributes set in AD
- sshd_config AllowGroups restrictions
However, when running id on the RHEL 7 hosts, the AD users' secondary (supplementary) groups were not displayed, only the primary group, and so the AllowGroups restriction in sshd was failing.
The fix turned out to be setting the following in the domain section of sssd.conf:

```
ldap_schema = rfc2307bis
```
You'll then want to stop SSSD, wipe its cache database and start it again:

```
systemctl stop sssd
rm -f /var/lib/sss/db/*
systemctl start sssd
```
sss_cache -E won't cut it here. When you run id <username>, it should now return all of the user's group memberships instead of just the primary group, and the AllowGroups directive in sshd should now work.
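As an added example that is not part of the original post, here is a small POSIX sh helper for checking whether a user's visible groups (as id -Gn reports them) satisfy the effective sshd AllowGroups patterns; the function names are my own, and the wrapper assumes sshd -T is available (it needs root).

```shell
#!/bin/sh
# Added example (not from the original post): given a user's group list and an
# sshd AllowGroups value, report whether sshd would admit the user.
# Groups and patterns are passed explicitly so the matching logic can be
# exercised offline; check_ssh_access wraps it with id and sshd -T.

# user_matches_allowgroups GROUPS ALLOWGROUPS
#   GROUPS       space-separated group names (output format of `id -Gn user`)
#   ALLOWGROUPS  space-separated patterns as in sshd_config (glob * and ? allowed)
# Returns 0 if any group matches any pattern, 1 otherwise.
user_matches_allowgroups() {
    groups=$1
    allow=$2
    for g in $groups; do
        for pat in $allow; do
            # $pat is deliberately unquoted so the case statement globs it
            case $g in
                $pat) return 0 ;;
            esac
        done
    done
    return 1
}

# check_ssh_access USER: compares the groups SSSD exposes for USER against the
# running sshd's AllowGroups. When only the primary group is visible, the
# stale-cache / ldap_schema problem described above is the likely cause.
check_ssh_access() {
    user=$1
    groups=$(id -Gn "$user" 2>/dev/null) || { echo "unknown user: $user"; return 2; }
    # sshd -T prints one lowercase "allowgroups <pattern>" line per entry
    allow=$(sshd -T 2>/dev/null | awk '$1=="allowgroups"{ $1=""; print }')
    [ -z "$allow" ] && { echo "no AllowGroups set; sshd admits $user"; return 0; }
    if user_matches_allowgroups "$groups" "$allow"; then
        echo "$user: groups [$groups] satisfy AllowGroups [$allow]"
    else
        echo "$user: groups [$groups] do NOT match AllowGroups [$allow]"
        # shellcheck disable=SC2086 -- word splitting intended
        [ "$(printf '%s\n' $groups | wc -l)" -eq 1 ] &&
            echo "only the primary group is visible: check ldap_schema and the SSSD cache"
        return 1
    fi
}
```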