
December 2016

SSSD and Active Directory Primary Group

You may find yourself scratching your head over messages like this one when diagnosing an SSSD issue with an ad_access_filter for the user foobar:

[sdap_access_filter_done] (0x0100): User [foobar] was not found with the specified filter. Denying access.

You just know that foobar is a member of one of the groups the ad_access_filter is looking for, so what is going on?

The issue is probably that foobar is a member of the group, but also has that group set as its primary group. The primary group of an account in Active Directory doesn’t appear under the account’s memberOf LDAP attribute.

You’ll have to add the primaryGroupID attribute to your ad_access_filter.
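The following is an added example, not code from the original post. A user's primaryGroupID holds the RID of the primary group, which is the last sub-authority of that group's objectSid, so the sketch decodes a binary objectSid, builds a filter with both clauses, and shows why the memberOf-only form denies foobar. The group DN, SID, user entry and helper names are all constructed for illustration.

```python
import struct

def parse_sid(raw: bytes):
    """Split a binary objectSid (as LDAP returns it) into its parts."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])     # 32-bit, little-endian
    return raw[0], authority, subs

def sid_to_str(raw: bytes) -> str:
    revision, authority, subs = parse_sid(raw)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def rid_of(raw: bytes) -> int:
    """RID = last sub-authority; this is the value users carry in primaryGroupID."""
    subs = parse_sid(raw)[2]
    if not subs:
        raise ValueError("SID has no sub-authorities")
    return subs[-1]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP filter."""
    out = value.replace("\\", "\\5c")
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        out = out.replace(ch, esc)
    return out

def access_filter(group_dn: str, group_sid: bytes) -> str:
    """Value for ad_access_filter covering normal and primary-group members."""
    return "(|(memberOf={})(primaryGroupID={}))".format(
        escape_filter_value(group_dn), rid_of(group_sid))

def allowed(user: dict, group_dn: str, rid=None) -> bool:
    """Evaluate the filter clauses against a user entry (rid=None: memberOf only)."""
    in_member_of = group_dn.lower() in (dn.lower() for dn in user.get("memberOf", []))
    return in_member_of or (rid is not None and user.get("primaryGroupID") == rid)

# Constructed sample data: foobar's primary group is linux-admins, so AD
# does not list that group in the account's memberOf attribute.
GROUP_DN = "CN=linux-admins,OU=Groups,DC=example,DC=com"
GROUP_SID = (struct.pack("<BB", 1, 5) + (5).to_bytes(6, "big")
             + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1605))
FOOBAR = {"sAMAccountName": "foobar", "memberOf": [], "primaryGroupID": 1605}

if __name__ == "__main__":
    print("memberOf only :", allowed(FOOBAR, GROUP_DN))
    print("with RID      :", allowed(FOOBAR, GROUP_DN, rid_of(GROUP_SID)))
    print("ad_access_filter =", access_filter(GROUP_DN, GROUP_SID))
```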