The Problem
When running the id command against LDAP users, only the GID is displayed for one of the secondary groups; the group name is not printed:
# id user1
uid=48254(user1) gid=100(users) groups=100(users),5002(group1),5001(group2),41257(group3),856(group4),56971
The following error was also logged in /var/log/sssd/sssd_nss.log:
(Tue Mar 14 05:40:09 2020) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
The Solution
A new group was added with the same GID as an existing group.
# id user1
uid=48254(user1) gid=100(users) groups=100(users),5002(group1),5001(group2),41257(group3),856(group4),56971(group6)
# getent group group5
group5:*:56971:
# id user1
uid=48254(user1) gid=100(users) groups=100(users),5002(group1),5001(group2),41257(group3),856(group4)
The same GID is mapped to two groups, group5 and group6. When id is run the first time, the result for the user is correct (all of the user's groups are shown). Then getent group is run for the other group:
# getent group group5
After that, however, the group is dropped from the id output.
SSSD has a hard restriction in the SysDB that only one group can exist with a particular GID. When a group is renamed on the server, whether or not it is handled correctly becomes an order-of-operations issue. Multiple entries with the same GID are not supported, and configuring them results in unexpected behavior.
This is why the following error was logged in /var/log/sssd/sssd_nss.log:
(Tue Mar 14 05:40:09 2020) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
Once the entry is corrected on the LDAP server, SSSD should pick it up correctly again. If it does not, wait up to 300 seconds (five minutes), which is the default time for that cache to flush itself. Alternatively, the sss_cache command can be used to flush the SSSD cache with the options appropriate to the situation:
The -E flag invalidates all cached entries, with the exception of sudo rules.
# sss_cache -E
A specific user can also be invalidated from the cache with the -u flag, followed by the username.
# sss_cache -u user1
Alternatively, the cache database files in the /var/lib/sss/db/ directory can be removed while sssd is stopped:
# service sssd stop
# rm -rf /var/lib/sss/db/*
# service sssd start