Noticed that when running id usertocheck or groups usertocheck, the users in the administrators group did not show that group listed.
Checking on the Windows DC with net user usertocheck shows Administrators group listed.
Performing an LDAP query of the group, I see the following:
ldapsearch -Y GSSAPI -H ldap://host.our.domain -b 'CN=Administrators,CN=Builtin,DC=our,DC=domain' -s base tokenGroupsNoGCAcceptable
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <CN=Administrators,CN=Builtin,DC=domain,DC=our> with scope baseObject
# filter: (objectclass=*)
# requesting: tokenGroupsNoGCAcceptable
#
# Administrators, Builtin, our.domain
dn: CN=Administrators,CN=Builtin,DC=our,DC=domain
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
When comparing it to a different group like Domain Admins I see this:
ldapsearch -Y GSSAPI -H ldap://host.our.domain -b 'CN=Domain Admins,CN=Users,DC=our,DC=domain' -s base tokenGroupsNoGCAcceptable
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <CN=Domain Admins,CN=Users,DC=our,DC=domain> with scope baseObject
# filter: (objectclass=*)
# requesting: tokenGroupsNoGCAcceptable
#
# Domain Admins, Users, our.domain
dn: CN=Domain Admins,CN=Users,DC=our,DC=domain
tokenGroupsNoGCAcceptable:: AQIAAAAAAAUgAAAAIAIAAA==
tokenGroupsNoGCAcceptable:: AQUAAAAAAAUVAAAAy9P9fqM5HW5F8KhKPAIAAA==
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
Why do users in the administrators group not show they are in the administrators group when searching for them with id or groups in an integrated SSSD system?
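The two base64 tokenGroupsNoGCAcceptable values in the Domain Admins output above are binary Windows SIDs. As an added example (not part of the original post), this Python snippet pulls the `attr:: base64` lines out of that LDIF and converts them to S-1-... strings so they can be compared with what id reports; the function names are hypothetical helpers.

```python
import base64
import struct

# LDIF lines copied from the Domain Admins ldapsearch output in the post.
LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=our,DC=domain
tokenGroupsNoGCAcceptable:: AQIAAAAAAAUgAAAAIAIAAA==
tokenGroupsNoGCAcceptable:: AQUAAAAAAAUVAAAAy9P9fqM5HW5F8KhKPAIAAA==
"""


def sid_to_string(raw: bytes) -> str:
    """Convert a binary SID to its S-R-A-S1-S2... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unexpected SID revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    # Identifier authority is 6 bytes big-endian; sub-authorities are
    # 32-bit little-endian integers.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sids_from_ldif(ldif: str, attr: str = "tokenGroupsNoGCAcceptable"):
    """Return decoded SIDs for every base64 ('::') value of attr."""
    prefix = attr.lower() + "::"
    sids = []
    for line in ldif.splitlines():
        if line.lower().startswith(prefix):
            value = line[len(prefix):].strip()
            sids.append(sid_to_string(base64.b64decode(value, validate=True)))
    return sids


if __name__ == "__main__":
    for sid in sids_from_ldif(LDIF):
        print(sid)
```

The first value decodes to S-1-5-32-544, the well-known SID of the BUILTIN\Administrators group; the second is a SID in the domain's own S-1-5-21-... range.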