STIG Mode breaks 'administrators' and 'users' groups


After enabling SIMP's STIG Mode, the 'administrators' and 'users' groups defined in OpenLDAP fail to resolve their group numbers. This is because enabling STIG Mode raises the minimum gid (and uid) to 1000, while the administrators gid is 700 and the users gid is 100. As a result, users who are members of the administrators group cannot perform administrator functions, such as running sudo commands.

I attempted to resolve this by decreasing the sssd minimum gid to 1, but in STIG Mode this is ineffective: the group still does not resolve and administrators still cannot run sudo commands.

Note that the 'users' group appears to resolve because there is another local 'users' group defined in /etc/group with a gid of 100, matching the OpenLDAP value for 'users'. Removing that local group reveals the issue.

Steps to reproduce:

  • Before or after enabling SIMP STIG Mode, add a user to the OpenLDAP 'administrators' group

  • Enable SIMP STIG mode (disa_stig)

  • Test administrator's group membership:

  • Note that gid '700' is in the list, yet unresolved

  • Log in as the user and issue any sudo command, which will fail

Workaround:

  • Before or after enabling SIMP STIG mode (disa_stig), change the gid of the 'administrators' group in OpenLDAP to a value greater than 1000

  • Stop the sssd service

  • Remove the sssd LDAP cache:

  • Start the sssd service again

Acceptance Criteria

After STIG Mode is enabled, user accounts that are members of the 'administrators' group in OpenLDAP are able to successfully execute sudo commands.
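As an added example (this is neither SIMP's nor the reporter's code), the following POSIX sh helper parses `id` output to list the gids that did not resolve, separates the ones that the raised minimum gid explains from any others, and wraps the stop/clear-cache/start step from the workaround above. It assumes sssd's min_id is 1000 once STIG Mode is enabled, as the report states, and that sssd keeps its cache files under /var/lib/sss/db (sssd's default). The sample `id` line is constructed; gid 2500 in it is added only to show an unresolved group that min_id does not explain.

```shell
#!/bin/sh
# Added diagnostic/workaround helper for the STIG Mode gid problem described in
# this ticket. It is not SIMP's or the reporter's code. Assumptions: sssd's
# min_id becomes 1000 once STIG Mode is on (as the report states), and sssd's
# cache files live under /var/lib/sss/db (sssd's default location).

MIN_ID=1000

# Given one line of `id` output, print each gid in the groups= list that has no
# "(name)" after it, i.e. a group that NSS/sssd could not resolve. Prints
# nothing when every group resolved.
unresolved_gids() {
    printf '%s\n' "$1" \
        | tr ' ' '\n' \
        | sed -n 's/^groups=//p' \
        | tr ',' '\n' \
        | grep -E '^[0-9]+$' || true
}

# Succeed (0) when a gid is at or above MIN_ID and therefore visible to sssd
# under STIG Mode; fail (1) when min_id alone would hide it.
gid_visible() {
    [ "$1" -ge "$MIN_ID" ]
}

# Of the unresolved gids in an `id` line, print only those that the raised
# min_id explains; anything left over is unresolved for some other reason.
explained_by_min_id() {
    for g in $(unresolved_gids "$1"); do
        gid_visible "$g" || printf '%s\n' "$g"
    done
}

# Constructed sample `id` output modelled on the report: gid 100 ('users')
# still resolves through the local /etc/group entry, gid 700
# ('administrators') does not. gid 2500 is an extra unresolved group added
# here to show one that min_id does not explain.
SAMPLE_ID='uid=1001(alice) gid=1001(alice) groups=1001(alice),100(users),700,2500'

# Workaround from the steps above: once the group's gid in OpenLDAP has been
# raised to >= MIN_ID, restart sssd with an empty cache so the new gid is
# fetched. Needs root; only runs when this script is invoked with --apply.
flush_sssd_cache() {
    systemctl stop sssd
    rm -f /var/lib/sss/db/cache_*.ldb
    systemctl start sssd
}

case "${1:-}" in
    --apply) flush_sssd_cache ;;
    *)       explained_by_min_id "$(id)" ;;   # report for the current user
esac
```

Run it without arguments on the affected host to see which of the current user's unresolved gids fall below the minimum; after raising the group's gid in OpenLDAP, run it as root with `--apply` to clear the cache and restart sssd. Because the report states that lowering sssd's minimum gid did not help in STIG Mode, the script only compares gids against the threshold and does not attempt to change min_id.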


Trevor Vaughan
January 14, 2021, 8:15 PM

Can you tell us what version of sssd is installed?

I remember this being an issue but I thought that it was resolved for secondary group membership (I may be mistaken though).

Mark Fitch
January 14, 2021, 8:33 PM

Using the command ‘sssd --version’ returns 1.16.5 on my SIMP 6.4-based system. Let me know if you need any other information.


