After enabling SIMP's STIG Mode, the 'administrators' and 'users' groups defined in OpenLDAP fail to resolve their group numbers. This is because enabling STIG Mode raises the minimum gid (and uid) to 1000, while the administrators gid is 700 and the users gid is 100. This causes users who are members of the administrators group not to be able to perform administrator functions, such as running sudo commands.
Attempted to resolve this by decreasing the sssd minimum gid to 1, which is ineffective in STIG Mode to allow the group to resolve and administrators to run sudo commands.
Note, the 'users' group appears to resolve because there is another local users group defined in /etc/group with a gid of 100, matching the OpenLDAP value for 'users'. Removing that local group reveals the issue.
Steps to reproduce:
Before or after enabling SIMP STIG Mode, add user to OpenLDAP 'administrators' group
Test administrator's group membership:
Note gid '700' is in the list, yet unresolved
Log in as user and issue any sudo command, which will fail
Before or after enabling SIMP STIG mode (disa_stig), change the gid of the 'administrators' group id in OpenLDAP to something greater than 1000
Stop the sssd service
Remove the sssd LDAP cache:
Start the sssd service again
After STIG Mode is enabled, user accounts that are members of the 'administrators' group in OpenLDAP are able to successfully execute sudo commands
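A quick check for the symptom described in this report, as an added example that is not part of the original report or of SIMP: it parses `id`-style output, lists supplementary gids that appear without a resolved name, and reports those below a floor. The function names and the sample line (user `jdoe`) are constructed, and the floor of 1000 is the value the report gives for STIG Mode.

```shell
#!/bin/sh
# Added example (not from the report). Assumes the usual `id` output form:
#   uid=N(name) gid=N(name) groups=N(name),N(name),... [context=...]
# A gid that cannot be resolved is printed as a bare number with no "(name)".

# unresolved_gids "<id output line>"
# Prints each supplementary gid that has no resolved group name, one per line.
unresolved_gids() {
    printf '%s\n' "$1" |
        sed -n 's/ context=.*//; s/.*groups=//p' |  # drop SELinux context, keep group list
        tr ',' '\n' |
        grep -E '^[0-9]+$' || true                  # bare numbers only; no match is not an error
}

# below_floor "<id output line>" <floor>
# Prints the unresolved gids that are lower than <floor>.
below_floor() {
    floor=$2
    for gid in $(unresolved_gids "$1"); do
        if [ "$gid" -lt "$floor" ]; then
            echo "$gid"
        fi
    done
}

# Constructed sample: gid 700 is listed but unresolved, while gid 100
# resolves through a local /etc/group entry, as the report describes.
SAMPLE='uid=1001(jdoe) gid=1001(jdoe) groups=1001(jdoe),700,100(users)'

# Floor of 1000 is the minimum gid the report attributes to STIG Mode.
below_floor "$SAMPLE" 1000

# On a live system (user name is a placeholder):
#   below_floor "$(id jdoe)" 1000
```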
Can you tell us what version of sssd is installed?
I remember this being an issue but I thought that it was resolved for secondary group membership (I may be mistaken though).
Using the command ‘sssd --version’ returns 1.16.5 on my SIMP 6.4-based system. Let me know if you need any other information.