Open
Description
I have been trying to figure out why, when I run 'getent group <>', we are getting an incomplete list of users that seems inconsistent across our system. I noticed that when I blew away /var/lib/sss/{mc,db}/*, the group membership was as expected until I ran 'sss_override user-add <> -g <>' to set a default group.
When I undid the override, the output of 'getent group' returned to normal. I am not sure what is happening; happy to test / provide additional information.
$ sssd --version
2.9.6
Our /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = ad.something.edu
[nss]
filter_users = root
filter_groups = root
fallback_homedir = /home/%u
reconnection_retries = 3
entry_cache_timeout = 30
entry_cache_nowait_timeout = 300
[pam]
reconnection_retries = 3
[domain/ad.something.edu]
access_provider = simple
ad_enabled_domains = ad.something.edu
ad_gpo_access_control = disabled
ad_server = ad1.something.edu,ad2.something.edu
auth_provider = ad
dyndns_update = false
id_provider = ad
ldap_id_mapping = false
min_id = 500
# restrict AD groups we care about
ldap_group_search_base = DC=AD,DC=SOMETHING,DC=EDU
simple_allow_groups = some-group,some-secondgroup
Steps to reproduce / example
[root@server ~]# getent group group2
group2:*:1380536:user1,user2,user3,user4,user5,user6
[root@server ~]# sss_override user-add user1 -g 10050003
SSSD needs to be restarted for the changes to take effect.
[root@server ~]# systemctl restart sssd
[root@server ~]# getent group group2
group2:*:1380536:user1,user6
[root@server ~]# sss_override user-del user1
[root@server ~]# systemctl restart sssd
[root@server ~]# getent group group2
group2:*:1380536:user1,user2,user3,user4,user5,user6
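
A small helper for confirming the symptom in the reproduction above, added here as an example and not part of the original report or of SSSD: it compares two `getent group` lines captured before and after the override and lists the members that disappeared. The function name `missing_members` is hypothetical; the sample lines are the ones shown in the report.

```bash
#!/bin/sh
# Added example (not from the report or the SSSD project).
# Input lines use the getent group format: name:passwd:gid:member1,member2,...

# missing_members BEFORE AFTER
# Prints, comma-separated, the members present in BEFORE but absent in AFTER.
# Returns 2 if the two lines do not describe the same group name and GID.
missing_members() {
    if [ "${1%:*}" != "${2%:*}" ]; then
        echo "error: lines describe different groups" >&2
        return 2
    fi
    before=${1##*:}          # member field of the first line
    after=",${2##*:},"       # wrapped in commas for whole-name matching
    out=""
    old_ifs=$IFS
    IFS=,
    for m in $before; do
        [ -n "$m" ] || continue
        case "$after" in
            *",$m,"*) ;;                      # still listed
            *) out="${out:+$out,}$m" ;;       # dropped
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Sample lines copied from the reproduction in the report.
BEFORE='group2:*:1380536:user1,user2,user3,user4,user5,user6'
AFTER='group2:*:1380536:user1,user6'

dropped=$(missing_members "$BEFORE" "$AFTER")
if [ -n "$dropped" ]; then
    echo "members missing after override: $dropped"
else
    echo "membership unchanged"
fi
```

On a live host, capture the output of `getent group <name>` before adding the override and again after the SSSD restart, and pass the two lines to the function in place of the sample values.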