Problem
After upgrading Univention Corporate Server (UCS) from version 5.0 to 5.2, client systems that had been joined to the domain with SSSD could no longer reliably resolve domain users and groups.
On affected systems, NSS lookups of domain accounts (for example getent passwd <user> or id <user>) returned inconsistent or empty results.
Root Cause
The issue lies in how SSSD's AD provider talks to the Active Directory Global Catalog (GC) after the upgrade.
By default the AD provider queries the Global Catalog (ad_enable_gc = true) for user and group lookups, and against a UCS domain controller this can break identity resolution in some environments.
For certain objects the Global Catalog response may not contain the attributes SSSD needs, so the affected lookups come back incomplete or empty.
Workaround
Disable Global Catalog lookups in the SSSD domain configuration. ad_enable_gc is an option of the AD provider (id_provider = ad); it has no effect with id_provider = ldap.
Add the following line to the [domain/...] section of /etc/sssd/sssd.conf (the file must remain owned by root with mode 0600, otherwise SSSD refuses to start):
ad_enable_gc = false
Then clear the SSSD cache, so that incomplete entries stored before the change are discarded, and restart the service:
sss_cache -E
systemctl restart sssd
Check the result with getent passwd <user> and id <user> for a domain account; both should now return the complete entry.
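The edit above is easy to get wrong on a client with more than one [domain/...] section, or to apply twice. The following shell script is an added example, not code from the page or from Univention: it sets ad_enable_gc = false in every domain section of an sssd.conf idempotently, preserves the 0600 mode SSSD requires, and exercises itself against a constructed sample file so nothing touches /etc/sssd/sssd.conf. The domain names example.ucs and other.ucs in the sample are invented.

```shell
#!/bin/sh
# Added example (not from the original page or from Univention): apply the
# Global Catalog workaround idempotently. Assumes POSIX sh with awk and an
# sssd.conf-style ini file as input.

# Ensure every [domain/...] section contains "ad_enable_gc = false":
# an existing ad_enable_gc line is rewritten, a missing one is appended
# to its section, and a correct one is left alone.
set_ad_enable_gc_false() {
    conf="$1"
    tmp="$conf.tmp.$$"
    awk '
        /^\[/ {
            # leaving a domain section that never set the option: add it
            if (in_domain && !seen) print "ad_enable_gc = false"
            in_domain = ($0 ~ /^\[domain\//)
            seen = 0
        }
        in_domain && $0 ~ /^[ \t]*ad_enable_gc[ \t]*=/ {
            print "ad_enable_gc = false"; seen = 1; next
        }
        { print }
        END { if (in_domain && !seen) print "ad_enable_gc = false" }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # sssd refuses to start if sssd.conf is readable by anyone but root,
    # so set the mode before the file is moved into place.
    chmod 600 "$tmp"
    mv "$tmp" "$conf"
}

# Report how many [domain/...] sections still lack ad_enable_gc = false
# (0 means the workaround is in place everywhere).
count_domains_using_gc() {
    awk '
        /^\[/ {
            if (in_domain && !off) n++
            in_domain = ($0 ~ /^\[domain\//)
            off = 0
        }
        in_domain && $0 ~ /^[ \t]*ad_enable_gc[ \t]*=[ \t]*[Ff][Aa][Ll][Ss][Ee][ \t]*$/ { off = 1 }
        END { if (in_domain && !off) n++; print n + 0 }
    ' "$1"
}

# Write a constructed sample sssd.conf (not from a real system): one domain
# with the option set to true, one without it at all.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = example.ucs, other.ucs

[nss]
filter_groups = root

[domain/example.ucs]
id_provider = ad
ad_domain = example.ucs
ad_enable_gc = true

[domain/other.ucs]
id_provider = ad
ad_domain = other.ucs
EOF
    chmod 600 "$1"
}

# Full procedure on a real client, run as root (not invoked in this file):
#   set_ad_enable_gc_false /etc/sssd/sssd.conf
#   sss_cache -E            # drop cached, possibly incomplete, entries
#   systemctl restart sssd
#   getent passwd <domain user> && id <domain user>
```

Running the awk pass a second time changes nothing, so the function is safe to put into configuration management; count_domains_using_gc gives a zero/non-zero check that can gate the restart.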
Recommended SSSD Configuration for UCS
For Ubuntu and Linux Mint systems joining a UCS domain, the recommended approach is to use the Univention Domain Join Assistant.
Repository:
https://github.com/univention/univention-domain-join
The assistant automatically performs the domain join and configures SSSD with a working default configuration suitable for UCS environments.
A simplified example of the configuration generated by the assistant follows. The %(...)s tokens are template placeholders that the assistant fills in at join time (Kerberos realm, LDAP server, base DN, machine account DN and password). Because it uses id_provider = ldap against the UCS OpenLDAP on port 7389 rather than the AD provider, the ad_enable_gc option from the workaround above does not apply to it. Note that ldap_tls_reqcert = never disables verification of the server certificate even though the UCS CA certificate is configured; on a hardened client, set it to demand so that a spoofed LDAP server is rejected:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, sudo
domains = %(kerberos_realm)s
[nss]
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/%(kerberos_realm)s]
auth_provider = krb5
krb5_realm = %(kerberos_realm)s
krb5_server = %(ldap_server_name)s
krb5_kpasswd = %(kpasswd_server)s
id_provider = ldap
ldap_uri = ldap://%(ldap_server_name)s:7389
ldap_search_base = %(ldap_base)s
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/univention/ssl/ucsCA/CAcert.pem
cache_credentials = true
enumerate = true
ldap_default_bind_dn = %(machines_ldap_dn)s
ldap_default_authtok_type = password
ldap_default_authtok = %(ldap_password)s