SSSD with poor connectivity #7811

Open
grnfls709 opened this issue Jan 24, 2025 · 8 comments

@grnfls709

When the connection with the domain controller is good, the user logs into the system without any problems. On some PCs, I added domain users to local Linux groups such as dialout, but when the connection is bad and authorization takes place offline using the cache, when I enter the groups command from this user, I see that the local dialout group is missing. What could be the cause and how to fix it?

@alexey-tikhonov
Member

> when the connection is bad and authorization takes place offline using the cache, when I enter the groups command from this user, I see that the local dialout group is missing

And when connection is good?

Do you call 'groups' without arguments or 'groups $user'?
Those two variants use different underlying functions (getgroups() vs getgrouplist())
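
Added example (not part of the thread and not SSSD code): a small C diagnostic for the getgroups() versus getgrouplist() distinction named in the comment above. It reports groups that NSS currently resolves for the invoking user but that are absent from the session's own credentials; the function names are made up for this illustration and it assumes Linux with glibc.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Supplementary GIDs in this process's credentials (what `groups` reads). */
int load_process_groups(gid_t **out) {
    int n = getgroups(0, NULL);
    if (n < 0 || !(*out = malloc(((size_t)n + 1) * sizeof(gid_t)))) return -1;
    return getgroups(n, *out);
}
/* GIDs NSS resolves for the user right now (what `groups $user` reads). */
int load_nss_groups(const char *user, gid_t primary, gid_t **out) {
    int n = 32;
    if (!(*out = malloc((size_t)n * sizeof(gid_t)))) return -1;
    while (getgrouplist(user, primary, *out, &n) == -1) {  /* n = needed size */
        gid_t *bigger = realloc(*out, (size_t)n * sizeof(gid_t));
        if (!bigger) { free(*out); return -1; }
        *out = bigger;
    }
    return n;
}
/* GIDs in the NSS answer that the process lacks; egid counts as present. */
int missing_from_process(const gid_t *proc, int nproc, const gid_t *nss,
                         int nnss, gid_t egid, gid_t *out) {
    int count = 0;
    for (int i = 0; i < nnss; i++) {
        int found = (nss[i] == egid);
        for (int j = 0; j < nproc && !found; j++) found = (proc[j] == nss[i]);
        if (!found) out[count++] = nss[i];
    }
    return count;
}
int main(void) {
    struct passwd *pw = getpwuid(getuid());
    gid_t *proc = NULL, *nss = NULL;
    if (!pw) return 2;
    int np = load_process_groups(&proc);
    int nn = load_nss_groups(pw->pw_name, pw->pw_gid, &nss);
    gid_t *miss = nn < 0 ? NULL : malloc(((size_t)nn + 1) * sizeof(gid_t));
    if (np < 0 || !miss) return 2;
    int nm = missing_from_process(proc, np, nss, nn, getegid(), miss);
    for (int i = 0; i < nm; i++) {
        struct group *gr = getgrgid(miss[i]);
        printf("missing from session: %s (gid %d)\n", gr ? gr->gr_name : "?", (int)miss[i]);
    }
    return nm ? 1 : 0;
}
```

Run it as the affected user inside the login session: any line it prints is a group that a fresh NSS lookup returns but that was not placed in the session's credentials at login.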

@alexey-tikhonov
Member

And what is the output of `grep ^group /etc/nsswitch.conf`?

@grnfls709
Author

grnfls709 commented Jan 24, 2025

> > when the connection is bad and authorization takes place offline using the cache, when I enter the groups command from this user, I see that the local dialout group is missing
>
> And when connection is good?
>
> Do you call 'groups' without arguments or 'groups $user'?
> Those two variants use different underlying functions (getgroups() vs getgrouplist())

I'm a novice DevOps specialist, I haven't tried any other teams, just groups. When the connection is excellent, if you enter the groups command from the domain user, the result will be something like this: `domain users dialout`. If the connection is bad and the user has logged in using cached data, then when entering groups it will be like this: `domain users`, i.e. without a local dialout group. The fact is that the dialout group, for example, is needed to access the COM ports on which the cash registers operate. And if the user loses access to the dialout group, then access to the COM ports is also lost.

@grnfls709
Author

> And what is the output of `grep ^group /etc/nsswitch.conf`?

I will try it and then answer you :)

@grnfls709
Author

> And what is the output of `grep ^group /etc/nsswitch.conf`?

Output is:
group: files sss

@alexey-tikhonov
Member

Sounds like initgroups list is set incorrectly / differently when logging in offline...

When "connection is bad", can you also try `groups $user`?
Will the output be the same as of `groups` (without argument) or will it have local groups as expected?

@grnfls709
Author

> Sounds like initgroups list is set incorrectly / differently when logging in offline...
>
> When "connection is bad", can you also try `groups $user`? Will the output be the same as of `groups` (without argument) or will it have local groups as expected?

In general, I tried logging in with my cached domain account on my PC with the network disconnected. The groups command worked fine, and showed my local groups such as dialout and wheel. From this situation, I realized that sssd does not work correctly at a time when the network is available, but the bandwidth is too low. The ping from such computers to the domain controller is about 800-1000... What can be done in this situation?

@alexey-tikhonov
Member

> I realized that sssd does not work correctly at a time when the network is available, but the bandwidth is too low

Still it returns a correct list of domain groups but local groups are missing?

> What can be done in this situation?

Enable 'debug_level = 9' in 'nss' and domain sections of sssd.conf and then extract logs covering groups lookup (see `sssctl analyze --help`)
