# Ubuntu – SSSD with AD: use UID/GID specified on domain server instead of something random

I have an AD environment with IDMU and specified UID/GID for my domain users. An SSSD-connected domain user does not get the same UID/GID on Ubuntu as in AD.

Here's the default unedited sssd.conf in Ubuntu 20.10:

% sssd --version
2.3.1

# cat /etc/sssd/sssd.conf

[sssd]
domains = webtool.space
config_file_version = 2

[domain/webtool.space]
default_shell = /bin/bash
cache_credentials = True
krb5_realm = MYDOMAIN.SPACE
fallback_homedir = /home/%u@%d
use_fully_qualified_names = True
ldap_id_mapping = True


If username Auser has a UID of 10001 and a GID of 10001 I would expect that these numbers would persist across other platforms, correct?

But SSSD seems to allocate arbitrary UID/GID with no correspondence with AD numbers. Here's a real-world example:

% su auser@mydomain.space
auser@mydomain.space@myhostname:~$ id

uid=397401108(auser@mydomain.space)
397400513(domain users@mydomain.space),
397401109(sudoers@mydomain.space),
397404603(libvirt@mydomain.space),
397407607(jumpcloud@mydomain.space)


Is there any way to prevent this behavior? I would like my UID/GID to correspond with the values assigned on the domain controllers.

Update:

Thanks to the stellar first answer, all that was required to make the mapping 1-1 was to stop the SSSD service, delete the cache, and change ldap_id_mapping from True to False.

Now the UID/GID are the same as AD:

% id


Now to figure out why I am missing some of the groups my user belongs to…
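The ids in that `id` output are not random. With ID mapping enabled, SSSD carves a fixed-size slice of a large range out for each domain and adds the account's RID (the last component of its objectSID) to the slice base, so 397400513 is the slice base plus 513, the well-known RID of Domain Users. The following is an added example, not part of the question, that decodes such ids using the sssd-ad defaults (ldap_idmap_range_min 200000, ldap_idmap_range_size 200000, ldap_idmap_range_max 2000200000); the function names are mine. Which slice a domain lands in is derived from a hash of the domain SID, which the post does not show, so the example decodes ids but does not predict the slice.

```shell
#!/bin/sh
# Defaults of the sssd-ad ID-mapping range (man sssd-ad: ldap_idmap_range_min,
# ldap_idmap_range_max, ldap_idmap_range_size). Override via the environment
# if your sssd.conf changes them.
IDMAP_RANGE_MIN=${IDMAP_RANGE_MIN:-200000}
IDMAP_RANGE_MAX=${IDMAP_RANGE_MAX:-2000200000}
IDMAP_RANGE_SIZE=${IDMAP_RANGE_SIZE:-200000}

# Number of per-domain slices the range is cut into (10000 with the defaults).
sssd_idmap_slices() {
  echo $(( (IDMAP_RANGE_MAX - IDMAP_RANGE_MIN) / IDMAP_RANGE_SIZE ))
}

# Split a mapped UID/GID into "slice rid". Returns 1 if the id does not come
# from the mapping range at all (a POSIX attribute value or a local account).
sssd_idmap_decode() {
  id=$1
  [ "$id" -ge "$IDMAP_RANGE_MIN" ] && [ "$id" -lt "$IDMAP_RANGE_MAX" ] || return 1
  off=$((id - IDMAP_RANGE_MIN))
  echo "$((off / IDMAP_RANGE_SIZE)) $((off % IDMAP_RANGE_SIZE))"
}
sssd_idmap_slice() { sssd_idmap_decode "$1" | cut -d' ' -f1; }
sssd_idmap_rid()   { sssd_idmap_decode "$1" | cut -d' ' -f2; }

# Inverse: the id SSSD hands out for a given slice and RID.
sssd_idmap_encode() {
  echo $(( IDMAP_RANGE_MIN + $1 * IDMAP_RANGE_SIZE + $2 ))
}

# Name the well-known RIDs so a decoded id is easy to recognise.
rid_name() {
  case $1 in
    500) echo "Administrator" ;;
    512) echo "Domain Admins" ;;
    513) echo "Domain Users" ;;
    *)   echo "RID $1" ;;
  esac
}

# Usage: sssd_idmap_explain ID...   (prints one line per id)
sssd_idmap_explain() {
  for id in "$@"; do
    if out=$(sssd_idmap_decode "$id"); then
      set -- $out
      printf '%s -> slice %s, %s\n' "$id" "$1" "$(rid_name "$2")"
    else
      printf '%s -> outside the ID-mapping range (POSIX attribute or local id?)\n' "$id"
    fi
  done
}
```

Run it against the ids from the post, e.g. `sssd_idmap_explain 397401108 397400513 397401109`: every one decodes to slice 1986 of the default range, and the offsets are the accounts' RIDs. That is why the numbers are stable per domain and per account, yet never equal to the uidNumber/gidNumber stored in AD.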

The default SSSD behavior is to map user IDs and group IDs to a range of values. You can instead specify LDAP attributes to use if they are defined in AD.

    By default, the AD provider will map UID and GID values from the objectSID parameter in
    Active Directory. For details on this, see the “ID MAPPING” section below. If you want to
    disable ID mapping and instead rely on POSIX attributes defined in Active Directory, you
    should set

ldap_id_mapping = False


SSSD configuration would depend on what attributes are used in AD. The defaults for UID and GID are uidNumber and gidNumber, but some defaults change based on which version of SSSD you are running. Check the manpage for the release you are using.

If you change the id mapping settings, you need to fully clear your caches before testing the change. I like to run these commands:

systemctl stop sssd
rm /var/lib/sss/{db,mc}/*
sss_cache -E
# optionally clear debug logs
truncate -s 0 /var/log/sssd/*.log
systemctl start sssd
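To make the procedure above repeatable, here is an added example in POSIX shell; it is not part of the answer and not SSSD's own tooling. It switches `ldap_id_mapping` off, pins the POSIX attribute names explicitly (the sssd-ldap options `ldap_user_uid_number`, `ldap_user_gid_number` and `ldap_group_gid_number`, assumed here to be `uidNumber`/`gidNumber` as in the answer), flushes the caches with the same commands as above, and then checks `id` output against the values AD is expected to hold. The function names are mine, and the config-editing helper assumes a single `[domain/...]` section as in the posted sssd.conf.

```shell
#!/bin/sh
# Set "key = val" inside an sssd.conf: rewrite an existing assignment, or add one
# right after the first [domain/...] header. Rewrites through a temp file and
# `cat >` so the 0600 root ownership of sssd.conf is preserved.
sssd_set_opt() {
  conf=$1; key=$2; val=$3
  tmp=$(mktemp) || return 1
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$conf"; then
    awk -v k="$key" -v v="$val" '
      $0 ~ "^[[:space:]]*" k "[[:space:]]*=" { print k " = " v; next }
      { print }' "$conf" > "$tmp"
  else
    awk -v k="$key" -v v="$val" '
      { print }
      /^\[domain\// && !done { print k " = " v; done = 1 }' "$conf" > "$tmp"
  fi
  cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Read the value of the first "key = val" line in an sssd.conf.
sssd_get_opt() {
  awk -v k="$2" '$0 ~ "^[[:space:]]*" k "[[:space:]]*=" {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }' "$1"
}

# Turn SID-based mapping off and name the POSIX attributes explicitly, so the
# result does not depend on which SSSD release's defaults are in effect.
# Assumption: AD (IDMU) populates the standard uidNumber/gidNumber attributes.
sssd_disable_idmap() {
  conf=$1
  sssd_set_opt "$conf" ldap_id_mapping False &&
  sssd_set_opt "$conf" ldap_user_uid_number uidNumber &&
  sssd_set_opt "$conf" ldap_user_gid_number gidNumber &&
  sssd_set_opt "$conf" ldap_group_gid_number gidNumber
}

# Stop SSSD, drop the on-disk caches and restart: the answer's procedure. Root only.
sssd_flush_cache() {
  [ "$(id -u)" -eq 0 ] || { echo "sssd_flush_cache: run as root" >&2; return 1; }
  systemctl stop sssd
  rm -f /var/lib/sss/db/* /var/lib/sss/mc/*
  sss_cache -E
  systemctl start sssd
}

# Pull the numeric uid and gid out of `id` output such as
#   uid=10001(auser@mydomain.space) gid=10001(domain users@mydomain.space) groups=...
sssd_id_uid() { printf '%s\n' "$1" | sed -nE 's/^uid=([0-9]+).*/\1/p'; }
sssd_id_gid() { printf '%s\n' "$1" | sed -nE 's/.* gid=([0-9]+).*/\1/p'; }

# Succeed only when the `id` output carries exactly the uid/gid AD assigns.
sssd_check_id() {
  out=$1; want_uid=$2; want_gid=$3
  [ "$(sssd_id_uid "$out")" = "$want_uid" ] && [ "$(sssd_id_gid "$out")" = "$want_gid" ]
}

# Usage (as root):
#   sh sssd-posix-ids.sh apply /etc/sssd/sssd.conf auser@mydomain.space 10001 10001
case "${1:-}" in
  apply)
    sssd_disable_idmap "$2" && sssd_flush_cache &&
      sssd_check_id "$(id "$3")" "$4" "$5" && echo "$3: uid/gid match AD" ;;
esac
```

If `sssd_check_id` fails after the flush, the user's uidNumber/gidNumber are not being read: either the attributes are missing on that account in AD (SSSD then skips the user entirely when mapping is off), or a different attribute name is in use and the three `ldap_*_number` options need to point at it.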