On Wed, Mar 20, 2013 at 10:44:10AM +0100, Jakub Hrozek wrote:
>
> This really sounds like a bug. If you encounter a situation like this,
> where a group does not show all its members, feel free to open a bug.

I have been experiencing this for quite some time, but I'm struggling with how to give useful bug reports. Right now I tested an ssh login to one of my ipa servers and failed to log in:

    Mar 20 12:55:13 ipa1 sshd[16112]: pam_access(sshd:account): access denied for user `janfrode' from `login2.example.net'

Then I immediately try again, and can successfully log in. The reason for pam_access denying access is most likely that my groups aren't populated on the first try, but on the second it works.

I don't seem able to reproduce this issue by stopping/clearing/starting sssd, so I suspect it might be the connection between sssd and 389ds that has been broken by firewalls between them maybe. We have an evil firewall that breaks connections that have been idle for more than 30 minutes. Are there heartbeat or keepalive settings in IPA or 389ds that we should enable to keep connections alive?

>
> Bottom line, if you are seeing inconsistent results with ipa backend,
> please open a bug. This is something that would need fixing right away.

Don't know if I can call it inconsistent results with ipa backend, or just bad broken connection handling within sssd. Any hints for how I can provide better bug reports would be appreciated..

-jf