That was the point. The clients were not installed with IPA client install. I have 2000 clients and still working on a simple way to automate the client install with ansible or puppet. Currently just trying to get it working with simple sssd/ldap only auth.
~J

> On Mar 2, 2015, at 01:12, Jakub Hrozek <jhro...@redhat.com> wrote:
>
>> On Sat, Feb 28, 2015 at 11:07:20AM -0800, Janelle wrote:
>> Hello,
>>
>> I was wondering - I have searched around and seen a few questions and
>> solutions, but nothing I try is fixing my environment.
>>
>> Things have been working quite well with IPA 4.0.5, simple things with auth
>> and logins - some with full ipa-client-install configured, others just using
>> LDAP and that is where the strangeness comes from.
>>
>> with full IPA client integration, secondary groups work just fine, as do
>> base commands like "id" and "getent". However, the "ldap" users, never show
>> the secondary group for their uid?
>>
>> Any pointers you might suggest? I have tried the sssd.conf of
>> "ldap_group_member = uniqeMember" - no change.
>>
>> a simple secondary group is defined:
>>
>> dn: cn=web_users,cn=groups,cn=accounts,dc=example,dc=com
>> cn: web_users
>> objectClass: ipaobject
>> objectClass: extensibleobject
>> objectClass: top
>> objectClass: ipausergroup
>> objectClass: posixgroup
>> objectClass: groupofnames
>> objectClass: nestedgroup
>> memberUid: user1
>> memberUid: user2
>> memberUid: user3
>> memberUid: user4
>> memberUid: user5
>> member: uid=user1,cn=users,cn=accounts,dc=example,dc=com
>> member: uid=user2,cn=users,cn=accounts,dc=example,dc=com
>> member: uid=user3,cn=users,cn=accounts,dc=example,dc=com
>> member: uid=user4,cn=users,cn=accounts,dc=example,dc=com
>> member: uid=user5,cn=users,cn=accounts,dc=example,dc=com
>>
>> and yet with debug_level = 7 -- sssd still says:
>> [sdap_process_ghost_members] (0x0400): Group has 0 members
>
> Was the client installed with ipa-client-install? There I would suggest
> to just use the defaults and everything should work.
>
> Can you try again, this time with default configuration of
> id_provider=ipa ? You might need to clear the cache (rm
> /var/lib/sss/db/cache_*) if you were playing around with the schema.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project