Just in case somebody is still struggling with this... On Ubuntu 14.04 I had to set the enumerate option to true in sssd.conf to make this work.

On Fri, May 22, 2015 at 6:28 PM, Christoph Kaminski <christoph.kamin...@biotronik.com> wrote:

> freeipa-users-boun...@redhat.com wrote on 22.05.2015 09:37:04:
>
>> From: Nikola Kržalić <nik...@krzalic.com>
>> To: freeipa-users@redhat.com
>> Date: 22.05.2015 15:05
>> Subject: [Freeipa-users] FreeIPA groups not shown on client
>> Sent by: freeipa-users-boun...@redhat.com
>>
>> I have an Ubuntu system running IPA client. I am able to log in via ssh
>> using IPA users, but I do not get any group memberships or sudo rules.
>> Same configuration works on a different system (running CentOS).
>>
>> sssd domain log output shows that the groups are retrieved from server
>> successfully:
>>
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [admins] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [ipausers] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [editors] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [trust admins] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [devops_team] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [dev_team] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [sys_team] for user [nkrzalic]
>>
>> However, these groups are not shown on the user upon login:
>>
>> nkrzalic@ircsrv1:~$ id
>> uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic)
>>
>> I tried cleaning sssd cache but that didn't help.
>>
>> sssd conf is as follows:
>>
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>>
>> nsswitch.conf seems to be correct as well:
>>
>> # /etc/nsswitch.conf
>>
>> passwd: compat sss
>> group: compat sss
>> shadow: compat
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis sss
>> sudoers: files sss
>>
>> Interestingly after I do "getent group devops_team" this group shows up:
>>
>> nkrzalic@ircsrv1:~$ id
>> uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic),281200001(devops_team)
>> nkrzalic@ircsrv1:~$
>>
>> Any ideas?
>
> try to kill the cache with:
> (stop sssd) rm -rf /var/lib/sss/db/* (start sssd)
>
> we have often had the same problems here and only really killing the cache
> has fixed it (sss_cache -A hasn't helped)
>
> Greetz
> Christoph Kaminski

--
Regards,
Nikola Kržalić.
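
A small check for the setting mentioned in the top reply, as an added example that is not part of the original thread: it parses sssd.conf text and reports, for each domain listed under `[sssd]`, whether `enumerate` is enabled. The domain name `ipa.example.test` and its section are constructed, since the thread quotes only the `[sssd]` section.

```python
import configparser

# Constructed sample: the [sssd] section quoted in the thread plus a
# hypothetical domain section (the thread does not show one).
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
enumerate = true
"""


def check_enumerate(conf_text):
    """Return {domain: status} for every domain named in [sssd] domains.

    status is 'enabled', 'disabled' (explicitly false), 'unset' (option
    absent, so SSSD's default of false applies) or 'missing-section'.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("sssd"):
        raise ValueError("no [sssd] section")
    raw = cp.get("sssd", "domains", fallback="")
    domains = [d.strip() for d in raw.split(",") if d.strip()]
    result = {}
    for dom in domains:
        section = "domain/" + dom
        if not cp.has_section(section):
            result[dom] = "missing-section"
        elif not cp.has_option(section, "enumerate"):
            result[dom] = "unset"
        elif cp.getboolean(section, "enumerate"):
            result[dom] = "enabled"
        else:
            result[dom] = "disabled"
    return result


if __name__ == "__main__":
    for domain, status in check_enumerate(SAMPLE_CONF).items():
        print(f"{domain}: enumerate {status}")
```

With enumeration on, SSSD downloads every user and group in the domain, so on large directories expect extra load on the server and the client cache.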