On (04/08/15 07:11), Janelle wrote:
>I too have seen this same unique "bug". My guess is, you have compatibility
>mode enabled AND you used the GUI to manipulate the group memberships. I have
>found this to be buggy. Using CLI based commands did not have the same
>results. However, once the 2 trees - "cn=accounts" and "cn=compat" are no
>longer in sync, I have found the only way to fix this is with ldapmodify
>commands, since neither the GUI nor the command line tools believe the users
>are in the groups in question anymore.
>

It really sounds like a bug.
Did you try to call "id user" on the ipa server? I'm curious which uid/gid are returned from sssd.

If the uid/gid are correct, does it help to restart directory server (or ipa)?

LS