Hi all, Even more strange, logging in using SSH public/private keys the problem disappears and all groups are available! Strange.....?! RHEL 7.2 with IPA 4.2, sssd 1.13.0-40 last updated Friday December 11 RHEL 7.2 with sssd 1.13.0-40 as an IPA client RHEL 6.7 with sssd 1.12.4-47 as an IPA client Winny Op 15-12-15 om 09:59 schreef Sumit
Bose:
On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote:Using an EL7 client, lot's of times the IPA (posix) groups are missing, or partly missing. Doing some debugging, sssd_pac.log shows:(Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51509] is not in the PAC anymore, membership must be removed. (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51508] is not in the PAC anymore, membership must be removed. These sids are the groups I am missing. What is happening here???Originally the PAC was the only source for the group-membership data for users coming from AD. To be able to be a member of IPA groups the IPA KDC added SIDs of IPA groups the AD user is a member of. With EL7.1 SSSD is able to read group-membership data on its own if the IPA server is running on 7.1 or newer as well. If this is your case it looks like there is a disconnect between how the IPA KDC and SSSD determine the group memberships for the given user. To investigate this issue further it would be nice if you can share some details about your environment, especially which SSSD and IPA versions are used on the client and the server and how the external group membership is defined on the IPA server. bye, SumitKind regards, Winny |
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project