FWIW, we are seeing the issues that are described here:
https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html

I was about to write when I found this; it explains exactly what I am seeing - right down to the "impossible to reproduce because it's so (seemingly) random".

I am about to read up on the SSSD troubleshooting in order to up the logs etc., but here is some output I can share - note that this all happened in ~5 minutes. As you can see, clearing the cache has various unpredictable effects. Both users should return the same list of groups. This was performed on a FreeIPA client.

[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10004(bioinf-c...@unix.petermac.org.au)
10005(rcf-st...@unix.petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)
10011(facs-comp...@unix.petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10004(bioinf-c...@unix.petermac.org.au)
10005(rcf-st...@unix.petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)
10011(facs-comp...@unix.petermac.org.au)
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10011(facs-comp...@unix.petermac.org.au)
10004(bioinf-c...@unix.petermac.org.au)
10005(rcf-st...@unix.petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10004(bioinf-c...@unix.petermac.org.au)
10005(rcf-st...@unix.petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)
10011(facs-comp...@unix.petermac.org.au)
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10011(facs-comp...@unix.petermac.org.au)
10004(bioinf-c...@unix.petermac.org.au)
10005(rcf-st...@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10011(facs-comp...@unix.petermac.org.au)
10004(bioinf-c...@unix.petermac.org.au)
10005(rcf-st...@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd
[root@emts-facs ~]# rm -rf /var/lib/sss/db/*
[root@emts-facs ~]# systemctl start sssd
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper