On (14/07/16 11:26), Tomas Simecek wrote:
> Hi Lukas,
> we have Active Directory group "UnixAdmins".
> We have IPA external group ad_admins_external
> <https://svlxxipap.linuxdomain.cz/ipa/ui/#ad_admins_external>, which has
> Windows "UnixAdmins" group as a member.
> We have local IPA group grpunixadmins
> <https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>, which has
> ad_admins_external group as a member.
> So from that perspective user simecek.to...@sd-stc.cz is a member of
> grpunixadmins <https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>.
> That setup works for ssh logins and for sudo on Centos 7.0.
>

If a user is a member of a group in IPA, it does not mean that it's properly propagated to the client :-)
I can see a few errors in the log:

> (Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_update_members_ex] (0x0020): Could not add member [
> simecek.to...@sd-stc.cz] to group [name=simecek.to...@sd-stc.cz
> ,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> (Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> [ipa_s2n_save_objects] (0x2000): Updating memberships for
> simecek.to...@sd-stc.cz
> (Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_update_members_ex] (0x0020): Could not add member [
> simecek.to...@sd-stc.cz] to group [name=simecek.to...@sd-stc.cz
> ,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.

Please test with `id simecek.to...@sd-stc.cz`. I'm pretty sure that you will not see the group grpunixadmins.

BTW, according to the domain logs it looks like a bug with the extop plugin on the FreeIPA server.

I assume that the IPA server is on CentOS 7.0 because you mention it works on CentOS 7.0. I would strongly recommend upgrading the server to 7.2.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
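The diagnosis above rests on spotting the `sysdb_update_members_ex` "Could not add member" entries in the sssd domain log, so here is an added example (not from the thread and not SSSD's own code) that parses such log lines, re-joins entries a mail client wrapped, and lists which member/group pairs sssd skipped. The sample log is constructed and the user, group and domain names in it are placeholders, not values from the list post.

```python
import re
# Constructed sample modelled on the sssd domain log quoted in the thread; the
# user, group and domain names are placeholders, not values from the list post.
SAMPLE_LOG = """\
(Thu Jul 14 09:53:57 2016) [sssd[be[ipa.example.com]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:53:57 2016) [sssd[be[ipa.example.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Thu Jul 14 09:53:57 2016) [sssd[be[ipa.example.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [
jdoe@ad.example.com] to group [name=jdoe@ad.example.com,cn=groups,cn=ad.example.com,cn=sysdb]. Skipping.
(Thu Jul 14 09:53:57 2016) [sssd[be[ipa.example.com]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for jdoe@ad.example.com
(Thu Jul 14 09:53:58 2016) [sssd[be[ipa.example.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [jdoe@ad.example.com] to group [name=grpunixadmins,cn=groups,cn=ipa.example.com,cn=sysdb]. Skipping.
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<backend>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SKIP_RE = re.compile(
    r"Could not add member \[\s*(?P<member>[^\]]+?)\s*\] to group \[(?P<dn>[^\]]+)\]"
)

def unwrap(log_text):
    """Re-join entries a mail client wrapped: a continuation line has no timestamp."""
    entries = []
    for line in log_text.splitlines():
        if line.startswith("(") or not entries:
            entries.append(line)
        else:
            entries[-1] += line
    return entries

def parse_entry(entry):
    """Split one entry into timestamp, backend, function, debug level and message."""
    m = LINE_RE.match(entry)
    return m.groupdict() if m else None

def failed_memberships(log_text):
    """Return (member, group name, group's sysdb domain) for each membership sssd skipped."""
    failures = []
    for rec in filter(None, map(parse_entry, unwrap(log_text))):
        if rec["func"] != "sysdb_update_members_ex":
            continue
        m = SKIP_RE.search(rec["msg"])
        if not m:
            continue
        # sysdb DN layout: name=<group>,cn=groups,cn=<domain>,cn=sysdb
        rdns = [part.split("=", 1) for part in m.group("dn").split(",")]
        group, domain = rdns[0][1], (rdns[2][1] if len(rdns) > 2 else None)
        failures.append((m.group("member"), group, domain))
    return failures
```

Run it over `/var/log/sssd/sssd_<domain>.log` captured with a high `debug_level`; any pair it reports is a membership `id` will not show on that client, which is what the reply asks the reporter to check.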