On Tue, Mar 28, 2017 at 11:59:27AM -0500, Jason B. Nance wrote: > Hello, > > I'm using AD trusts with FreeIPA 4.4.0 and am having a heck of a time with > strange behavior. Some examples include: > > - Trust user's home directory sporadically getting set to '/' instead of > /home/domain/user > - Trust user losing HBAC privileges (granted via group membership) > - Trust user losing sudo privileges (granted via group membership) > - OS logging that trust user's account has expired when it hasn't > > I'm currently unable to predict/reproduce occurrences of these issues. I can > say that they aren't tied to a specific user or host. For example, a user > will login to a host without any issues and then later that same user's home > directory (as reported by getent) will suddenly be set to / instead of > /home/... > > My first step, of course, is to gather logs. Should I be focusing on the > SSSD on the client or on the IPA servers? I'm not entirely clear how/where > lots of this data get assigned/queried. > > My other question is if there is a way to pin down a client to [temporarily] > use a specific IPA server and specific AD server (even if it means a firewall > rule that only allows the host to communicate with one IPA and one AD host).
Normally time-correlated logs from both the server's domain and nss sections of sssd.conf and the client's domain section are a good start. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project