[Freeipa-users] AD group members

2015-12-14 Thread Winfried de Heiden
Using an EL7 client, lots of times the IPA (posix) groups are missing, or partly missing. Doing some debugging, sssd_pac.log shows: (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-297953600

Re: [Freeipa-users] AD group members

2015-12-15 Thread Sumit Bose
On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote: > Using an EL7 client, lots of times the IPA (posix) groups are missing, > or partly missing. Doing some debugging, sssd_pac.log shows: > > (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): > Group with SID

Re: [Freeipa-users] AD group members

2015-12-15 Thread Winfried de Heiden
Hi all, Even more strange, logging in using SSH public/private keys the problem disappears and all groups are available! Strange?! RHEL 7.2 with IPA 4.2, sssd 1.13.0-40 last updated Friday December 11 RHEL 7.2 with sssd 1.13.0

Re: [Freeipa-users] AD group members

2015-12-15 Thread Sumit Bose
On Tue, Dec 15, 2015 at 03:44:46PM +0100, Winfried de Heiden wrote: > Hi all, > > Even more strange, logging in using SSH public/private keys the problem > disappears and all groups are available! > > Strange?! This is expected, because if you use SSH keys no PAC is involved and hence the PAC

Re: [Freeipa-users] AD group members

2015-12-15 Thread Winfried de Heiden
Hi all, OK, using keys no PAC responder is used. No, with both sssd-1.12 and sssd-1.13, using password login secondary groups are missing. This particular user is a member of 3 POSIX groups (by using external groups). Only the first one (it seems the fi

Re: [Freeipa-users] AD group members

2015-12-15 Thread Winfried de Heiden
Hi, If PAC is not being used using key, how is group membership determined? Also: it feels like the Linux client is contacting AD to obtain a Kerberos ticket and not the IPA-server. (for AD users). Is that true? Winny Op 1

Re: [Freeipa-users] AD group members

2015-12-15 Thread Alexander Bokovoy
- Original Message - > Hi, > > If PAC is not being used using key, how is group membership determined? By asking the IPA master to give a list of groups the AD user belongs to. The complexity of this process makes it hard to have the full list of groups available in advance in all cases. MS-PAC recor

Re: [Freeipa-users] AD group members

2015-12-15 Thread Sumit Bose
On Tue, Dec 15, 2015 at 11:38:08AM -0500, Alexander Bokovoy wrote: > > > - Original Message - > > Hi, > > > > If PAC is not being used using key, how is group membership determined? > By asking the IPA master to give a list of groups the AD user belongs to. > The complexity of this process makes i

Re: [Freeipa-users] AD group members

2015-12-16 Thread Winfried de Heiden
Hi all, Adding AD-users to an IPA external group seems to be problematic. However, adding AD-groups (with AD-users as members) to IPA external groups seems to work well. Four groups were created and all are shown. Smells a bit like a bug, does'

Re: [Freeipa-users] AD group members

2015-12-16 Thread Sumit Bose
On Wed, Dec 16, 2015 at 09:46:37AM +0100, Winfried de Heiden wrote: > Hi all, > > Adding AD-users to an IPA external group seems to be problematic. However, > adding AD-groups (with AD-users as members) to IPA external groups seems to > work well. Four groups were created and all are shown. Than

Re: [Freeipa-users] AD group members

2015-12-16 Thread Winfried de Heiden
Hi all, I changed the group names so the alphabetical order changes, no effect. However, sorting the corresponding SIDs, the first SID belongs to the group always shown. Mmmm, only the first one is taken and the rest is thrown out...? Ch