On Thu, Aug 17, 2017 at 03:36:20PM +1000, Lachlan Musicman wrote:
> We use FreeIPA/SSSD to authenticate our RStudio Server, which we control
> via HBAC membership of an AD group.
> 
> Our users are having their sessions ended frequently - once a day or more -
> with the logged message
> 
> 17 Aug 2017 05:16:21 [rserver] WARNING User <user>@<domain> could not be
> authenticated because they do not belong to one of the required groups
> (rstudio); LOGGED FROM: bool rstudio::server::auth::validateUser(const
> std::string&, const std::string&, unsigned int, bool)
> /root/rstudio-pro/src/cpp/server/auth/ServerValidateUser.cpp:103
> 
> Most likely this is partially because RStudio server is overly aggressive,
> but I am also noticing that their log is telling the truth:
> 
> id <user>@<domain>
> 
> is not returning the full membership set of the user - in particular the
> user group overrides are not being registered. I.e., I can see that <user> is
> in the appropriate AD group, but the IPA group that overrides it isn't
> being reported.
> 
> And hence the user is getting booted.
> 
> So, two questions:
> 
> 1. Why is the group override not working, and how can I get it working or
> change our set up so that it does work?

Could you please describe how you set up the group membership with the
override so that we could set up a similar environment locally?

> 
> 2. If this is because users are being timed out of the sss db cache
> (/var/lib/sss/db/cache_<domain>.ldb ), how can I set the cache refresh to a
> much much longer period?

During login, the group membership should always be fetched again from
the server, so the cache should effectively be ignored, precisely because
we want the group membership to be very precise during login. The only
additional cache might be the sssd cache for the AD domain data, because
the identity data of the AD users is fetched from the IPA server.

But unless your group memberships or overrides are changing a lot, this
shouldn't be an issue.
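One way to turn the diagnosis above into a repeatable check, as an added example that is not part of the thread: resolve the user through NSS the same way `id` does, test whether the group the RStudio log names (`rstudio`) is among the returned groups, and when it is not, invalidate that user's SSSD cache entry with `sss_cache -u` so the next lookup goes back to the server. The `id` line is parsed on commas rather than spaces so AD group names such as "domain users" survive. The sample `id` line, the user name and the domain are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a user, as resolved by
# SSSD through NSS, carries the group that RStudio Server requires, and
# invalidate that user's SSSD cache entry when it does not.
# Assumptions: the required group is "rstudio" (taken from the log line in
# the thread); sss_cache(8) is installed with SSSD.

REQUIRED_GROUP="${REQUIRED_GROUP:-rstudio}"

# Constructed sample of an `id` line for an AD user seen through an IPA trust
# (the trailing SELinux "context=" field appears on SELinux-enabled hosts).
SAMPLE_ID_LINE='uid=1001(alice@ad.example.com) gid=1001(alice@ad.example.com) groups=1001(alice@ad.example.com),2001(domain users@ad.example.com),3001(rstudio) context=unconfined_u:unconfined_r:unconfined_t:s0'

# group_names ID_LINE: print one group name per line from an `id`-format line.
# Splits on commas, not spaces, so names like "domain users" stay intact.
group_names() {
    printf '%s\n' "$1" \
        | sed -e 's/ context=.*$//' -e 's/.*groups=//' \
        | tr ',' '\n' \
        | sed -e 's/^[0-9]*(//' -e 's/)$//'
}

# has_group ID_LINE NAME: return 0 if NAME is among the groups, 1 otherwise.
has_group() {
    group_names "$1" | grep -qxF -- "$2"
}

# check_user USER: 0 if USER resolves with REQUIRED_GROUP, 1 if it resolves
# without it, 2 if USER cannot be resolved at all.
check_user() {
    line=$(id "$1" 2>/dev/null) || return 2
    has_group "$line" "$REQUIRED_GROUP"
}

# refresh_user USER: drop USER's cached entry so the next lookup is served
# from the IPA server rather than /var/lib/sss/db.
refresh_user() {
    sss_cache -u "$1"
}

main() {
    user="${1:?usage: $0 user@domain}"
    check_user "$user"
    case $? in
        0) echo "$user: has $REQUIRED_GROUP" ;;
        1) echo "$user: missing $REQUIRED_GROUP, invalidating SSSD cache entry"
           refresh_user "$user"
           if check_user "$user"; then
               echo "$user: has $REQUIRED_GROUP after refresh"
           else
               echo "$user: still missing $REQUIRED_GROUP; check the override on the server"
           fi ;;
        2) echo "$user: not resolvable through NSS" ;;
    esac
}

# Run main only when executed as this script, not when sourced.
if [ "${0##*/}" = "check_rstudio_group.sh" ]; then
    main "$@"
fi
```

Run it as `./check_rstudio_group.sh alice@ad.example.com` (a constructed name) from the RStudio host; a user who is fine after the refresh but not before points at stale cache data, while a user who is still missing the group after the refresh points at the override itself on the IPA side. For the second question in the thread, the lifetime of cached entries is governed by `entry_cache_timeout` (and the more specific `entry_cache_group_timeout`) in the `[domain/...]` section of sssd.conf, which is where a longer period would be set, keeping in mind the reply's point that login-time membership checks go to the server regardless.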
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org