On 18 August 2017 at 17:33, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Thu, Aug 17, 2017 at 03:36:20PM +1000, Lachlan Musicman wrote:
> > We use FreeIPA/SSSD to authenticate our RStudio Server, which we control
> > via HBAC membership of an AD group.
> ...
> > 1. Why is the group override not working and how can I get it working or
> > change our set up so that it does work
>
> Could you please describe how you set up the group membership with the
> override so that we could set up a similar environment locally?
>


Users that are allowed to use the system belong to an AD group called
bioinf_rstudio

In IPA (Centos 7.3, IPA v 4.4.0.14.el7 API: 2.213) there is

 - an external group called ad_rstudio, with an external member,
bioinf_rstudio@<ad-domain>
 - a posix group called rstudio that has the external group ad_rstudio as a
user group member
 - it has a single HBAC rule associated, called rstudio_access

 - rstudio_access allows users in the (posix) rstudio group access to the
single server rstudio@<unix-domain> with the services login, rstudio and
sshd.

The rstudio service has nothing else going on - it's just a label.

On the rstudio@<unix-domain> server we have a single file called
/etc/pam.d/rstudio which contains

#%PAM-1.0
auth      required       pam_sss.so

account   required       pam_sss.so


> > 2. If this is because users are being timed out of the sss db cache
> > (/var/lib/sss/db/cache_<domain>.ldb ), how can I set the cache refresh
> > to a much much longer period?
>
> During login, the group membership should always be fetched again from
> the server, so the cache should effectively be ignored, precisely because
> we want the group membership to be very precise during login. The only
> additional cache might be the sssd cache for the AD domain data, because
> the identity data of the AD users are fetched from the IPA server.
>
> But unless your group memberships or overrides are changing a lot, this
> shouldn't be an issue.
>


Hmmm. Weird. We are still seeing the "AD group not reflected in cache"
problem and are not seeing evidence of SSSD updating from the IPA server on
request (via login from another machine, via the id command).

We have debug_level = 7 in [pam] and [domain/loremipsum]; I have now added
it to [sssd] and [ssh] and will restart.

Is there anything I should be looking out for?

We are using sssd 1.15.3 from COPR for Centos 7.3

cheers
L.

------
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics
is the insistence that we cannot ignore the truth, nor should we panic
about it. It is a shared consciousness that our institutions have failed
and our ecosystem is collapsing, yet we are still here — and we are
creative agents who can shape our destinies. Apocalyptic civics is the
conviction that the only way out is through, and the only way through is
together. "

*Greg Bloom* @greggish
https://twitter.com/greggish/status/873177525903609857
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

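The group chain described in the message (AD group -> IPA external group -> IPA POSIX group -> HBAC rule) and the "membership not reflected in cache" symptom, modelled as an added example. This is not FreeIPA or SSSD code: it flattens nested membership the way the HBAC check has to, and uses a simple memoising cache as a stand-in for the sssd identity cache Jakub mentions (the AD-domain data that is fetched through the IPA server). The domain names ad.example.com and ipa.example.com, the host rstudio.ipa.example.com and the users alice and bob are constructed placeholders for the redacted values in the thread.

```python
from collections import defaultdict

# Constructed stand-ins for the names redacted in the thread (assumptions).
AD_DOMAIN = "ad.example.com"
IPA_DOMAIN = "ipa.example.com"
RSTUDIO_HOST = f"rstudio.{IPA_DOMAIN}"


class Directory:
    """Group graph as IPA (plus the trusted AD forest) would answer it.

    groups maps a group name to its direct members; a member may itself be
    a group, which is how an AD group reaches a POSIX group through an IPA
    external group."""

    def __init__(self, groups):
        self.groups = {g: set(m) for g, m in groups.items()}

    def add_member(self, group, member):
        self.groups.setdefault(group, set()).add(member)

    def groups_of(self, member):
        """All groups `member` belongs to, directly or through nesting."""
        parents = defaultdict(set)
        for g, members in self.groups.items():
            for m in members:
                parents[m].add(g)
        seen, todo = set(), [member]
        while todo:
            cur = todo.pop()
            for g in parents.get(cur, ()):
                if g not in seen:
                    seen.add(g)
                    todo.append(g)
        return frozenset(seen)


class MembershipCache:
    """Memoises groups_of(), like the sssd identity cache: a user's group
    list looked up once is reused until the entry is flushed."""

    def __init__(self, directory):
        self.directory = directory
        self._entries = {}

    def groups_of(self, user):
        if user not in self._entries:
            self._entries[user] = self.directory.groups_of(user)
        return self._entries[user]

    def expire(self, user=None):
        """Flush one user (cf. sss_cache -u USER) or everything (sss_cache -E)."""
        if user is None:
            self._entries.clear()
        else:
            self._entries.pop(user, None)


class HbacRule:
    def __init__(self, name, user_groups, hosts, services):
        self.name, self.user_groups = name, set(user_groups)
        self.hosts, self.services = set(hosts), set(services)

    def matches(self, user_groups, host, service):
        return (bool(self.user_groups & user_groups)
                and host in self.hosts and service in self.services)


def hbac_allowed(cache, rules, user, host, service):
    """(allowed, rule_name): HBAC is allow-only, so any matching rule grants."""
    user_groups = cache.groups_of(user)
    for rule in rules:
        if rule.matches(user_groups, host, service):
            return True, rule.name
    return False, None


def build_thread_setup():
    """The objects from the message, with a constructed AD user alice."""
    ad_group = f"bioinf_rstudio@{AD_DOMAIN}"
    directory = Directory({
        ad_group: {f"alice@{AD_DOMAIN}"},   # AD group, resolved via the trust
        "ad_rstudio": {ad_group},           # IPA external (non-POSIX) group
        "rstudio": {"ad_rstudio"},          # IPA POSIX group named in the rule
    })
    rules = [HbacRule("rstudio_access", {"rstudio"}, {RSTUDIO_HOST},
                      {"login", "rstudio", "sshd"})]
    return directory, rules


def demo_stale_cache():
    """Reproduce the symptom: a membership added in AD is not seen until the
    cached entry is flushed. Returns the three decisions in order."""
    directory, rules = build_thread_setup()
    cache = MembershipCache(directory)
    bob = f"bob@{AD_DOMAIN}"
    before = hbac_allowed(cache, rules, bob, RSTUDIO_HOST, "rstudio")  # denied, cached
    directory.add_member(f"bioinf_rstudio@{AD_DOMAIN}", bob)           # AD admin adds bob
    stale = hbac_allowed(cache, rules, bob, RSTUDIO_HOST, "rstudio")   # still denied
    cache.expire(bob)                                                    # flush bob's entry
    after = hbac_allowed(cache, rules, bob, RSTUDIO_HOST, "rstudio")   # now allowed
    return before, stale, after


if __name__ == "__main__":
    d, r = build_thread_setup()
    print(hbac_allowed(MembershipCache(d), r, f"alice@{AD_DOMAIN}", RSTUDIO_HOST, "rstudio"))
    print(demo_stale_cache())
```

On a real deployment the equivalent of `hbac_allowed` is `ipa hbactest --user USER --host HOST --service rstudio` run against the IPA server, which evaluates the rule with fresh data; if that allows the user but the client still denies, flushing the client cache with `sss_cache -E` (or `sss_cache -u USER`) before retrying separates a stale sssd entry from a rule or group-chain problem.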