On Mon, Aug 21, 2017 at 10:24:50AM +1000, Lachlan Musicman wrote:
> On 18 August 2017 at 17:33, Jakub Hrozek <jhro...@redhat.com> wrote:
>
> > On Thu, Aug 17, 2017 at 03:36:20PM +1000, Lachlan Musicman wrote:
> > > We use FreeIPA/SSSD to authenticate our RStudio Server, which we control
> > > via HBAC membership of an AD group.
> > ...
> > > 1. Why is the group override not working and how can I get it working or
> > > change our set up so that it does work
> >
> > Could you please describe how you set up the group membership with the
> > override so that we could set up a similar environment locally?
> >
>
> Users that are allowed to use the system belong to an AD group called
> bioinf_rstudio.
>
> In IPA (CentOS 7.3, IPA v 4.4.0.14.el7 API: 2.213) there is
>
> - an external group called ad_rstudio, with an external member,
>   bioinf_rstudio@<ad-domain>
> - a posix group called rstudio that has the external group ad_rstudio as a
>   user group member
> - it has a single HBAC rule associated, called rstudio_access
>
> - rstudio_access allows users in the (posix) rstudio group access to the
>   single server rstudio@<unix-domain> with the services login, rstudio and
>   sshd.
>
> The rstudio service has nothing else going on - it's just a label.
>
> On the rstudio@<unix-domain> server we have a single file called
> /etc/pam.d/rstudio which contains
>
>     #%PAM-1.0
>     auth    required pam_sss.so
>     account required pam_sss.so
>
> > > 2. If this is because users are being timed out of the sss db cache
> > > (/var/lib/sss/db/cache_<domain>.ldb ), how can I set the cache refresh to a
> > > much much longer period?
> >
> > During login, the group membership should always be fetched again from
> > the server, so the cache should effectively be ignored, precisely so that
> > we want the group membership to be very precise during login. The only
> > additional cache might be the sssd cache for the AD domain data, because
> > the identity data of the AD users are fetched from the IPA server.
> >
> > But unless your group memberships or overrides are changing a lot, this
> > shouldn't be an issue.
> >
>
> Hmmm. Weird. We are still seeing the "AD group not reflected in cache"
> problem and are not seeing evidence of SSSD updating from the IPA server on
> request (via login from other machine, via id command).
>
> We have debug_level = 7 in [pam] and [domain/loremipsum], I have now added
> it to [sssd] and [ssh] and will restart.
>
> Is there anything I should be looking out for?

The only other thing I can think of is the group scope. Please make sure the
group is not domain-local, other scopes will do.
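As an added example (editor's code, not from either poster), here is the group chain and HBAC rule described in the thread expressed as ipa CLI commands, plus the two checks a practitioner would run before blaming the cache: `ipa hbactest` on the server side and `sss_cache -E` on the client. The AD domain and IPA host names are placeholders, and a Kerberos ticket for an IPA admin is assumed.

```shell
#!/bin/sh
# Reproduce: AD group -> IPA external group -> IPA POSIX group -> HBAC rule.
# Placeholder names (assumptions, not values from the thread):
AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"
IPA_HOST="${IPA_HOST:-rstudio.unix.example.com}"

# Execute the command, or just print it when DRY_RUN is set (review before applying).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_rstudio_hbac() {
    # Non-POSIX external group that can hold an AD (SID-backed) member.
    run ipa group-add ad_rstudio --external --desc "AD bioinf_rstudio users" &&
    run ipa group-add-member ad_rstudio --external "bioinf_rstudio@$AD_DOMAIN" &&
    # POSIX group that HBAC rules can reference; the external group is nested into it.
    run ipa group-add rstudio --desc "RStudio Server users" &&
    run ipa group-add-member rstudio --groups ad_rstudio &&
    # Custom HBAC service label (login and sshd exist by default).
    run ipa hbacsvc-add rstudio --desc "RStudio Server PAM service" &&
    # Rule: rstudio members may use login/rstudio/sshd on the single host.
    run ipa hbacrule-add rstudio_access &&
    run ipa hbacrule-add-user rstudio_access --groups rstudio &&
    run ipa hbacrule-add-host rstudio_access --hosts "$IPA_HOST" &&
    run ipa hbacrule-add-service rstudio_access --hbacsvcs login --hbacsvcs rstudio --hbacsvcs sshd
}

# Server-side evaluation of the rule for one user; it does not consult the
# client's sssd cache, so a mismatch with a real login points at the client
# cache or at the AD group's scope (domain-local groups are not resolved).
check_rstudio_access() {
    run ipa hbactest --user "$1" --host "$IPA_HOST" --service sshd --rules rstudio_access
}

# Client-side: invalidate all cached entries so the next lookup refetches from IPA.
flush_client_cache() {
    run sss_cache -E
}
```

Run `DRY_RUN=1 sh -c '. ./setup.sh; setup_rstudio_hbac'` first to see the exact commands, then without DRY_RUN to apply them.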