[Freeipa-users] IPA clients doesn't see all user's group

Vitaly linux at karasik.org
Wed Jul 31 12:27:41 UTC 2013


Jakub, many thanks!

>Interesting, can you run ipa user-show --all --raw myuser and check if
>all three groups are visible as values of the "memberof" attribute? I
>suspect they will..
Yes, all 3 groups are visible

>If they do, can you then put debug_level=7 to the [domain] section of
>sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd

As far as I can see, for the problematic group3:

........
(Wed Jul 31 12:10:39 2013) [sssd[be[example.com]]]
[sdap_initgr_nested_search] (2): Search for group
cn=group3,cn=groups,cn=accounts,
,dc=example,dc=com, returned 0 results. Skipping
.......

So I tried "getent group group2/3" on my IPA client - there is an
answer for group2, but not for group3. Interesting...
On the IPA server, "ipa group-show group2/3" shows similar output for both
groups, including members.

Jakub, if you agree, I'll send the log to your email; I prefer not to
post it to the list.

On Wed, Jul 31, 2013 at 2:57 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> On Wed, Jul 31, 2013 at 02:29:13PM +0300, Vitaly wrote:
>> >What exact SSSD version is this?
>> 1.5.1-58.el5 and 1.5.1-66.el6_2.3
>
> The .el5 version looks OK to me, but you should really upgrade from
> 6.2..
>
>>
>> >Was user added to group3 recently so that the cache might have stale records?
>> Originally it was "old" group; after that I added some new group - the
>> same problem.
>> I restarted sssd with removing its cache - didn't help.
>>
>
> Ah, OK, thank you for verifying this.
>
>> >Do you see the same problem on both RHEL5 and RHEL6 clients?
>> yes
>>
>
> Interesting, can you run ipa user-show --all --raw myuser and check if
> all three groups are visible as values of the "memberof" attribute? I
> suspect they will..
>
> If they do, can you then put debug_level=7 to the [domain] section of
> sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd
> ?
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
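
The comparison this message carries out by hand (server-side "memberof" values against groups the client's initgroups search skipped) can be scripted. The following is an added example, not code from the thread or from the SSSD/FreeIPA projects; the sample inputs are constructed after the formats shown above, and all function names are hypothetical.

```python
import re

# Constructed sample in the "attribute: value" style of `ipa user-show --all --raw`.
SAMPLE_USER_RAW = """\
  dn: uid=myuser,cn=users,cn=accounts,dc=example,dc=com
  uid: myuser
  memberof: cn=group1,cn=groups,cn=accounts,dc=example,dc=com
  memberof: cn=group2,cn=groups,cn=accounts,dc=example,dc=com
  memberof: cn=group3,cn=groups,cn=accounts,dc=example,dc=com
"""

# Constructed sample: domain log lines modelled on the excerpt in the message
# (the same skip is logged twice to show de-duplication).
SAMPLE_SSSD_LOG = """\
(Wed Jul 31 12:10:39 2013) [sssd[be[example.com]]] [sdap_initgr_nested_search] (2): Search for group cn=group3,cn=groups,cn=accounts,dc=example,dc=com, returned 0 results. Skipping
(Wed Jul 31 12:10:41 2013) [sssd[be[example.com]]] [sdap_initgr_nested_search] (2): Search for group cn=Group3,cn=groups,cn=accounts,dc=example,dc=com, returned 0 results. Skipping
"""

SKIP_RE = re.compile(
    r"\[sdap_initgr_nested_search\].*?Search for group\s+(?P<dn>.+?),\s*returned 0 results")

def normalize_dn(dn):
    # Lower-case and drop empty RDNs; escaped commas in RDN values are not handled.
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())

def memberof_dns(user_raw):
    """Group DNs the server reports for the user."""
    dns = set()
    for line in user_raw.splitlines():
        key, _, value = line.strip().partition(":")
        if key.strip().lower() == "memberof" and value.strip():
            dns.add(normalize_dn(value))
    return dns

def skipped_group_dns(log_text):
    """Group DNs whose nested-group lookup returned nothing on the client."""
    return {normalize_dn(m.group("dn")) for m in SKIP_RE.finditer(log_text)}

def dropped_memberships(user_raw, log_text):
    """Memberships present on the server but skipped by the client."""
    return sorted(memberof_dns(user_raw) & skipped_group_dns(log_text))

if __name__ == "__main__":
    for dn in dropped_memberships(SAMPLE_USER_RAW, SAMPLE_SSSD_LOG):
        print("server lists it, client skipped it:", dn)
```

Any DN it reports is a group whose access rules will not apply to the user on that client, which is worth checking before relying on group-based authorization there.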