<div dir="ltr"><div><div><div><div>FWIW,<br><br>We are seeing the issues that are described here:<br><br><a href="https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html">https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html</a><br><br></div>I was about to write when I found this; it explains exactly what I am seeing - right down to the "impossible to reproduce because it's so (seemingly) random".<br><br><br></div>I am about to read up on the SSSD troubleshooting in order to up the logs etc., but here is some output I can share - note that this all happened in ~5 minutes. As you can see, clearing the cache has various unpredictable effects. Both users should return the same list of groups. This was performed on a FreeIPA client.<br><br>[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10<br>1750673801(external - exchange 2010 <a href="mailto:users@petermac.org.au">users@petermac.org.au</a>)<br>10004(<a href="mailto:bioinf-core@unix.petermac.org.au">bioinf-core@unix.petermac.org.au</a>)<br>10005(<a href="mailto:rcf-staff@unix.petermac.org.au">rcf-staff@unix.petermac.org.au</a>)<br>10007(<a href="mailto:cluster-user@unix.petermac.org.au">cluster-user@unix.petermac.org.au</a>)<br>10011(<a href="mailto:facs-compute@unix.petermac.org.au">facs-compute@unix.petermac.org.au</a>)<br>[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10<br>1750673801(external - exchange 2010 <a href="mailto:users@petermac.org.au">users@petermac.org.au</a>)<br>[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10<br>1750673801(external - exchange 2010 <a href="mailto:users@petermac.org.au">users@petermac.org.au</a>)<br>10007(<a href="mailto:cluster-user@unix.petermac.org.au">cluster-user@unix.petermac.org.au</a>)<br>[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd<br>[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10<br>1750673801(external - exchange 2010 <a 
href="mailto:users@petermac.org.au">users@petermac.org.au</a>)<br>10004(<a href="mailto:bioinf-core@unix.petermac.org.au">bioinf-core@unix.petermac.org.au</a>)<br>10005(<a href="mailto:rcf-staff@unix.petermac.org.au">rcf-staff@unix.petermac.org.au</a>)<br>10007(<a href="mailto:cluster-user@unix.petermac.org.au">cluster-user@unix.petermac.org.au</a>)<br>10011(<a href="mailto:facs-compute@unix.petermac.org.au">facs-compute@unix.petermac.org.au</a>)<br>[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10<br>1750673801(external - exchange 2010 <a href="mailto:users@petermac.org.au">users@petermac.org.au</a>)<br>10011(<a href="mailto:facs-compute@unix.petermac.org.au">facs-compute@unix.petermac.org.au</a>)<br>10004(<a href="mailto:bioinf-core@unix.petermac.org.au">bioinf-core@unix.petermac.org.au</a>)<br>10005(<a href="mailto:rcf-staff@unix.petermac.org.au">rcf-staff@unix.petermac.org.au</a>)<br>[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10<br>1750673801(external - exchange 2010 <a href="mailto:users@petermac.org.au">users@petermac.org.au</a>)<br>10004(<a href="mailto:bioinf-core@unix.petermac.org.au">bioinf-core@unix.petermac.org.au</a>)<br>10005(<a href="mailto:rcf-staff@unix.petermac.org.au">rcf-staff@unix.petermac.org.au</a>)<br>10007(<a href="mailto:cluster-user@unix.petermac.org.au">cluster-user@unix.petermac.org.au</a>)<br>10011(<a href="mailto:facs-compute@unix.petermac.org.au">facs-compute@unix.petermac.org.au</a>)<br>[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10<br>1750673801(external - exchange 2010 <a href="mailto:users@petermac.org.au">users@petermac.org.au</a>)<br>10011(<a href="mailto:facs-compute@unix.petermac.org.au">facs-compute@unix.petermac.org.au</a>)<br>10004(<a href="mailto:bioinf-core@unix.petermac.org.au">bioinf-core@unix.petermac.org.au</a>)<br>10005(<a href="mailto:rcf-staff@unix.petermac.org.au">rcf-staff@unix.petermac.org.au</a>)<br>[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl 
start sssd<br>[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10<br>1750673801(external - exchange 2010 <a href="mailto:users@petermac.org.au">users@petermac.org.au</a>)<br>10011(<a href="mailto:facs-compute@unix.petermac.org.au">facs-compute@unix.petermac.org.au</a>)<br>10004(<a href="mailto:bioinf-core@unix.petermac.org.au">bioinf-core@unix.petermac.org.au</a>)<br>10005(<a href="mailto:rcf-staff@unix.petermac.org.au">rcf-staff@unix.petermac.org.au</a>)<br>[root@emts-facs ~]# systemctl stop sssd<br>[root@emts-facs ~]# rm -rf /var/lib/sss/db/*<br>[root@emts-facs ~]# systemctl start sssd<br>[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10<br>1750673801(external - exchange 2010 <a href="mailto:users@petermac.org.au">users@petermac.org.au</a>)<br>10007(<a href="mailto:cluster-user@unix.petermac.org.au">cluster-user@unix.petermac.org.au</a>)<br>[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10<br>1750673801(external - exchange 2010 <a href="mailto:users@petermac.org.au">users@petermac.org.au</a>)<br>10007(<a href="mailto:cluster-user@unix.petermac.org.au">cluster-user@unix.petermac.org.au</a>)<br>[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd<br>[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10<br>1750673801(external - exchange 2010 <a href="mailto:users@petermac.org.au">users@petermac.org.au</a>)<br>[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10<br>1750673801(external - exchange 2010 <a href="mailto:users@petermac.org.au">users@petermac.org.au</a>)<br>10007(<a href="mailto:cluster-user@unix.petermac.org.au">cluster-user@unix.petermac.org.au</a>)<br><br><br><br></div>Cheers<br></div>L.<br><div><div><br><div><br><div><br><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div>------<br>The most dangerous phrase in the language is, "We've always done it this way."<br><br>- Grace Hopper<br></div></div></div></div>
</div></div></div></div></div>
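<div>Added example, not part of the original message: a small shell check that parses captured <code>id</code> output and lists which groups a later lookup lost relative to a known-good baseline, which makes the drift shown in the session above easy to log over time. The function names and all sample <code>id</code> lines are constructed for illustration.</div>

```shell
#!/bin/sh
# Added example. All sample `id` lines below are constructed.

# Print the "gid(name)" entries of the groups= field, one per line, sorted.
# Group names can contain spaces and '@', so match up to the closing
# parenthesis instead of splitting on whitespace or commas.
id_groups() {
    printf '%s\n' "$1" |
        sed -n 's/^.*groups=//p' |
        grep -oE '[0-9]+\([^)]*\)' |
        sort -u
}

# Print entries that the baseline line has and the observed line lacks.
missing_groups() {
    observed=$(id_groups "$2")
    id_groups "$1" | while IFS= read -r entry; do
        printf '%s\n' "$observed" | grep -Fxq -- "$entry" ||
            printf '%s\n' "$entry"
    done
}

# Compare each later run with the baseline; return 1 if any run lost groups.
report_runs() {
    baseline=$1; shift
    rc=0; n=0
    for run in "$@"; do
        n=$((n + 1))
        lost=$(missing_groups "$baseline" "$run")
        if [ -n "$lost" ]; then
            rc=1
            printf 'run %d is missing:\n%s\n' "$n" "$lost"
        fi
    done
    return "$rc"
}

# Constructed sample data: one complete lookup and two degraded ones.
BASELINE='uid=1001(alice) gid=1001(alice) groups=1001(alice),1750600001(external - mail users@example.test),10004(core@unix.example.test),10007(cluster-user@unix.example.test)'
RUN_A='uid=1001(alice) gid=1001(alice) groups=1001(alice),1750600001(external - mail users@example.test),10007(cluster-user@unix.example.test)'
RUN_B='uid=1001(alice) gid=1001(alice) groups=1001(alice),1750600001(external - mail users@example.test)'

report_runs "$BASELINE" "$BASELINE" "$RUN_A" "$RUN_B" ||
    echo "group resolution is inconsistent across runs"
```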