[Freeipa-users] Users not inheriting groups

Jakub Hrozek jhrozek at redhat.com
Mon Aug 4 07:18:11 UTC 2014


On Fri, Aug 01, 2014 at 10:58:14AM -0700, William Graboyes wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Thanks for your help,
> 
> The group memberships are propagated properly on the server side:
> 
>   dn: uid=user,cn=users,cn=accounts,dc=cenic,dc=org
>   uid: user
>   givenname: userfn
>   sn: userln
>   cn: userfn userln
>   displayname: userfn userln
>   initials: uu
>   homedirectory: /home/user
>   gecos: userfn userln
>   loginshell: /bin/bash
>   krbprincipalname: user at ORG.ORG
>   mail: user at cenic.org
>   uidnumber: 1080
>   gidnumber: 1080
>   nsaccountlock: False
>   has_password: True
>   has_keytab: True
>   ipauniqueid: 2d01b68e-fb38-11e3-9d0d-525400e99b50
>   krbextradata: AALodNFTc3JpYXpAQ0VOSUMuT1JHAA==
>   krblastfailedauth: 20140731220341Z
>   krblastpwdchange: 20140724210440Z
>   krblastsuccessfulauth: 20140731223953Z
>   krbloginfailedcount: 0
>   krbpasswordexpiration: 20141022210440Z
>   krbpwdpolicyreference:
> cn=global_policy,cn=ORG.ORG,cn=kerberos,dc=org,dc=org
>   memberof: cn=ipausers,cn=groups,cn=accounts,dc=org,dc=org
>   memberof: cn=games,cn=groups,cn=accounts,dc=org,dc=org
>   memberof: cn=engineering_core_engineers,cn=groups,cn=accounts,dc=org,dc=org
>   memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=org,dc=org
>   memberofindirect: ipauniqueid=696df694-e690-11e3-8fc8-525400e99b50,cn=sudorules,cn=sudo,dc=org,dc=org
>   memberofindirect: ipauniqueid=a3eb8884-ecdc-11e3-a0df-525400e99b50,cn=ng,cn=alt,dc=org,dc=org
>   memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org
>   memberofindirect: cn=engineering_core,cn=groups,cn=accounts,dc=org,dc=org
>   memberofindirect: cn=engineering,cn=groups,cn=accounts,dc=org,dc=org
>   memberofindirect: cn=staff,cn=groups,cn=accounts,dc=org,dc=org
>   mepmanagedentry: cn=sriaz,cn=groups,cn=accounts,dc=org,dc=org
>   objectclass: top
>   objectclass: person
>   objectclass: organizationalperson
>   objectclass: inetorgperson
>   objectclass: inetuser
>   objectclass: posixaccount
>   objectclass: krbprincipalaux
>   objectclass: krbticketpolicyaux
>   objectclass: ipaobject
>   objectclass: ipasshuser
>   objectclass: ipaSshGroupOfPubKeys
>   objectclass: mepOriginEntry
> 
> This has been scrubbed, the group that is not being seen on the client
> side is the rancid group, which is showing up here.

OK, then we know we're looking at a client side problem.

Can you:
    1) service sssd stop
    2) edit /etc/sssd/sssd.conf and put debug_level=7 into both [nss]
    and [domain] sections
    3) service sssd start
    4) sss_cache -UG
    5) id -G $username

Then attach the logs found at /var/log/sssd/sssd_$domain.log

If you feel the logs are too sensitive for a mailing list, you can
send them directly to me and CC: pbrezina -at- redhat -dot- com
