[Freeipa-users] Users not inheriting groups
Jakub Hrozek
jhrozek at redhat.com
Mon Aug 4 07:18:11 UTC 2014
On Fri, Aug 01, 2014 at 10:58:14AM -0700, William Graboyes wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Thanks for your help,
>
> The group memberships are propagated properly on the server side:
>
> dn: uid=user,cn=users,cn=accounts,dc=cenic,dc=org
> uid: user
> givenname: userfn
> sn: userln
> cn: userfn userln
> displayname: userfn userln
> initials: uu
> homedirectory: /home/user
> gecos: userfn userln
> loginshell: /bin/bash
> krbprincipalname: user at ORG.ORG
> mail: user at cenic.org
> uidnumber: 1080
> gidnumber: 1080
> nsaccountlock: False
> has_password: True
> has_keytab: True
> ipauniqueid: 2d01b68e-fb38-11e3-9d0d-525400e99b50
> krbextradata: AALodNFTc3JpYXpAQ0VOSUMuT1JHAA==
> krblastfailedauth: 20140731220341Z
> krblastpwdchange: 20140724210440Z
> krblastsuccessfulauth: 20140731223953Z
> krbloginfailedcount: 0
> krbpasswordexpiration: 20141022210440Z
> krbpwdpolicyreference:
> cn=global_policy,cn=ORG.ORG,cn=kerberos,dc=org,dc=org
> memberof: cn=ipausers,cn=groups,cn=accounts,dc=org,dc=org
> memberof: cn=games,cn=groups,cn=accounts,dc=org,dc=org
> memberof:
> cn=engineering_core_engineers,cn=groups,cn=accounts,dc=org,dc=org
> memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=org,dc=org
> memberofindirect:
> ipauniqueid=696df694-e690-11e3-8fc8-525400e99b50,cn=sudorules,cn=sudo,dc=org,dc=org
> memberofindirect:
> ipauniqueid=a3eb8884-ecdc-11e3-a0df-525400e99b50,cn=ng,cn=alt,dc=org,dc=org
> memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org
> memberofindirect:
> cn=engineering_core,cn=groups,cn=accounts,dc=org,dc=org
> memberofindirect: cn=engineering,cn=groups,cn=accounts,dc=org,dc=org
> memberofindirect: cn=staff,cn=groups,cn=accounts,dc=org,dc=org
> mepmanagedentry: cn=sriaz,cn=groups,cn=accounts,dc=org,dc=org
> objectclass: top
> objectclass: person
> objectclass: organizationalperson
> objectclass: inetorgperson
> objectclass: inetuser
> objectclass: posixaccount
> objectclass: krbprincipalaux
> objectclass: krbticketpolicyaux
> objectclass: ipaobject
> objectclass: ipasshuser
> objectclass: ipaSshGroupOfPubKeys
> objectclass: mepOriginEntry
>
> This has been scrubbed, the group that is not being seen on the client
> side is the rancid group, which is showing up here.

OK, then we know we're looking at a client side problem.

Can you:
    1) service sssd stop
    2) edit /etc/sssd/sssd.conf and put debug_level=7 into both [nss] and [domain] sections
    3) service sssd start
    4) sss_cache -UG
    5) id -G $username

Then attach the logs found at /var/log/sssd/sssd_$domain.log

If you feel the logs are too sensitive for a mailing list, you can
send them directly to me and CC: pbrezina -at- redhat -dot- com
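
Added example, not part of the original message or of the FreeIPA/SSSD code: a small Python check that takes the server-side entry (as pasted above, including mail quoting and wrapped values) and the client's `id -Gn` output after step 5, and lists the groups the server reports but the client does not resolve. The sample entry, the client output and the function names are constructed for illustration; it assumes group names contain no spaces.

```python
import re

# Constructed sample modelled on the scrubbed entry quoted above (not real data).
# Two values are wrapped onto the following line, as the mail client did there.
SERVER_ENTRY = """\
> uid: user
> memberof: cn=ipausers,cn=groups,cn=accounts,dc=org,dc=org
> memberof:
> cn=engineering_core_engineers,cn=groups,cn=accounts,dc=org,dc=org
> memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=org,dc=org
> memberofindirect:
> ipauniqueid=00000000-0000-0000-0000-000000000000,cn=sudorules,cn=sudo,dc=org,dc=org
> memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org
> objectclass: top
"""
# Constructed `id -Gn user` output from the client, taken after `sss_cache -UG`.
CLIENT_ID_GN = "user ipausers engineering_core_engineers rancid_users"

ATTRS = ("memberof", "memberofindirect")
# Only user groups count; sudo rules, netgroups etc. also appear in memberof*.
GROUP_DN = re.compile(r"^cn=([^,]+),cn=groups,cn=accounts,", re.IGNORECASE)

def server_groups(entry_text):
    """Return {group_name: 'memberof' | 'memberofindirect'} from the entry text."""
    groups = {}
    pending = None  # attribute whose value was wrapped onto the next line
    for raw in entry_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail quoting
        if pending:
            attr, value, pending = pending, line, None
        else:
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr in ATTRS and not value:
                pending = attr
                continue
        if attr in ATTRS:
            match = GROUP_DN.match(value)
            if match:
                groups.setdefault(match.group(1), attr)
    return groups

def missing_on_client(entry_text, id_gn_output):
    """Groups the server lists that the client's `id -Gn` output lacks."""
    client = set(id_gn_output.split())
    return {g: how for g, how in server_groups(entry_text).items() if g not in client}

if __name__ == "__main__":
    for group, how in sorted(missing_on_client(SERVER_ENTRY, CLIENT_ID_GN).items()):
        print(f"not resolved on client: {group} ({how})")
```

The user's private group shows up only on the client side, so the comparison is deliberately one-directional.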