[Freeipa-users] Users not inheriting groups

Jakub Hrozek jhrozek at redhat.com
Mon Aug 4 07:57:18 UTC 2014


On Mon, Aug 04, 2014 at 09:18:11AM +0200, Jakub Hrozek wrote:
> On Fri, Aug 01, 2014 at 10:58:14AM -0700, William Graboyes wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> > 
> > Thanks for your help,
> > 
> > The group memberships are propagated properly on the server side:
> > 
> >   dn: uid=user,cn=users,cn=accounts,dc=cenic,dc=org
> >   uid: user
> >   givenname: userfn
> >   sn: userln
> >   cn: userfn userln
> >   displayname: userfn userln
> >   initials: uu
> >   homedirectory: /home/user
> >   gecos: userfn userln
> >   loginshell: /bin/bash
> >   krbprincipalname: user at ORG.ORG
> >   mail: user at cenic.org
> >   uidnumber: 1080
> >   gidnumber: 1080
> >   nsaccountlock: False
> >   has_password: True
> >   has_keytab: True
> >   ipauniqueid: 2d01b68e-fb38-11e3-9d0d-525400e99b50
> >   krbextradata: AALodNFTc3JpYXpAQ0VOSUMuT1JHAA==
> >   krblastfailedauth: 20140731220341Z
> >   krblastpwdchange: 20140724210440Z
> >   krblastsuccessfulauth: 20140731223953Z
> >   krbloginfailedcount: 0
> >   krbpasswordexpiration: 20141022210440Z
> >   krbpwdpolicyreference: cn=global_policy,cn=ORG.ORG,cn=kerberos,dc=org,dc=org
> >   memberof: cn=ipausers,cn=groups,cn=accounts,dc=org,dc=org
> >   memberof: cn=games,cn=groups,cn=accounts,dc=org,dc=org
> >   memberof: cn=engineering_core_engineers,cn=groups,cn=accounts,dc=org,dc=org
> >   memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=org,dc=org
> >   memberofindirect: ipauniqueid=696df694-e690-11e3-8fc8-525400e99b50,cn=sudorules,cn=sudo,dc=org,dc=org
> >   memberofindirect: ipauniqueid=a3eb8884-ecdc-11e3-a0df-525400e99b50,cn=ng,cn=alt,dc=org,dc=org
> >   memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org
> >   memberofindirect: cn=engineering_core,cn=groups,cn=accounts,dc=org,dc=org
> >   memberofindirect: cn=engineering,cn=groups,cn=accounts,dc=org,dc=org
> >   memberofindirect: cn=staff,cn=groups,cn=accounts,dc=org,dc=org
> >   mepmanagedentry: cn=sriaz,cn=groups,cn=accounts,dc=org,dc=org
> >   objectclass: top
> >   objectclass: person
> >   objectclass: organizationalperson
> >   objectclass: inetorgperson
> >   objectclass: inetuser
> >   objectclass: posixaccount
> >   objectclass: krbprincipalaux
> >   objectclass: krbticketpolicyaux
> >   objectclass: ipaobject
> >   objectclass: ipasshuser
> >   objectclass: ipaSshGroupOfPubKeys
> >   objectclass: mepOriginEntry
> > 
> > This has been scrubbed, the group that is not being seen on the client
> > side is the rancid group, which is showing up here.
> 
> OK, then we know we're looking at a client side problem.
> 
> Can you:
>     1) service sssd stop
>     2) edit /etc/sssd/sssd.conf and put debug_level=7 into both [nss]
>     and [domain] sections
>     3) service sssd start
>     4) sss_cache -UG
>     5) id -G $username
> 
> Then attach the logs found at /var/log/sssd/sssd_$domain.log
> 
> If you feel the logs are too sensitive for a mailing list, you can
> send them directly to me and CC: pbrezina -at- redhat -dot- com

Btw, do all the groups have a POSIX ID? We currently have a bug in SSSD
where we don't resolve non-POSIX groups correctly.
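The two checks this thread turns on, written up as an added example (this is not code from the thread, from FreeIPA or from SSSD): reconcile the server-side `memberof` / `memberofindirect` list against what the client's `id -Gn` reports, and flag any group entry that carries no `gidNumber`, which is the non-POSIX condition Jakub asks about. The user entry below is constructed from the scrubbed one the poster pasted (with the mail-wrapped lines unfolded); the client-side listing and the two group entries, including `rancid` lacking a `gidNumber`, are constructed for illustration and are not something the thread establishes.

```python
"""Compare FreeIPA server-side group membership with the SSSD client view.

Added example for the thread above; all sample data is constructed.
"""
import re

# Only DNs under cn=groups,cn=accounts are user groups; sudo rules and
# netgroups also show up in memberofindirect and must be ignored.
GROUP_DN_RE = re.compile(r"^cn=([^,]+),cn=groups,cn=accounts,", re.IGNORECASE)


def unfold_ldif(text):
    """Join LDIF continuation lines: a line beginning with one space
    continues the previous attribute value."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entry(text):
    """Return {attribute (lower-cased): [values]} for one LDIF entry."""
    entry = {}
    for line in unfold_ldif(text):
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def group_membership(user_entry):
    """Split the user's group DNs into (direct, indirect) sets of group names."""
    def names(attr):
        found = set()
        for dn in user_entry.get(attr, []):
            match = GROUP_DN_RE.match(dn)
            if match:
                found.add(match.group(1))
        return found
    return names("memberof"), names("memberofindirect")


def missing_on_client(server_groups, id_output):
    """Groups the server lists for the user that `id -Gn` did not print."""
    return server_groups - set(id_output.split())


def non_posix_groups(group_entries):
    """Names of group entries with no gidNumber, i.e. non-POSIX groups."""
    return {e["cn"][0] for e in group_entries if "gidnumber" not in e}


# Constructed from the scrubbed entry in the thread; one value is folded
# across two lines to exercise unfold_ldif().
USER_LDIF = """\
dn: uid=user,cn=users,cn=accounts,dc=org,dc=org
uid: user
gidnumber: 1080
memberof: cn=ipausers,cn=groups,cn=accounts,dc=org,dc=org
memberof: cn=games,cn=groups,cn=accounts,dc=org,dc=org
memberof: cn=engineering_core_engineers,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: ipauniqueid=696df694-e690-11e3-8fc8-525400e99b50,cn=sudorules,
 cn=sudo,dc=org,dc=org
memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: cn=engineering_core,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: cn=engineering,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: cn=staff,cn=groups,cn=accounts,dc=org,dc=org
"""

# Constructed `id -Gn user` output mirroring the complaint: rancid is absent.
ID_GN_OUTPUT = ("user ipausers games engineering_core_engineers rancid_users "
                "engineering_core engineering staff")

# Hypothetical group entries: rancid has no gidNumber, staff does.
GROUP_LDIFS = [
    "dn: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org\ncn: rancid\n"
    "objectclass: ipausergroup\n",
    "dn: cn=staff,cn=groups,cn=accounts,dc=org,dc=org\ncn: staff\n"
    "objectclass: posixgroup\ngidnumber: 1010\n",
]


def report(user_ldif=USER_LDIF, id_output=ID_GN_OUTPUT, group_ldifs=GROUP_LDIFS):
    """Run both checks and return the findings as sets."""
    direct, indirect = group_membership(parse_entry(user_ldif))
    groups = [parse_entry(g) for g in group_ldifs]
    return {
        "direct": direct,
        "indirect": indirect,
        "missing": missing_on_client(direct | indirect, id_output),
        "non_posix": non_posix_groups(groups),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:10}: {sorted(value)}")
```

On a real system the inputs come from `ipa user-show "$user" --all --raw` for the user entry, `id -Gn "$user"` on the affected client, and `ipa group-show "$group" --all --raw` for each group that turns up missing; a missing group that also appears in the non-POSIX set points at the SSSD bug Jakub mentions rather than at a replication or cache problem.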