[Freeipa-users] Users not inheriting groups
Jakub Hrozek
jhrozek at redhat.com
Mon Aug 4 07:57:18 UTC 2014
On Mon, Aug 04, 2014 at 09:18:11AM +0200, Jakub Hrozek wrote:
> On Fri, Aug 01, 2014 at 10:58:14AM -0700, William Graboyes wrote:
> > Thanks for your help,
> >
> > The group memberships are propagated properly on the server side:
> >
> > dn: uid=user,cn=users,cn=accounts,dc=cenic,dc=org
> > uid: user
> > givenname: userfn
> > sn: userln
> > cn: userfn userln
> > displayname: userfn userln
> > initials: uu
> > homedirectory: /home/user
> > gecos: userfn userln
> > loginshell: /bin/bash
> > krbprincipalname: user at ORG.ORG
> > mail: user at cenic.org
> > uidnumber: 1080
> > gidnumber: 1080
> > nsaccountlock: False
> > has_password: True
> > has_keytab: True
> > ipauniqueid: 2d01b68e-fb38-11e3-9d0d-525400e99b50
> > krbextradata: AALodNFTc3JpYXpAQ0VOSUMuT1JHAA==
> > krblastfailedauth: 20140731220341Z
> > krblastpwdchange: 20140724210440Z
> > krblastsuccessfulauth: 20140731223953Z
> > krbloginfailedcount: 0
> > krbpasswordexpiration: 20141022210440Z
> > krbpwdpolicyreference: cn=global_policy,cn=ORG.ORG,cn=kerberos,dc=org,dc=org
> > memberof: cn=ipausers,cn=groups,cn=accounts,dc=org,dc=org
> > memberof: cn=games,cn=groups,cn=accounts,dc=org,dc=org
> > memberof: cn=engineering_core_engineers,cn=groups,cn=accounts,dc=org,dc=org
> > memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=org,dc=org
> > memberofindirect: ipauniqueid=696df694-e690-11e3-8fc8-525400e99b50,cn=sudorules,cn=sudo,dc=org,dc=org
> > memberofindirect: ipauniqueid=a3eb8884-ecdc-11e3-a0df-525400e99b50,cn=ng,cn=alt,dc=org,dc=org
> > memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org
> > memberofindirect: cn=engineering_core,cn=groups,cn=accounts,dc=org,dc=org
> > memberofindirect: cn=engineering,cn=groups,cn=accounts,dc=org,dc=org
> > memberofindirect: cn=staff,cn=groups,cn=accounts,dc=org,dc=org
> > mepmanagedentry: cn=sriaz,cn=groups,cn=accounts,dc=org,dc=org
> > objectclass: top
> > objectclass: person
> > objectclass: organizationalperson
> > objectclass: inetorgperson
> > objectclass: inetuser
> > objectclass: posixaccount
> > objectclass: krbprincipalaux
> > objectclass: krbticketpolicyaux
> > objectclass: ipaobject
> > objectclass: ipasshuser
> > objectclass: ipaSshGroupOfPubKeys
> > objectclass: mepOriginEntry
> >
> > This has been scrubbed, the group that is not being seen on the client
> > side is the rancid group, which is showing up here.
>
> OK, then we know we're looking at a client side problem.
>
> Can you:
> 1) service sssd stop
> 2) edit /etc/sssd/sssd.conf and put debug_level=7 into both [nss]
> and [domain] sections
> 3) service sssd start
> 4) sss_cache -UG
> 5) id -G $username
>
> Then attach the logs found at /var/log/sssd/sssd_$domain.log
>
> If you feel the logs are too sensitive for a mailing list, you can
> send them directly to me and CC: pbrezina -at- redhat -dot- com
btw, do all the groups have a POSIX ID? We currently have a bug in SSSD
where we don't resolve non-POSIX groups correctly.
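As an added example (not part of the thread), a small Python script that takes a server-side user entry of the kind quoted above and the client's `id -Gn $username` output, and lists the groups the server reports but SSSD on the client does not. The sample entry and `id` output are constructed to mirror the thread (placeholder values), it skips sudo rules and netgroups that `id` would never show, and it tolerates `memberof:` lines that a mail client has wrapped onto the next line.

```python
import re

# Constructed sample of an `ipa user-show --all --raw`-style entry, modelled on the
# scrubbed entry in the thread; the last memberof line is deliberately wrapped.
SERVER_ENTRY = """\
dn: uid=user,cn=users,cn=accounts,dc=org,dc=org
uid: user
gidnumber: 1080
memberof: cn=ipausers,cn=groups,cn=accounts,dc=org,dc=org
memberof: cn=games,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: ipauniqueid=PLACEHOLDER-UUID,cn=sudorules,cn=sudo,dc=org,dc=org
memberofindirect: ipauniqueid=PLACEHOLDER-UUID,cn=ng,cn=alt,dc=org,dc=org
memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: cn=staff,cn=groups,cn=accounts,dc=org,dc=org
memberof:
cn=engineering_core_engineers,cn=groups,cn=accounts,dc=org,dc=org
"""

# Constructed `id -Gn user` output from the client; rancid and rancid_users are absent.
CLIENT_ID_GN = "user ipausers games engineering_core_engineers staff"

# Only DNs under cn=groups,cn=accounts are POSIX/user groups that `id` could list.
GROUP_DN_RE = re.compile(r"^cn=([^,]+),cn=groups,cn=accounts,", re.IGNORECASE)


def parse_entry(entry_text):
    """Return (attribute, value) pairs. A bare 'attr:' line takes its value from
    the following line, which is how mail clients wrapped the entry in the thread."""
    lines = [ln.strip() for ln in entry_text.splitlines() if ln.strip()]
    pairs, i = [], 0
    while i < len(lines):
        attr, _, value = lines[i].partition(":")
        value = value.strip()
        if not value and i + 1 < len(lines):   # wrapped continuation line
            i += 1
            value = lines[i]
        pairs.append((attr.strip().lower(), value))
        i += 1
    return pairs


def server_groups(entry_text):
    """Map group cn -> 'direct' or 'indirect' from memberof/memberofindirect."""
    groups = {}
    for attr, value in parse_entry(entry_text):
        if attr not in ("memberof", "memberofindirect"):
            continue
        match = GROUP_DN_RE.match(value)
        if match:   # sudo rules, netgroups, HBAC rules etc. are skipped
            groups.setdefault(match.group(1).lower(), "direct" if attr == "memberof" else "indirect")
    return groups


def missing_on_client(entry_text, id_gn_output):
    """Groups the server lists for the user that the client's `id -Gn` does not."""
    client = {g.lower() for g in id_gn_output.split()}
    return sorted(g for g in server_groups(entry_text) if g not in client)


if __name__ == "__main__":
    for name, kind in sorted(server_groups(SERVER_ENTRY).items()):
        print(f"{name:30} {kind}")
    print("missing on client:", missing_on_client(SERVER_ENTRY, CLIENT_ID_GN))
```

Groups it reports as missing are the ones to look for in the sssd_$domain.log from the steps above; a group that has no gidNumber on the server is the case the non-POSIX bug mentioned above would explain.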