[Freeipa-users] Group membership not populated

Darren Poulson darren.poulson at genesys.com
Fri Nov 14 12:10:59 UTC 2014


Hi,

I'm currently having an issue where if I log in as a user on a freshly rebooted machine, their group membership is not populated, so things like sudo do not work properly. If I do a getent group <group>, log out and log back in again, then it works properly.

For example:

-sh-4.1$ groups dpoulson
dpoulson : dpoulson ops_admins helpdesk
-sh-4.1$ getent group ops_users
ops_users:*:50130:dpoulson,anotheruser,andanother,etc
-sh-4.1$ groups dpoulson
dpoulson : dpoulson ops_admins helpdesk ops_users
-sh-4.1$ groups
dpoulson ops_admins helpdesk

<logout/login>

-sh-4.1$ groups
dpoulson helpdesk ops_admins ops_users

(the user is actually meant to be a member of 6 groups)

Client and server machines are all fresh installs of CentOS 6.6, running:

ipa-server-3.0.0-42.el6.centos.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64

All config files I've checked are identical (/etc/nsswitch.conf, /etc/sssd/sssd.conf, /etc/sudo-ldap.conf) - any more I should check? Though that being said, they were all kickstarted from the same image with the same chef recipes.

/etc/sssd/sssd.conf:

[domain/bur.us.genops]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = bur.us.genops
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = pwm1-01.bur.us.genops
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, freeipa1-01.bur.us.genops
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 8

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = bur.us.genops
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]




/etc/nsswitch.conf

passwd:     files sss
shadow:     files sss
group:      files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus

sudoers: files sss


Any ideas where to start looking?

Thanks,

Darren.
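
An added diagnostic, not part of the original post: it takes the `id -Gn` snapshot before any `getent group` lookup (in the transcript above the lookup itself changes what `groups dpoulson` returns) and reports groups that list the user as a member but are missing from that snapshot. The function names are hypothetical, and the sample data is copied from the transcript above.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# in_list WORD LIST SEP: succeed if WORD is an exact element of LIST split on SEP.
in_list() {
    case "$3$2$3" in
        *"$3$1$3"*) return 0 ;;
    esac
    return 1
}

# missing_groups USER RESOLVED GETENT_LINES
#   RESOLVED:     space-separated names as printed by `id -Gn USER`
#   GETENT_LINES: lines in `getent group` format (name:passwd:gid:members)
# Prints every group that lists USER as a member but is absent from RESOLVED.
missing_groups() {
    user=$1
    resolved=$2
    printf '%s\n' "$3" | while IFS=: read -r name pw gid members; do
        [ -n "$name" ] || continue
        in_list "$user" "$members" , || continue
        in_list "$name" "$resolved" ' ' || printf '%s\n' "$name"
    done
}

# check_live USER GROUP...: run the comparison against the local NSS stack.
# The id snapshot is taken first, because the getent lookup itself can
# change what a later id/groups call returns (as in the transcript).
check_live() {
    user=$1
    shift
    resolved=$(id -Gn "$user") || return 2
    lines=$(getent group "$@") || :   # getent exits non-zero if any group is unknown
    missing_groups "$user" "$resolved" "$lines"
}

# Sample data copied from the transcript in the post.
SAMPLE_ID='dpoulson ops_admins helpdesk'
SAMPLE_GETENT='ops_users:*:50130:dpoulson,anotheruser,andanother,etc'

missing_groups dpoulson "$SAMPLE_ID" "$SAMPLE_GETENT"   # prints: ops_users
```

Call `check_live <user> <group>...` on a client to run the same comparison against live `id` and `getent` output.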






