[Freeipa-users] Group membership not populated
Darren Poulson
darren.poulson at genesys.com
Fri Nov 14 12:10:59 UTC 2014
Hi,
I'm currently having an issue where if I log in as a user on a freshly rebooted machine, their group membership is not populated, so things like sudo do not work properly. If I do a getent group <group>, log out and log back in again, then it works properly.
For example:
-sh-4.1$ groups dpoulson
dpoulson : dpoulson ops_admins helpdesk
-sh-4.1$ getent group ops_users
ops_users:*:50130:dpoulson,anotheruser,andanother,etc
-sh-4.1$ groups dpoulson
dpoulson : dpoulson ops_admins helpdesk ops_users
-sh-4.1$ groups
dpoulson ops_admins helpdesk
<logout/login>
-sh-4.1$ groups
dpoulson helpdesk ops_admins ops_users
(the user is actually meant to be a member of 6 groups)
Client and server machines are all fresh installs of CentOS 6.6, running:
ipa-server-3.0.0-42.el6.centos.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
All config files I've checked are identical (/etc/nsswitch.conf, /etc/sssd/sssd.conf, /etc/sudo-ldap.conf) - any more I should check? Though that being said, they were all kickstarted from the same image with the same chef recipes.
/etc/sssd/sssd.conf:
[domain/bur.us.genops]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = bur.us.genops
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = pwm1-01.bur.us.genops
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, freeipa1-01.bur.us.genops
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 8
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = bur.us.genops
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
/etc/nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
sudoers: files sss
Any ideas where to start looking?
Thanks,
Darren.