[Freeipa-users] Inconsistent group memberships in sssd

Jakub Hrozek jhrozek at redhat.com
Fri Oct 24 07:51:41 UTC 2014

On Thu, Oct 23, 2014 at 05:19:38PM -0700, Michael Lasevich wrote:
> Small update, it appears that once I run "getent group <groupname>" - my
> user shows up in the group <groupname>. Odd.
> (and yes, I have ran "sss_cache -UG" many a time)
> -M

One particular change in IPA 4.x that might be giving old clients
headache is the new permission system. Only clean installs or replicas
of 6.6 (or newer) servers are guaranteed to work with old clients.

How was your IPA 4.0.3 server installed? What is the 389-ds-base version
you're running?

Any chance you can try a newer SSSD on your CentOS6 client? I have a
COPR repo with the latest 1.11 branch here:

More information about the Freeipa-users mailing list