[Freeipa-users] Inconsistent group memberships in sssd
Jakub Hrozek
jhrozek at redhat.com
Mon Oct 27 13:14:53 UTC 2014
On Fri, Oct 24, 2014 at 09:51:41AM +0200, Jakub Hrozek wrote:
> On Thu, Oct 23, 2014 at 05:19:38PM -0700, Michael Lasevich wrote:
> > Small update, it appears that once I run "getent group <groupname>" - my
> > user shows up in the group <groupname>. Odd.
> >
> > (and yes, I have ran "sss_cache -UG" many a time)
> >
> > -M
>
> One particular change in IPA 4.x that might be giving old clients
> headache is the new permission system. Only clean installs or replicas
> of 6.6 (or newer) servers are guaranteed to work with old clients.
>
> How was your IPA 4.0.3 server installed? What is the 389-ds-base version
> you're running?
>
> Any chance you can try a newer SSSD on your CentOS6 client? I have a
> COPR repo with the latest 1.11 branch here:
> http://copr-fe.cloud.fedoraproject.org/coprs/jhrozek/SSSD-1.11-RHEL6/
I should have been clearer in my previous response. We /do not/ require
old clients to be upgraded in order to work with a newer server. We care
about backwards compatibility.
However, some changes in the new permissions system require an existing
RHEL-6 IPA 3.x server that should be replicated onto a IPA 4.x server is
first upgraded to RHEL-6.6, especially the 389-ds component.
Clean installs of new servers are fine. Sorry for the confustion.
More information about the Freeipa-users
mailing list