[Freeipa-users] Problems with users from AD trusted domain after update to IPA 4.1

Alexander Bokovoy abokovoy at redhat.com
Wed Apr 22 05:26:53 UTC 2015


On Wed, 22 Apr 2015, Alexander Frolushkin wrote:
>Hello.
>Not sure it happened after update, but now we are on 4.1 and on some
>servers we have only AD groups if it is primary for user, and have no
>IPA groups with AD external group in members.  For example, on the IPA
>server we have
># id afrolushkin at ad.com
>uid=236658172(afrolushkin at ad.com) gid=236658172(afrolushkin at ad.com)
>groups=236658172(afrolushkin at ad.com),236658193(sib-dwh-sa-admins at ad.com),810800020(sib-dwh-sa-admins),236667642(rhidm-sa-admins at ad.com)
>here group
>236658193(sib-dwh-sa-admins at ad.com)
>has an IPA group 810800020(sib-dwh-sa-admins), and it is not primary
>for user.  Group, primary for this user -
>236667642(rhidm-sa-admins at ad.com) also
>has an IPA group, but it is not displayed in id command.
>On some other servers (IPA clients) it displays ONLY AD groups:
># id afrolushkin at megafon.ru
>uid=236658172(afrolushkin at ad.com) gid=236658172(afrolushkin at ad.com)
>groups=236658172(afrolushkin at ad.com),236667642(rhidm-sa-admins at ad.com),236658193(sib-dwh-sa-admins at ad.com)
>
>This is a big problem for us, because on those servers we cannot use
>HBAC & sudo, also we don't think primary AD group is an exception and
>cannot be used in IPA authorization.
If it is a big problem, make sure you are gathering all the logs and
deployment information first to pinpoint what exactly you are running.

See https://fedorahosted.org/sssd/wiki/Troubleshooting for general SSSD
troubleshooting.

-- 
/ Alexander Bokovoy



