[Freeipa-users] HBAC access denied, all AD groups not detected
Jakub Hrozek
jhrozek at redhat.com
Mon Dec 7 08:59:22 UTC 2015
On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote:
> Hello,
>
> We are having a problem with HBAC that appears to be related to group
> membership lookup. I am testing with a new install on RHEL 7.2 with a
> cross-forest trust with AD. When an AD user attempts to log into a client
> (RH 6.7 or 7.2) the "hbac_eval_user_element" can report a different
> number of groups each time and never seems to contain the full list.
> For the testing account, running the 'id' command returns 153 groups.
> The ipa group "ad_admin" has setup to be able to log in anywhere, everyone
> else is denied. With the default allow_all rule enabled, everything works
> as expected. Any ideas on where I can look next?
I assume the group membership is OK on the server, but not the client? Can
you enable debugging and also include the full logs from the client after
doing sss_cache -E on the client?
More information about the Freeipa-users
mailing list