[Freeipa-users] AD group members

Sumit Bose sbose at redhat.com
Tue Dec 15 08:59:04 UTC 2015


On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote:
> Using an EL7 client, lots of times the IPA (posix) groups are missing,
> or partly missing. Doing some debugging, sssd_pac.log shows:
>
> (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51509] is not in the PAC anymore, membership must be removed.
> (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51508] is not in the PAC anymore, membership must be removed.
>
> These sids are the groups I am missing. What is happening here???

Originally the PAC was the only source for the group-membership data for
users coming from AD. To be able to be a member of IPA groups the IPA
KDC added SIDs of IPA groups the AD user is a member of.

With EL7.1 SSSD is able to read group-membership data on its own if the
IPA server is running on 7.1 or newer as well. If this is your case it
looks like there is a disconnect between how the IPA KDC and SSSD
determine the group memberships for the given user.

To investigate this issue further it would be nice if you can share some
details about your environment, especially which SSSD and IPA versions
are used on the client and the server and how the external group
membership is defined on the IPA server.

bye,
Sumit

> 
> Kind regards,
> 
> Winny
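One way to confirm the disconnect Sumit describes is to pull the SIDs that the PAC responder reports as dropped out of sssd_pac.log and compare them with the group SIDs the client is expected to keep for the user. The following is an added example, not code from the thread or from SSSD; the two log lines are the ones quoted in the report, the third log line and the expected SID list are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Matches the sssd_pac.log debug line shape seen in the report:
# (timestamp) [sssd[pac]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[pac\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Message logged by pac_user_get_grp_info when a cached group SID is
# absent from the freshly received PAC (see the quoted log above).
DROP_RE = re.compile(r"Group with SID \[(?P<sid>S-1-5-21-[0-9-]+)\] is not in the PAC anymore")

@dataclass(frozen=True)
class PacDrop:
    timestamp: str
    sid: str

def parse_pac_drops(lines):
    """Return the SIDs the PAC responder says it will remove, in log order."""
    drops = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("func") != "pac_user_get_grp_info":
            continue  # other responders / functions are not relevant here
        d = DROP_RE.search(m.group("msg"))
        if d:
            drops.append(PacDrop(m.group("ts"), d.group("sid")))
    return drops

def expected_groups_removed(drops, expected_sids):
    """SIDs the admin expects the user to keep but the PAC path removes."""
    return sorted({d.sid for d in drops} & set(expected_sids))

# Constructed sample: the two lines from the report plus one noise line.
SAMPLE_LOG = """\
(Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51509] is not in the PAC anymore, membership must be removed.
(Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51508] is not in the PAC anymore, membership must be removed.
(Mon Dec 14 17:19:09 2015) [sssd[pac]] [constructed_noise] (0x0400): constructed line, not a real SSSD message
"""
# Assumed: group SIDs the user should retain (the two from the report plus one unrelated).
EXPECTED_SIDS = [
    "S-1-5-21-1802245919-2979536009-1783284443-51508",
    "S-1-5-21-1802245919-2979536009-1783284443-51509",
    "S-1-5-21-1802245919-2979536009-1783284443-1000",  # constructed, never dropped
]

if __name__ == "__main__":
    drops = parse_pac_drops(SAMPLE_LOG.splitlines())
    print(expected_groups_removed(drops, EXPECTED_SIDS))
```

Any SID it prints is a group that the KDC-built PAC and SSSD's own lookup disagree on, which is exactly the version and external-group-definition detail Sumit asks for.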

