[Freeipa-users] AD group members

Sumit Bose sbose at redhat.com
Tue Dec 15 15:19:33 UTC 2015


On Tue, Dec 15, 2015 at 03:44:46PM +0100, Winfried de Heiden wrote:
> Hi all,
>
> Even more strange, logging in using SSH public/private keys the problem
> disappears and all groups are available!
>
> Strange.....?!

This is expected, because if you use SSH keys no PAC is involved and hence the
PAC responder cannot remove group-memberships which are not listed in the PAC.

>
> RHEL 7.2 with IPA 4.2, sssd 1.13.0-40 last updated Friday December 11
> RHEL 7.2 with sssd 1.13.0-40 as an IPA client
> RHEL 6.7 with sssd 1.12.4-47 as an IPA client

Do I understand correctly that with 1.12.4-47 the groups are always
correct while with 1.13.0-40 the groups are missing when not using SSH
keys?

bye,
Sumit

>
> Winny
>
> On 15-12-15 at 09:59 Sumit Bose wrote:
>
>     On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote:
>
>         Using an EL7 client, lots of times the IPA (posix) groups are missing,
>         or partly missing. Doing some debugging, sssd_pac.log shows:
>
>         (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51509] is not in the PAC anymore, membership must be removed.
>         (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51508] is not in the PAC anymore, membership must be removed.
>
>         These sids are the groups I am missing. What is happening here???
>
>     Originally the PAC was the only source for the group-membership data for
>     users coming from AD. To be able to be a member of IPA groups the IPA
>     KDC added SIDs of IPA groups the AD user is a member of.
>
>     With EL7.1 SSSD is able to read group-membership data on its own if the
>     IPA server is running on 7.1 or newer as well. If this is your case it
>     looks like there is a disconnect between how the IPA KDC and SSSD
>     determine the group memberships for the given user.
>
>     To investigate this issue further it would be nice if you can share some
>     details about your environment, especially which SSSD and IPA versions
>     are used on the client and the server and how the external group
>     membership is defined on the IPA server.
>
>     bye,
>     Sumit
>
>
>         Kind regards,
>
>         Winny
>
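The two sssd_pac.log lines quoted in the thread are the messages an admin wants to collect across a whole login and sort by the domain the dropped SIDs belong to: if the removed groups carry the IPA domain SID (shown by `ipa trustconfig-show`), the IPA KDC and SSSD disagree about the user's membership, which is the disconnect Sumit describes; a key-based SSH login would not show it because no PAC is processed. The script below is an added example written for this page, not code from the thread or from SSSD or FreeIPA. The sample log content is constructed from the two quoted lines plus one filler line, and the log path and debug_level remark in the comments describe a typical sssd layout (assumed; check your own sssd.conf).

```python
import re
from collections import defaultdict

# Constructed sample of sssd_pac.log output. The two "is not in the PAC anymore"
# lines are the ones quoted in the thread; the third is filler in the same
# format so the filter has something to ignore.
SAMPLE_LOG = """\
(Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51509] is not in the PAC anymore, membership must be removed.
(Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51508] is not in the PAC anymore, membership must be removed.
(Mon Dec 14 17:19:09 2015) [sssd[pac]] [pac_cmd_done] (0x2000): constructed filler line, not a removal
"""

# Shape of one sssd_pac.log line: (timestamp) [sssd[pac]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[pac\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# The removal message emitted by pac_user_get_grp_info, as quoted in the thread.
REMOVAL_RE = re.compile(
    r"Group with SID \[(?P<sid>S-1-5-21-[0-9-]+)\] is not in the PAC anymore"
)


def parse_pac_log(text):
    """Return a list of (timestamp, function, level, message) tuples, one per
    well-formed sssd_pac.log line; lines in any other shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("ts"), m.group("func"),
                            m.group("level"), m.group("msg")))
    return entries


def removed_group_sids(text):
    """Return the group SIDs the PAC responder announced it would drop,
    in first-seen order without duplicates."""
    seen = []
    for _ts, _func, _level, msg in parse_pac_log(text):
        m = REMOVAL_RE.search(msg)
        if m and m.group("sid") not in seen:
            seen.append(m.group("sid"))
    return seen


def group_by_domain(sids):
    """Split each SID into its domain part and RID so the dropped groups can
    be matched against the IPA domain SID or the trusted AD domain's SID.
    Removals of IPA-domain groups are exactly the symptom in the thread."""
    by_domain = defaultdict(list)
    for sid in sids:
        domain, rid = sid.rsplit("-", 1)
        by_domain[domain].append(int(rid))
    return dict(by_domain)


def report(text):
    """Human-readable summary for an admin checking a client's sssd_pac.log."""
    lines = []
    for domain, rids in group_by_domain(removed_group_sids(text)).items():
        lines.append(f"domain {domain}: dropped RIDs {sorted(rids)}")
    return "\n".join(lines) or "no PAC-driven group removals found"


if __name__ == "__main__":
    import sys
    # Assumed usage: python3 pac_removals.py /var/log/sssd/sssd_pac.log
    # The 0x2000 messages only appear when debug_level in the [pac] section
    # of sssd.conf includes that bit (or is set high enough, e.g. 9).
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(data))
```

Run against the client's real log right after a password (or GSSAPI) login and compare the domain prefixes in the output with `ipa trustconfig-show` on the server: RIDs under the IPA domain SID mean the KDC did not put those IPA groups into the PAC while SSSD resolved them on its own.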