[Freeipa-users] FreeIPA groups not shown on client

Nikola Kržalić nikola at krzalic.com
Sat Jun 20 18:35:24 UTC 2015


Just in case somebody is still struggling with this... On Ubuntu 14.04
I had to set the enumerate option to true in sssd.conf to make this work.

On Fri, May 22, 2015 at 6:28 PM, Christoph Kaminski
<christoph.kaminski at biotronik.com> wrote:
> freeipa-users-bounces at redhat.com wrote on 22.05.2015 09:37:04:
>
>> From: Nikola Kržalić <nikola at krzalic.com>
>> To: freeipa-users at redhat.com
>> Date: 22.05.2015 15:05
>> Subject: [Freeipa-users] FreeIPA groups not shown on client
>> Sent by: freeipa-users-bounces at redhat.com
>>
>> I have an Ubuntu system running IPA client. I am able to log in via ssh
>> using IPA users, but I do not get any group memberships or sudo rules.
>> Same configuration works on a different system (running CentOS).
>>
>> sssd domain log output shows that the groups are retrieved from server
>> successfully:
>>
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [admins] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [ipausers] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [editors] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [trust admins] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [devops_team] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [dev_team] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [sys_team] for user [nkrzalic]
>>
>> However, these groups are not shown on the user upon login:
>>
>> nkrzalic@ircsrv1:~$ id
>> uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic)
>>
>> I tried cleaning sssd cache but that didn't help.
>>
>> sssd conf is as follows:
>>
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>>
>> nsswitch.conf seems to be correct as well:
>>
>> # /etc/nsswitch.conf
>>
>> passwd:         compat sss
>> group:          compat sss
>> shadow:         compat
>>
>> hosts:          files dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis sss
>> sudoers:        files sss
>>
>> Interestingly after I do "getent group devops_team" this group shows up:
>>
>> nkrzalic@ircsrv1:~$ id
>> uid=281200051(nkrzalic) gid=281200051(nkrzalic)
>> groups=281200051(nkrzalic),281200001(devops_team)
>> nkrzalic@ircsrv1:~$
>>
>>
>> Any ideas?
>>
>>
>
> try to kill the cache with:
> (stop sssd) rm -rf /var/lib/sss/db/* (start sssd)
>
> we have had the same problems often here and only really killing the cache has
> fixed it (sss_cache -A hasn't helped)
>
> Greetz
> Christoph Kaminski
>
>



-- 
S poštovanjem / Regards,

Nikola Kržalić.
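A small diagnostic for the symptom discussed in this thread, added here as an example and not code from any of the posts: it lists the groups that the SSSD backend resolved for a user (the "Added group [...] for user [...]" lines in the sssd domain log) but that `id` does not report, so you can see at a glance whether the gap is between the backend and NSS before touching the cache or sssd.conf. The function names, the constructed sample built from the log and `id` excerpts quoted above, and the log path in the final comment are assumptions.

```shell
#!/bin/sh
# Compare the groups that SSSD's IPA backend resolved for a user (as logged by
# hbac_eval_user_element in the sssd domain log) with the groups the NSS layer
# reports through `id`, and list the ones that never reached NSS. Inputs are
# passed as strings so the functions can be exercised offline.
export LC_ALL=C   # stable sort order regardless of the host locale

# Group names the backend added for user $2 in log text $1, one per line, sorted.
groups_from_log() {
    printf '%s\n' "$1" \
      | grep 'hbac_eval_user_element' \
      | grep "for user \[$2]" \
      | sed -n 's/.*Added group \[\([^]]*\)].*/\1/p' \
      | sort -u
}

# Group names from default `id` output $1 (the groups=... field), one per line,
# sorted. Parsing the parenthesised names keeps groups with spaces intact.
groups_from_id() {
    printf '%s\n' "$1" \
      | sed -n 's/.*groups=//p' \
      | tr ',' '\n' \
      | sed 's/^[0-9]*(\(.*\))$/\1/' \
      | sort -u
}

# Groups present in the backend log ($1) for user $2 but absent from the
# `id` output ($3). Exact line matching keeps "admins" from matching "trust admins".
missing_groups() {
    id_groups=$(groups_from_id "$3")
    groups_from_log "$1" "$2" | while IFS= read -r g; do
        printf '%s\n' "$id_groups" | grep -Fxq -- "$g" || printf '%s\n' "$g"
    done
}

# Constructed sample, assembled from the log excerpt and `id` output in the thread.
SAMPLE_LOG='(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [admins] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [trust admins] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [devops_team] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [dev_team] for user [nkrzalic]'
SAMPLE_ID='uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic),281200001(devops_team)'

# On a real client (domain log path assumed; needs a debug_level that logs these entries):
# missing_groups "$(cat /var/log/sssd/sssd_<domain>.log)" "$USER" "$(id "$USER")"
missing_groups "$SAMPLE_LOG" nkrzalic "$SAMPLE_ID"
```

With the sample above the script prints admins, dev_team and trust admins, the groups the backend saw but NSS did not. Keep in mind that enumerate = true makes SSSD pull the whole user and group database into its cache on every refresh, which is a heavy setting on large domains.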
