[Freeipa-users] FreeIPA groups not shown on client
Nikola Kržalić
nikola at krzalic.com
Sat Jun 20 18:35:24 UTC 2015
Just in case somebody is still struggling with this... On Ubuntu 14.04
I had to set the enumerate option to true in sssd.conf to make this work.
On Fri, May 22, 2015 at 6:28 PM, Christoph Kaminski
<christoph.kaminski at biotronik.com> wrote:
> freeipa-users-bounces at redhat.com wrote on 22.05.2015 09:37:04:
>
>> From: Nikola Kržalić <nikola at krzalic.com>
>> To: freeipa-users at redhat.com
>> Date: 22.05.2015 15:05
>> Subject: [Freeipa-users] FreeIPA groups not shown on client
>> Sent by: freeipa-users-bounces at redhat.com
>>
>> I have an Ubuntu system running the IPA client. I am able to log in via ssh
>> using IPA users, but I do not get any group memberships or sudo rules.
>> Same configuration works on a different system (running CentOS).
>>
>> The sssd domain log output shows that the groups are retrieved from the server
>> successfully:
>>
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [admins] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [ipausers] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [editors] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [trust admins] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [devops_team] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [dev_team] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [sys_team] for user [nkrzalic]
>>
>> However, these groups are not shown for the user upon login:
>>
>> nkrzalic at ircsrv1:~$ id
>> uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic)
>>
>> I tried cleaning sssd cache but that didn't help.
>>
>> sssd.conf is as follows:
>>
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>>
>> nsswitch.conf seems to be correct as well:
>>
>> # /etc/nsswitch.conf
>>
>> passwd: compat sss
>> group: compat sss
>> shadow: compat
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis sss
>> sudoers: files sss
>>
>> Interestingly, after I do "getent group devops_team" this group shows up:
>>
>> nkrzalic at ircsrv1:~$ id
>> uid=281200051(nkrzalic) gid=281200051(nkrzalic)
>> groups=281200051(nkrzalic),281200001(devops_team)
>> nkrzalic at ircsrv1:~$
>>
>>
>> Any ideas?
>>
>>
>
> try to kill the cache with:
> (stop sssd) rm -rf /var/lib/sss/db/* (start sssd)
>
> we have had the same problem often here and only really killing the cache has
> fixed it (sss_cache -A hasn't helped)
>
> Greetz
> Christoph Kaminski
>
>
--
S poštovanjem / Regards,
Nikola Kržalić.
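The mismatch described in the original post (the sssd domain log reports every group it resolved for the user, while `id` shows only the primary group until a `getent group` warms the cache) can be checked mechanically. The script below is an added example, not code from this thread or from the sssd project: it parses the "Added group [...] for user [...]" log lines and the `id` output, lists the groups the backend resolved that `id` does not show, checks whether an sssd.conf enables enumeration as Nikola's follow-up did, and wraps Christoph's full cache wipe in a function. The log lines, `id` output and sssd.conf text are constructed to mirror the thread so everything runs offline; the `service sssd stop/start` commands are assumed for Ubuntu 14.04 and the wipe is not executed by the demo.

```shell
#!/bin/bash
# Added example for the symptom in this thread, not code from the thread or
# from the sssd project. The sssd domain log says "Added group [...] for user
# [...]" but `id` on the client shows only the primary group. The log lines,
# `id` output and sssd.conf text below are constructed to mirror the thread so
# the checks run offline; nothing here talks to a live sssd.
export LC_ALL=C   # consistent sort/comm collation

# Groups the sssd backend resolved for USER, from domain log text on stdin.
# Only the "Added group [...] for user [...]" part is matched, so it also
# works on log lines that a mail client wrapped onto two lines.
groups_from_log() {
    user="$1"
    sed -n "s/.*Added group \[\([^]]*\)] for user \[$user].*/\1/p" | sort -u
}

# Group names from `id` output on stdin: uid=N(u) gid=N(g) groups=N(a),N(b)
groups_from_id() {
    sed -n 's/.*groups=//p' | tr ',' '\n' | sed -n 's/^[0-9]*(\(.*\))$/\1/p' | sort -u
}

# Groups the backend resolved that `id` does not show, one per line.
# Args: USER LOG_TEXT ID_TEXT
missing_groups() {
    tmp=$(mktemp)
    printf '%s\n' "$2" | groups_from_log "$1" > "$tmp"
    printf '%s\n' "$3" | groups_from_id | comm -23 "$tmp" -
    rm -f "$tmp"
}

# Exit 0 if sssd.conf text on stdin sets enumerate = true (the setting the
# original poster needed on Ubuntu 14.04), 1 otherwise.
enumerate_enabled() {
    grep -Eiq '^[[:space:]]*enumerate[[:space:]]*=[[:space:]]*true[[:space:]]*$'
}

# The full cache wipe from Christoph's reply. Needs root, and logins that go
# through sssd fail while it is stopped. The "service" command is an
# assumption for Ubuntu 14.04; this function is not run by the demo below.
wipe_sssd_cache() {
    service sssd stop
    rm -rf /var/lib/sss/db/*
    service sssd start
}

# Constructed sample data mirroring the thread (real log entries are one line each).
SAMPLE_LOG='(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [admins] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [ipausers] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [editors] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [trust admins] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [devops_team] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [dev_team] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [sys_team] for user [nkrzalic]'
SAMPLE_ID_BEFORE='uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic)'
SAMPLE_ID_AFTER='uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic),281200001(devops_team)'
SAMPLE_CONF_BAD='[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.test

[domain/example.test]
id_provider = ipa'
SAMPLE_CONF_OK="$SAMPLE_CONF_BAD
enumerate = true"

# Demo: run the offline checks against the constructed data.
echo "Groups in the log but missing from id (after getent group devops_team):"
missing_groups nkrzalic "$SAMPLE_LOG" "$SAMPLE_ID_AFTER"
if printf '%s\n' "$SAMPLE_CONF_OK" | enumerate_enabled; then
    echo "enumerate = true is set"
else
    echo "enumerate is not enabled"
fi
```

Two practical notes. The log lines come from HBAC evaluation on the access-control path, so they prove the backend fetched the memberships; `id` goes through NSS against sssd's cache, and the fact that a group appears only after `getent group` points at the cache serving incomplete membership, which is why a full wipe of /var/lib/sss/db helped where `sss_cache -A` (which invalidates autofs maps, not users or groups; `sss_cache -E` expires everything) did not. Setting `enumerate = true` makes sssd download the whole user and group database of the domain; the sssd.conf(5) man page warns that this is expensive on large domains, so treat it as a workaround for small deployments rather than a default.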