[Freeipa-users] issues with secondary groups? (sssd)

Jakub Hrozek jhrozek at redhat.com
Mon Mar 2 09:12:39 UTC 2015


On Sat, Feb 28, 2015 at 11:07:20AM -0800, Janelle wrote:
> Hello,
> 
> I was wondering - I have searched around and seen a few questions and
> solutions, but nothing I try is fixing my environment.
> 
> Things have been working quite well with IPA 4.0.5, simple things with auth
> and logins - some with full ipa-client-install configured, others just using
> LDAP and that is where the strangeness comes from.
> 
> With full IPA client integration, secondary groups work just fine, as do
> base commands like "id" and "getent". However, the "ldap" users never show
> the secondary group for their uid?
> 
> Any pointers you might suggest? I have tried the sssd.conf of
> "ldap_group_member = uniqeMember" - no change.
> 
> A simple secondary group is defined:
> 
> dn: cn=web_users,cn=groups,cn=accounts,dc=example,dc=com
> cn: web_users
> objectClass: ipaobject
> objectClass: extensibleobject
> objectClass: top
> objectClass: ipausergroup
> objectClass: posixgroup
> objectClass: groupofnames
> objectClass: nestedgroup
> memberUid: user1
> memberUid: user2
> memberUid: user3
> memberUid: user4
> memberUid: user5
> member: uid=user1,cn=users,cn=accounts,dc=example,dc=com
> member: uid=user2,cn=users,cn=accounts,dc=example,dc=com
> member: uid=user3,cn=users,cn=accounts,dc=example,dc=com
> member: uid=user4,cn=users,cn=accounts,dc=example,dc=com
> member: uid=user5,cn=users,cn=accounts,dc=example,dc=com
> 
> and yet with debug_level = 7 -- sssd still says:
> [sdap_process_ghost_members] (0x0400): Group has 0 members

Was the client installed with ipa-client-install? There I would suggest
to just use the defaults and everything should work.

Can you try again, this time with the default configuration of
id_provider=ipa? You might need to clear the cache (rm
/var/lib/sss/db/cache_*) if you were playing around with the schema.



