[Freeipa-users] issues with secondary groups? (sssd)

Janelle janellenicole80 at gmail.com
Mon Mar 2 12:09:34 UTC 2015


That was the point. The clients were not installed with IPA client install.
I have 2000 clients and am still working on a simple way to automate the client install with ansible or puppet. Currently just trying to get it working with simple sssd/ldap-only auth.

~J



> On Mar 2, 2015, at 01:12, Jakub Hrozek <jhrozek at redhat.com> wrote:
> 
>> On Sat, Feb 28, 2015 at 11:07:20AM -0800, Janelle wrote:
>> Hello,
>> 
>> I was wondering - I have searched around and seen a few questions and
>> solutions, but nothing I try is fixing my environment.
>> 
>> Things have been working quite well with IPA 4.0.5, simple things with auth
>> and logins - some with full ipa-client-install configured, others just using
>> LDAP and that is where the strangeness comes from.
>> 
>> with full IPA client integration, secondary groups work just fine, as do
>> base commands like "id" and "getent". However, the "ldap" users never show
>> the secondary group for their uid?
>> 
>> Any pointers you might suggest? I have tried the sssd.conf of
>> "ldap_group_member = uniqeMember" - no change.
>> 
>> a simple secondary group is defined:
>> 
>> dn: cn=web_users,cn=groups,cn=accounts,dc=example,dc=com
>> cn: web_users
>> objectClass: ipaobject
>> objectClass: extensibleobject
>> objectClass: top
>> objectClass: ipausergroup
>> objectClass: posixgroup
>> objectClass: groupofnames
>> objectClass: nestedgroup
>> memberUid: user1
>> memberUid: user2
>> memberUid: user3
>> memberUid: user4
>> memberUid: user5
>> member: uid=user1,cn=users,cn=accounts,dc=example,dc=com
>> member: uid=user2,cn=users,cn=accounts,dc=example,dc=com
>> member: uid=user3,cn=users,cn=accounts,dc=example,dc=com
>> member: uid=user4,cn=users,cn=accounts,dc=example,dc=com
>> member: uid=user5,cn=users,cn=accounts,dc=example,dc=com
>> 
>> and yet with debug_level = 7 -- sssd still says:
>> [sdap_process_ghost_members] (0x0400): Group has 0 members
> 
> Was the client installed with ipa-client-install? There I would suggest
> to just use the defaults and everything should work.
> 
> Can you try again, this time with default configuration of
> id_provider=ipa ? You might need to clear the cache (rm
> /var/lib/sss/db/cache_*) if you were playing around with the schema..
> 
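A small diagnostic, added here as an example and not part of the thread, that makes the "Group has 0 members" symptom concrete: it parses a group entry in LDIF (the sample below is reconstructed from the web_users entry quoted above) and reports how many member values sssd would read for a given ldap_group_member setting. The per-schema defaults (memberUid for rfc2307, member for rfc2307bis/ipa/ad) come from sssd-ldap(5); the entry carries both memberUid and member, so either default yields five members, while an attribute name the entry does not carry, such as the misspelled uniqeMember from the thread, yields zero values, which is consistent with the debug line quoted above. The function names and the sample data are this example's own.

```python
"""Check which ldap_group_member attribute a group entry actually carries.

Added example, not code from the thread or from the sssd project.
"""
import base64
from collections import defaultdict

# Constructed sample: the web_users group from the thread, as LDIF text.
SAMPLE_LDIF = """\
dn: cn=web_users,cn=groups,cn=accounts,dc=example,dc=com
cn: web_users
objectClass: ipaobject
objectClass: extensibleobject
objectClass: top
objectClass: ipausergroup
objectClass: posixgroup
objectClass: groupofnames
objectClass: nestedgroup
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
member: uid=user1,cn=users,cn=accounts,dc=example,dc=com
member: uid=user2,cn=users,cn=accounts,dc=example,dc=com
member: uid=user3,cn=users,cn=accounts,dc=example,dc=com
member: uid=user4,cn=users,cn=accounts,dc=example,dc=com
member: uid=user5,cn=users,cn=accounts,dc=example,dc=com
"""

# Default ldap_group_member per ldap_schema, as documented in sssd-ldap(5).
SCHEMA_DEFAULT_MEMBER_ATTR = {
    "rfc2307": "memberUid",
    "rfc2307bis": "member",
    "ipa": "member",
    "ad": "member",
}


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute_lowercased: [values]}.

    Handles multi-valued attributes, LDIF continuation lines (leading
    space) and base64 values ("attr:: ...")."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of previous line
        elif raw.strip():
            logical.append(raw)
    attrs = defaultdict(list)
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        # LDAP attribute names are case-insensitive, so normalise them.
        attrs[name.strip().lower()].append(value.strip())
    return dict(attrs)


def members_for(entry, group_member_attr):
    """Values sssd would read for the given ldap_group_member attribute."""
    return entry.get(group_member_attr.lower(), [])


def diagnose(entry, configured_attr=None, schema="rfc2307"):
    """Return (attribute sssd will query, number of member values found).

    configured_attr mirrors an explicit ldap_group_member setting; when it
    is None the schema default applies. A count of 0 means sssd has nothing
    to resolve, which surfaces as 'Group has 0 members' in the debug log."""
    attr = configured_attr or SCHEMA_DEFAULT_MEMBER_ATTR[schema]
    return attr, len(members_for(entry, attr))


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    candidates = [
        (None, "rfc2307"),           # default: memberUid
        (None, "rfc2307bis"),        # default: member
        ("uniqeMember", "rfc2307"),  # the setting quoted in the thread
        ("uniqueMember", "rfc2307bis"),
    ]
    for attr, schema in candidates:
        used, count = diagnose(entry, attr, schema)
        print(f"ldap_schema={schema:<11} ldap_group_member={used:<12} "
              f"-> {count} members")
```

Run it against an entry exported with ldapsearch instead of the embedded sample to see which of the configured attribute names your directory actually populates before touching sssd.conf; remember to clear /var/lib/sss/db/cache_* after changing schema settings, as the reply above notes.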



