[Freeipa-users] Clients are reading AD info inconsistently

Sumit Bose sbose at redhat.com
Thu Mar 26 08:23:21 UTC 2015


On Wed, Mar 25, 2015 at 08:01:36PM -0400, Dmitri Pal wrote:
> On 03/25/2015 11:44 AM, Simo Sorce wrote:
> >On Wed, 2015-03-25 at 14:46 +0000, Guertin, David S. wrote:
> >>Follow-up: today I tried clearing the sssd cache and restarting sssd on all three clients, and all three lost their AD users:
> >>
> >># rm -f /var/lib/sss/db/*
> >># service sssd restart
> >>Stopping sssd:                                             [  OK  ]
> >>Starting sssd:                                             [  OK  ]
> >># id 'MIDD\juser'
> >>id: MIDD\juser: No such user
> >>
> >>David Guertin
> >>
> >This is normal, users are "loaded in" when they actually try to Log In.
> >
> >Simo.
> >
> Yes. The ability to look up AD users that never authenticated was added in
> 7.1 and 6.7 (i.e. SSSD 1.12)

I would like to just clarify this a bit. The support to look up
secondary groups (the group list the id command shows) for users who
never authenticated was added in 7.1/6.7.

The plain user lookup as e.g. done with the 'getent passwd username'
always worked.

David, the IPA clients will connect to the IPA server to get the user data.
This means if the server cannot resolve the user the clients cannot
either. So the IPA server should be checked first.

You said that you have three IPA servers (master and replicas). Did you
run ipa-adtrust-install on all servers? If not, please do. If you are not
sure, running ipa-adtrust-install multiple times does not do any harm.

Since you are using RHEL-6 clients I assume your IPA servers are on
RHEL-6 as well. In this case please check whether the command

wbinfo -n 'MIDD\juser'

returns the SID of the user on the IPA server.

HTH

bye,
Sumit

> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.



