[Freeipa-users] Clients are reading AD info inconsistently

[Guertin, David S.]

>I would like to just clarify tis a bit. The support to lookup up secondary groups
>(the group list the id command shows) for user which never authenticated
>was added in 7.1/6.7.

Thanks. This makes sense, and indeed with Client 1 I can indeed log in, and "id 'MIDD\juser'" shows all the groups again.

However, logins to Client 2 (also running RHEL 6.6 and sssd 1.11.6) still fail, and "id 'MIDD\juser'" on that client shows only local IPA groups, not AD groups.

And logins to Client 3 also fail, and "id 'MIDD\juser'" there shows "No such user". (This is the RHEL 5 box with sssd 1.5.1.) So we're back to my original problem of three clients all behaving differently.

>David, the IPA clients will connect the IPA server to get the user data.
>This means if the server cannot resolve the user the clients cannot either. So
>the IPA server should be checked first.

All three servers can resolve the user. The user can log in to all the servers and "id 'MIDD\juser'" shows the correct AD groups.

>You said that you have three IPA servers (master and replicas). Did you run
>ipa-adtrust-install on all server? If not, please do. If you are not sure, running
>ipa-adtrust-install multiple times does not so any harm.

Yes, the trust relationship is set up correctly on all three servers, and "ipa trust-find --all" gives identical results on all three servers, correctly showing the trust relationship with our AD domain.

> Since you are using RHEL-6 clients I assume your IPA servers are on
>RHEL-6 as well. 

No, the servers are all running RHEL 7.1, so we're not using winbind at all -- just sssd.

The clients are a mix of RHEL 6 and RHEL 5 machines.

David Guertin