[Freeipa-users] Clients are reading AD info inconsistently

Sumit Bose sbose at redhat.com
Thu Mar 26 16:40:19 UTC 2015


On Thu, Mar 26, 2015 at 03:24:06PM +0000, Guertin, David S. wrote:
> >I would like to just clarify this a bit. The support to look up secondary groups
> >(the group list the id command shows) for users who never authenticated
> >was added in 7.1/6.7.
> 
> Thanks. This makes sense, and with Client 1 I can indeed log in, and "id 'MIDD\juser'" shows all the groups again.
> 
> However, logins to Client 2 (also running RHEL 6.6 and sssd 1.11.6) still fail, and "id 'MIDD\juser'" on that client shows only local IPA groups, not AD groups.

As long as the user has not logged in it is expected that the id command
does not show the full list of groups. To see why the login fails it
would be good to know how you try to log in (I assume ssh) and which
authentication method is used (password, ssh key, Kerberos ticket).
Additionally the SSSD log files might be needed; most important here are
the logs from the PAM and PAC responders and the domain log.

> 
> And logins to Client 3 also fail, and "id 'MIDD\juser'" there shows "No such user". (This is the RHEL 5 box with sssd 1.5.1.) So we're back to my original problem of three clients all behaving differently.

For RHEL5 you need a special configuration for SSSD, call 'ipa-advise
config-redhat-sssd-before-1-9' for more details.

HTH

bye,
Sumit

> 
> >David, the IPA clients will connect to the IPA server to get the user data.
> >This means that if the server cannot resolve the user, the clients cannot either. So
> >the IPA server should be checked first.
> 
> All three servers can resolve the user. The user can log in to all the servers and "id 'MIDD\juser'" shows the correct AD groups.
> 
> >You said that you have three IPA servers (master and replicas). Did you run
> >ipa-adtrust-install on all servers? If not, please do. If you are not sure, running
> >ipa-adtrust-install multiple times does not do any harm.
> 
> Yes, the trust relationship is set up correctly on all three servers, and "ipa trust-find --all" gives identical results on all three servers, correctly showing the trust relationship with our AD domain.
> 
> > Since you are using RHEL-6 clients I assume your IPA servers are on
> >RHEL-6 as well. 
> 
> No, the servers are all running RHEL 7.1, so we're not using winbind at all -- just sssd.
> 
> The clients are a mix of RHEL 6 and RHEL 5 machines.
> 
> David Guertin
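
As an added example (not part of the thread, and not SSSD's or FreeIPA's own tooling): a small POSIX shell script that raises debug_level in exactly the three sssd.conf sections whose logs are asked for above, the PAM responder ([pam]), the PAC responder ([pac]) and the IPA domain ([domain/...]), and then lists the log files those sections write to. It assumes the default log directory /var/log/sssd and the usual section layout of sssd.conf; the sample configuration it runs on is constructed here, so it can be tried on a copy before touching /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example: turn up SSSD debug output for the PAM responder, the PAC
# responder and the IPA domain, then list the log files to collect.
# Works on whatever file is passed in (e.g. a copy of /etc/sssd/sssd.conf).
set -e

# set_debug_level FILE LEVEL
# Puts "debug_level = LEVEL" directly under each [pam], [pac] and [domain/...]
# header and drops any debug_level already set in those sections. Other
# sections ([sssd], [nss], ...) are left untouched. The file mode is preserved
# via cp -p, which matters: sssd refuses to start if sssd.conf is not 0600.
set_debug_level() {
    file=$1
    level=$2
    tmp="$file.tmp"
    cp -p "$file" "$tmp"          # copy first so mode and owner carry over
    awk -v lvl="$level" '
        /^\[/ {
            want = ($0 ~ "^\\[(pam|pac|domain/)")
            print
            if (want) print "debug_level = " lvl
            next
        }
        want && /^[ \t]*debug_level[ \t]*=/ { next }   # old value in a target section
        { print }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# sssd_log_files FILE
# Prints the log files for those sections, assuming the default directory
# /var/log/sssd. Domain logs are named after the [domain/NAME] header.
sssd_log_files() {
    echo /var/log/sssd/sssd_pam.log
    echo /var/log/sssd/sssd_pac.log
    sed -n 's|^\[domain/\(.*\)]|/var/log/sssd/sssd_\1.log|p' "$1"
}

# Demo on a constructed sssd.conf (made up for this example, not from the thread).
demo=$(mktemp)
cat > "$demo" <<'EOF'
[sssd]
services = nss, pam, pac
domains = ipa.example.com

[nss]

[pam]
debug_level = 2

[pac]

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa1.example.com
EOF
set_debug_level "$demo" 9
cat "$demo"
echo "--- logs to collect after 'service sssd restart' and one failed login:"
sssd_log_files "$demo"
rm -f "$demo"
```

After applying this to the real file on a client, restart sssd, reproduce one failed login, and attach the listed files; debug_level 9 is verbose, so turn it back down afterwards.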
