[Freeipa-users] FreeIPA groups not shown on client
Nikola Kržalić
nikola at krzalic.com
Fri May 22 07:37:04 UTC 2015
I have an Ubuntu system running the IPA client. I am able to log in via ssh
using IPA users, but I do not get any group memberships or sudo rules.
The same configuration works on a different system (running CentOS).
The sssd domain log output shows that the groups are retrieved from the server
successfully:
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [admins] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [ipausers] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [editors] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [trust admins] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [devops_team] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [dev_team] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [sys_team] for user [nkrzalic]
However, these groups are not shown on the user upon login:
nkrzalic at ircsrv1:~$ id
uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic)
I tried cleaning the sssd cache but that didn't help.
sssd conf is as follows:
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
nsswitch.conf seems to be correct as well:
# /etc/nsswitch.conf
passwd: compat sss
group: compat sss
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
Interestingly, after I do "getent group devops_team" this group shows up:
nkrzalic at ircsrv1:~$ id
uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic),281200001(devops_team)
nkrzalic at ircsrv1:~$
Any ideas?
--
Regards,
Nikola Kržalić.
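
A way to quantify the mismatch reported above, as an added example that is not part of the original post: this Python sketch diffs the groups named in the sssd domain log against the groups that `id` prints for the same user. The function names are hypothetical, and the sample input reuses lines quoted in the post.

```python
import re

# sssd domain-log lines in the form quoted in the post, e.g.
# "[hbac_eval_user_element] (0x1000): Added group [admins] for user [nkrzalic]"
ADDED_GROUP = re.compile(r"Added group \[([^\]]+)\] for user \[([^\]]+)\]")
# "gid(name)" entries inside the groups= field of `id` output.
ID_ENTRY = re.compile(r"\d+\(([^)]+)\)")


def groups_from_sssd_log(log_text, user):
    """Groups the sssd backend reported for `user` during HBAC evaluation."""
    # Mail clients wrap long log lines, so collapse whitespace before matching.
    flat = " ".join(log_text.split())
    return {g for g, u in ADDED_GROUP.findall(flat) if u == user}


def groups_from_id(id_output):
    """Group names resolved through NSS, taken from `id` output."""
    flat = " ".join(id_output.split())
    # Group names may contain spaces ("trust admins"), so read to the end of
    # the groups= field; SELinux systems append " context=..." after it.
    m = re.search(r"groups=(.*?)(?: context=|$)", flat)
    return set(ID_ENTRY.findall(m.group(1))) if m else set()


def missing_groups(log_text, id_output, user):
    """Groups present in the sssd log but absent from the login session."""
    return sorted(groups_from_sssd_log(log_text, user) - groups_from_id(id_output))


# Sample input: lines from the post, wrapped the way the mail wrapped them.
SAMPLE_LOG = """\
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
(0x1000): Added group [admins] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
(0x1000): Added group [trust admins] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
(0x1000): Added group [devops_team] for user [nkrzalic]
"""
ID_AT_LOGIN = "uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic)"
ID_AFTER_GETENT = """uid=281200051(nkrzalic) gid=281200051(nkrzalic)
groups=281200051(nkrzalic),281200001(devops_team)"""

if __name__ == "__main__":
    print("missing at login:    ", missing_groups(SAMPLE_LOG, ID_AT_LOGIN, "nkrzalic"))
    print("missing after getent:", missing_groups(SAMPLE_LOG, ID_AFTER_GETENT, "nkrzalic"))
```

A non-empty result means the session lacks groups that the backend has already fetched, so any sudo rule or file permission keyed on those groups will not apply to that login.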