[Freeipa-users] FreeIPA groups not shown on client
Jakub Hrozek
jhrozek at redhat.com
Fri May 22 13:11:13 UTC 2015
On Fri, May 22, 2015 at 09:37:04AM +0200, Nikola Kržalić wrote:
> I have an Ubuntu system running IPA client. I am able to log in via ssh
> using IPA users, but I do not get any group memberships or sudo rules.
> Same configuration works on a different system (running CentOS).
>
> sssd domain log output shows that the groups are retrieved from server
> successfully:
>
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [admins] for user [nkrzalic]
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [ipausers] for user [nkrzalic]
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [editors] for user [nkrzalic]
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [trust admins] for user [nkrzalic]
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [devops_team] for user [nkrzalic]
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [dev_team] for user [nkrzalic]
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [sys_team] for user [nkrzalic]
Is anything else in the logs?

What server version are you running? I guess you might be hitting the
dereference bug that appeared after IPA tightened its ACIs;
https://fedorahosted.org/sssd/ticket/2421