[Freeipa-users] FreeIPA groups not shown on client

Lukas Slebodnik lslebodn at redhat.com
Fri May 22 14:26:12 UTC 2015


On (22/05/15 09:37), Nikola Kržalić wrote:
>I have a ubuntu system running IPA client. I am able to log in via ssh
>using IPA users, but I do not get any group memberships or sudo rules.
>Same configuration works on a different system (running CentOS).
>
>sssd domain log output shows that the groups are retrieved from server
>successfully:
>
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [admins] for user [nkrzalic]
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [ipausers] for user [nkrzalic]
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [editors] for user [nkrzalic]
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [trust admins] for user [nkrzalic]
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [devops_team] for user [nkrzalic]
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [dev_team] for user [nkrzalic]
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [sys_team] for user [nkrzalic]
>
>However, these groups are not shown on the user upon login:
>
>nkrzalic@ircsrv1:~$ id
>uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic)
>
>I tried cleaning sssd cache but that didn't help.
>
>sssd conf is as follows:
>
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>
>nsswitch.conf seems to be correct as well:
>
># /etc/nsswitch.conf
>
>passwd:         compat sss
>group:          compat sss
>shadow:         compat
>
>hosts:          files dns
>networks:       files
>
>protocols:      db files
>services:       db files
>ethers:         db files
>rpc:            db files
>
>netgroup:       nis sss
>sudoers:        files sss
>
>Interestingly after I do "getent group devops_team" this group shows up:
>
>nkrzalic@ircsrv1:~$ id
>uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic),281200001(devops_team)

Missing groups on Ubuntu (sssd-1.11) can be caused by the bug
https://fedorahosted.org/sssd/ticket/2471.
This bug is fixed on CentOS.

The workaround is to amend the configuration of the domain section:
ldap_group_object_class = ipaUserGroup

If it does not help, please follow the instructions from the wiki:
https://fedorahosted.org/sssd/wiki/Troubleshooting

LS
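Two small POSIX-shell helpers, added here as an example and not code from Lukas, Nikola, FreeIPA or SSSD: the first edits the `ldap_group_object_class = ipaUserGroup` line into the `[domain/...]` section of an sssd.conf the way the reply above suggests (rewriting it if already present, so it is safe to rerun), and the second checks the symptom from the original post by listing groups that the sssd domain log shows being added for a user but that the user's current group list lacks. The domain name example.com, the path /etc/sssd/sssd.conf, the log path and the user/group names in the usage comments are assumptions; adjust them to the real client.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or SSSD). Assumed names:
# domain section [domain/example.com], config /etc/sssd/sssd.conf,
# domain log /var/log/sssd/sssd_example.com.log.

# set_domain_option CONF DOMAIN KEY VALUE
# Ensure "KEY = VALUE" is set in [domain/DOMAIN] and touch nothing else.
# An existing KEY in that section is rewritten in place; otherwise the line
# is added at the first blank line of the section, or at end of file when
# the section is last. Running it twice leaves the file unchanged.
set_domain_option() {
    conf="$1"; domain="$2"; key="$3"; value="$4"
    tmp="$(mktemp)" || return 1
    awk -v section="[domain/$domain]" -v key="$key" -v value="$value" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        # new section header: flush a pending insert for the section we leave
        line ~ /^\[/ {
            if (in_section && !done) { print key " = " value; done = 1 }
            in_section = (line == section)
            print; next
        }
        # existing KEY inside the target section: rewrite it
        in_section && line ~ /=/ {
            k = line; sub(/[ \t]*=.*$/, "", k)
            if (k == key) { print key " = " value; done = 1; next }
        }
        # first blank line of the target section: insert before it
        in_section && !done && line == "" { print key " = " value; done = 1 }
        { print }
        END { if (in_section && !done) print key " = " value }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # write back through the existing file so sssd.conf keeps its
    # root:root 0600 ownership and mode, which sssd requires
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# get_domain_option CONF DOMAIN KEY: print KEY's value from [domain/DOMAIN]
get_domain_option() {
    conf="$1"; domain="$2"; key="$3"
    awk -v section="[domain/$domain]" -v key="$key" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^\[/ { in_section = (line == section); next }
        in_section && line ~ /=/ {
            k = line; sub(/[ \t]*=.*$/, "", k)
            if (k == key) { v = line; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }
    ' "$conf"
}

# missing_groups LOG USER  (current group names, one per line, on stdin)
# Print groups that hbac_eval_user_element added for USER in the domain log
# but that are absent from the list on stdin: exactly the gap between the
# log excerpt and the "id" output in the original post.
missing_groups() {
    log="$1"; user="$2"
    seen="$(mktemp)"; cur="$(mktemp)"
    sed -n "s/.*Added group \[\([^]]*\)] for user \[$user].*/\1/p" "$log" |
        LC_ALL=C sort -u > "$seen"
    LC_ALL=C sort -u > "$cur"
    LC_ALL=C comm -23 "$seen" "$cur"
    rm -f "$seen" "$cur"
}

# Typical use on the affected Ubuntu client (run as root; names assumed):
#   set_domain_option /etc/sssd/sssd.conf example.com ldap_group_object_class ipaUserGroup
#   sss_cache -E                  # invalidate cached users and groups
#   service sssd restart          # or: systemctl restart sssd
#   id -Gn nkrzalic | tr ' ' '\n' | missing_groups /var/log/sssd/sssd_example.com.log nkrzalic
# Group names containing a space (like [trust admins] in the log) cannot be
# split out of "id -Gn" output this way and will always be reported.
```

The config helper compares the trimmed left-hand side of each `key = value` line with the requested key, so a commented-out `#ldap_group_object_class` or the same key in another section is left alone. Check the result with `get_domain_option` before restarting sssd, and keep the write-back via `cat` rather than `mv`: replacing the inode would give sssd.conf the temp file's owner and mode, and sssd refuses a config it does not consider private to root.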