[Freeipa-users] FreeIPA groups not shown on client
Lukas Slebodnik
lslebodn at redhat.com
Fri May 22 14:26:12 UTC 2015
On (22/05/15 09:37), Nikola Kržalić wrote:
>I have a ubuntu system running IPA client. I am able to log in via ssh
>using IPA users, but I do not get any group memberships or sudo rules.
>Same configuration works on a different system (running CentOS).
>
>sssd domain log output shows that the groups are retrieved from server
>successfully:
>
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [admins] for user [nkrzalic]
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [ipausers] for user [nkrzalic]
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [editors] for user [nkrzalic]
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [trust admins] for user [nkrzalic]
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [devops_team] for user [nkrzalic]
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [dev_team] for user [nkrzalic]
>(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>(0x1000): Added group [sys_team] for user [nkrzalic]
>
>However, these groups are not shown on the user upon login:
>
>nkrzalic at ircsrv1:~$ id
>uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic)
>
>I tried cleaning sssd cache but that didn't help.
>
>sssd conf is as follows:
>
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>
>nsswitch.conf seems to be correct as well:
>
># /etc/nsswitch.conf
>
>passwd: compat sss
>group: compat sss
>shadow: compat
>
>hosts: files dns
>networks: files
>
>protocols: db files
>services: db files
>ethers: db files
>rpc: db files
>
>netgroup: nis sss
>sudoers: files sss
>
>Interestingly after I do "getent group devops_team" this group shows up:
>
>nkrzalic at ircsrv1:~$ id
>uid=281200051(nkrzalic) gid=281200051(nkrzalic)
>groups=281200051(nkrzalic),281200001(devops_team)
Missing groups on ubuntu (sssd-1.11) can be caused by bug
https://fedorahosted.org/sssd/ticket/2471.
This bug is fixed on CentOS.
Workaround is to amend configuration of domain section.
ldap_group_object_class = ipaUserGroup
If it does not help then please follow instruction from wiki
https://fedorahosted.org/sssd/wiki/Troubleshooting
LS
More information about the Freeipa-users
mailing list