[Freeipa-users] Reply: FreeIPA groups not shown on client

Christoph Kaminski christoph.kaminski at biotronik.com
Fri May 22 16:28:33 UTC 2015


freeipa-users-bounces at redhat.com wrote on 22.05.2015 09:37:04:

> From: Nikola Kržalić <nikola at krzalic.com>
> To: freeipa-users at redhat.com
> Date: 22.05.2015 15:05
> Subject: [Freeipa-users] FreeIPA groups not shown on client
> Sent by: freeipa-users-bounces at redhat.com
> 
> I have an Ubuntu system running IPA client. I am able to log in via ssh
> using IPA users, but I do not get any group memberships or sudo rules.
> Same configuration works on a different system (running CentOS).
> 
> sssd domain log output shows that the groups are retrieved from server
> successfully:
> 
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [admins] for user [nkrzalic]
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [ipausers] for user [nkrzalic]
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [editors] for user [nkrzalic]
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [trust admins] for user [nkrzalic]
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [devops_team] for user [nkrzalic]
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [dev_team] for user [nkrzalic]
> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
> (0x1000): Added group [sys_team] for user [nkrzalic]
> 
> However, these groups are not shown on the user upon login:
> 
> nkrzalic at ircsrv1:~$ id
> uid=281200051(nkrzalic) gid=281200051(nkrzalic)
> groups=281200051(nkrzalic)
> 
> I tried cleaning sssd cache but that didn't help.
> 
> sssd conf is as follows:
> 
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> 
> nsswitch.conf seems to be correct as well:
> 
> # /etc/nsswitch.conf
> 
> passwd:         compat sss
> group:          compat sss
> shadow:         compat
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis sss
> sudoers:        files sss
> 
> Interestingly after I do "getent group devops_team" this group shows up:
> 
> nkrzalic at ircsrv1:~$ id
> uid=281200051(nkrzalic) gid=281200051(nkrzalic)
> groups=281200051(nkrzalic),281200001(devops_team)
> nkrzalic at ircsrv1:~$
> 
> 
> Any ideas?
> 
> 

Try to kill the cache with:
(stop sssd) rm -rf /var/lib/sss/db/* (start sssd)

We have often had the same problems here, and only really killing the cache has
fixed it (sss_cache -A hasn't helped).

Greetz
Christoph Kaminski
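
Added example (not part of the original messages): a small check for the symptom described in this thread, listing groups that the sssd backend logged for a user during HBAC evaluation but that `id` does not report, so the result can be compared before and after the cache is removed. The function names and the sample data are assumptions constructed from the log lines and `id` output quoted above.

```shell
#!/bin/sh
# Added example: groups the sssd backend logged vs. groups NSS reports.

# Groups named in hbac_eval_user_element log lines for USER, one per line.
backend_groups() {  # usage: backend_groups USER < sssd_domain.log
  sed -n 's/.*\[hbac_eval_user_element\].*Added group \[\([^]]*\)\] for user \[\([^]]*\)\].*/\1|\2/p' |
    awk -F'|' -v u="$1" '$2 == u { print $1 }' | sort -u
}

# Group names from one line of `id` output, one per line.
nss_groups() {  # usage: nss_groups "ID_OUTPUT"
  printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n' |
    sed 's/^[0-9]*(\(.*\))$/\1/'
}

# Groups the backend logged for USER that are absent from the id output.
# A name listed here may also be a non-POSIX group, which NSS never reports.
missing_groups() {  # usage: missing_groups USER "ID_OUTPUT" < sssd_domain.log
  nss=$(nss_groups "$2")
  backend_groups "$1" | while IFS= read -r g; do
    printf '%s\n' "$nss" | grep -Fxq -- "$g" || printf '%s\n' "$g"
  done
}

# Constructed sample: three of the log lines quoted above, unwrapped to one
# line each as sssd writes them.
sample_log() {
  cat <<'EOF'
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [admins] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [trust admins] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [devops_team] for user [nkrzalic]
EOF
}

# Constructed sample: the second `id` output quoted above, on one line.
SAMPLE_ID='uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic),281200001(devops_team)'

# Demo on the constructed sample; on a real client pass "$(id USER)" and
# feed the sssd domain log on stdin instead.
sample_log | missing_groups nkrzalic "$SAMPLE_ID"
```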

