[Freeipa-users] Reply: FreeIPA groups not shown on client

Lukas Slebodnik lslebodn at redhat.com
Fri May 22 16:53:33 UTC 2015


On (22/05/15 18:28), Christoph Kaminski wrote:
>freeipa-users-bounces at redhat.com wrote on 22.05.2015 09:37:04:
>
>> From: Nikola Kržalić <nikola at krzalic.com>
>> To: freeipa-users at redhat.com
>> Date: 22.05.2015 15:05
>> Subject: [Freeipa-users] FreeIPA groups not shown on client
>> Sent by: freeipa-users-bounces at redhat.com
>> 
>> I have a ubuntu system running IPA client. I am able to log in via ssh
>> using IPA users, but I do not get any group memberships or sudo rules.
>> Same configuration works on a different system (running CentOS).
>> 
>> sssd domain log output shows that the groups are retrieved from server
>> successfully:
>> 
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [admins] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [ipausers] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [editors] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [trust admins] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [devops_team] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [dev_team] for user [nkrzalic]
>> (Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element]
>> (0x1000): Added group [sys_team] for user [nkrzalic]
>> 
>> However, these groups are not shown on the user upon login:
>> 
>> nkrzalic at ircsrv1:~$ id
>> uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic)
>> 
>> I tried cleaning sssd cache but that didn't help.
>> 
>> sssd conf is as follows:
>> 
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>> 
>> nsswitch.conf seems to be correct as well:
>> 
>> # /etc/nsswitch.conf
>> 
>> passwd:         compat sss
>> group:          compat sss
>> shadow:         compat
>> 
>> hosts:          files dns
>> networks:       files
>> 
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>> 
>> netgroup:       nis sss
>> sudoers:        files sss
>> 
>> Interestingly after I do "getent group devops_team" this group shows up:
>> 
>> nkrzalic at ircsrv1:~$ id
>> uid=281200051(nkrzalic) gid=281200051(nkrzalic)
>> groups=281200051(nkrzalic),281200001(devops_team)
>> nkrzalic at ircsrv1:~$
>> 
>> 
>> Any ideas?
>> 
>> 
>
>try to kill the cache with:
>(stop sssd) rm -rf /var/lib/sss/db/* (start sssd)
>
>We have often had the same problem here, and only really killing the cache
>has fixed it (sss_cache -A hasn't helped)
>
I'm sorry it is not a solution.
If you still have a problem and you are able to reproduce it
then please file a bug with log files.

LS
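
The mismatch reported in this thread (groups listed by HBAC evaluation in the SSSD domain log but absent from `id`), as an added example that is not part of the original messages: a Python sketch that diffs the two, useful as evidence to attach to a bug report. The sample log and `id` text are constructed from the lines quoted above, and the function names are hypothetical.

```python
import re

# SSSD domain-log entries of the form quoted in the thread; \s* tolerates the
# line wrap that mail clients insert before "(0x1000):".
HBAC_RE = re.compile(
    r"\[hbac_eval_user_element\]\s*\(0x[0-9a-fA-F]+\):\s*"
    r"Added group \[(?P<group>[^\]]+)\] for user \[(?P<user>[^\]]+)\]"
)
# One "gid(name)" entry from `id`; group names may contain spaces.
ID_ENTRY_RE = re.compile(r"\d+\(([^)]*)\)")

def groups_from_hbac_log(log_text, user):
    """Groups the IPA backend resolved for `user` during HBAC evaluation."""
    return {m.group("group") for m in HBAC_RE.finditer(log_text)
            if m.group("user") == user}

def groups_from_id(id_output):
    """Group names reported through NSS, taken from the groups= field of `id`."""
    _, sep, tail = id_output.partition("groups=")
    return set(ID_ENTRY_RE.findall(tail)) if sep else set()

def missing_from_nss(log_text, id_output, user):
    """Groups seen by the backend that `id` does not report, sorted."""
    return sorted(groups_from_hbac_log(log_text, user) - groups_from_id(id_output))

# Constructed sample, modelled on the log lines and `id` output in the thread.
PREFIX = "(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): "
SAMPLE_LOG = "\n".join(
    PREFIX + "Added group [%s] for user [nkrzalic]" % g
    for g in ("admins", "ipausers", "editors", "trust admins",
              "devops_team", "dev_team", "sys_team")
)
ID_AT_LOGIN = "uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic)"
ID_AFTER_GETENT = ("uid=281200051(nkrzalic) gid=281200051(nkrzalic) "
                   "groups=281200051(nkrzalic),281200001(devops_team)")

if __name__ == "__main__":
    for label, out in (("at login", ID_AT_LOGIN), ("after getent", ID_AFTER_GETENT)):
        print(label, "-> missing from id:", missing_from_nss(SAMPLE_LOG, out, "nkrzalic"))
```
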



