[Freeipa-users] HBAC access denied, all AD groups not detected
Lachlan Musicman
datakid@gmail.com
Tue May 17 05:08:37 UTC 2016
FWIW,
We are seeing the issues that are described here:
https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html
I was about to write when I found this; it explains exactly what I am
seeing, right down to the "impossible to reproduce because it's so
(seemingly) random".
I am about to read up on the SSSD troubleshooting in order to turn up the logs
etc., but here is some output I can share. Note that this all happened in
~5 minutes. As you can see, clearing the cache has various unpredictable
effects. Both users should return the same list of groups. This was
performed on a FreeIPA client.
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10004(bioinf-core@unix.petermac.org.au)
10005(rcf-staff@unix.petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
10011(facs-compute@unix.petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10004(bioinf-core@unix.petermac.org.au)
10005(rcf-staff@unix.petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
10011(facs-compute@unix.petermac.org.au)
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10011(facs-compute@unix.petermac.org.au)
10004(bioinf-core@unix.petermac.org.au)
10005(rcf-staff@unix.petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10004(bioinf-core@unix.petermac.org.au)
10005(rcf-staff@unix.petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
10011(facs-compute@unix.petermac.org.au)
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10011(facs-compute@unix.petermac.org.au)
10004(bioinf-core@unix.petermac.org.au)
10005(rcf-staff@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10011(facs-compute@unix.petermac.org.au)
10004(bioinf-core@unix.petermac.org.au)
10005(rcf-staff@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd
[root@emts-facs ~]# rm -rf /var/lib/sss/db/*
[root@emts-facs ~]# systemctl start sssd
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
Cheers
L.
------
The most dangerous phrase in the language is, "We've always done it this
way."
- Grace Hopper
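The session above compares group lists by eye across cache flushes, and the "grep 10" filter also hides any group whose GID does not contain "10". The script below is an added example (not code from the post or from the SSSD project) that turns the same procedure into a check: normalise two `id` lines, report every group present in the first but absent from the second, and optionally wrap the stop/`sss_cache -E`/start sequence from the thread around a live `id` call. It works both for one user before and after a flush and for two users that are expected to share the same groups. The sample `id` lines are constructed from the output in the thread; the uid value and the exact group-name spelling are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: diff the group list that `id`
# returns for a principal across an sssd cache flush (or between two users)
# instead of eyeballing it. POSIX sh plus sed/tr/sort/grep only.

# Constructed sample `id` lines, modelled on the thread's output. The uid and
# the "@" spelling of the group names are assumptions, not taken from the page.
ID_BEFORE='uid=1750612345(ellul jason) gid=1750673801(external - exchange 2010 users@petermac.org.au) groups=1750673801(external - exchange 2010 users@petermac.org.au),10004(bioinf-core@unix.petermac.org.au),10005(rcf-staff@unix.petermac.org.au),10007(cluster-user@unix.petermac.org.au),10011(facs-compute@unix.petermac.org.au)'
ID_AFTER='uid=1750612345(ellul jason) gid=1750673801(external - exchange 2010 users@petermac.org.au) groups=1750673801(external - exchange 2010 users@petermac.org.au),10007(cluster-user@unix.petermac.org.au)'

# Reduce one `id` line to its "gid(name)" entries, one per line, in a fixed
# byte order, so two snapshots compare equal even when sssd returns the
# groups in a different order (the thread shows that happening as well).
normalize_id() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | LC_ALL=C sort
}

# Number of group entries in an `id` line (0 when there is no groups= field).
count_groups() {
    normalize_id "$1" | grep -c . || true
}

# Entries present in the first `id` line but absent from the second.
# Usage: missing_groups "$(id user)" "$(id user)"   (same user, before/after)
#        missing_groups "$(id userA)" "$(id userB)" (two users, same groups)
missing_groups() {
    _after=$(normalize_id "$2")
    normalize_id "$1" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s\n' "$_after" | grep -qxF -- "$entry" || printf '%s\n' "$entry"
    done
}

# Live check for a FreeIPA client, run as root: snapshot, flush the sssd
# cache with the exact sequence used in the thread, snapshot again, and
# return 1 if any group disappeared. Not invoked here; the constructed
# samples above stand in for the two `id` calls.
check_after_flush() {
    before=$(id "$1") || return 2
    systemctl stop sssd; sss_cache -E; systemctl start sssd
    after=$(id "$1") || return 2
    lost=$(missing_groups "$before" "$after")
    [ -z "$lost" ] && return 0
    printf 'groups missing for %s after cache flush:\n%s\n' "$1" "$lost"
    return 1
}

# Demo on the constructed samples: prints the three groups that vanished.
missing_groups "$ID_BEFORE" "$ID_AFTER"
```

Run `check_after_flush "ellul jason"` in a loop on an affected client to get a log of exactly which groups drop out on which iteration, which is a much better thing to attach to a bug report than a handful of `id | grep` runs.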