[Freeipa-users] Trying To Debug AD Trust Quirks

Jakub Hrozek jhrozek at redhat.com
Wed Mar 29 07:41:52 UTC 2017


On Tue, Mar 28, 2017 at 11:59:27AM -0500, Jason B. Nance wrote:
> Hello,
> 
> I'm using AD trusts with FreeIPA 4.4.0 and am having a heck of a time with strange behavior.  Some examples include:
> 
> - Trust user's home directory sporadically getting set to '/' instead of /home/domain/user
> - Trust user losing HBAC privileges (granted via group membership)
> - Trust user losing sudo privileges (granted via group membership)
> - OS logging that trust user's account has expired when it hasn't
> 
> I'm currently unable to predict/reproduce occurrences of these issues.  I can say that they aren't tied to a specific user or host.  For example, a user will login to a host without any issues and then later that same user's home directory (as reported by getent) will suddenly be set to / instead of /home/...
> 
> My first step, of course, is to gather logs.  Should I be focusing on the SSSD on the client or on the IPA servers?  I'm not entirely clear how/where lots of this data get assigned/queried.
> 
> My other question is if there is a way to pin down a client to [temporarily] use a specific IPA server and specific AD server (even if it means a firewall rule that only allows the host to communicate with one IPA and one AD host).

Normally time-correlated logs from both the server's domain and nss sections
of sssd.conf and the client's domain section are a good start.
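A small merge-and-filter script for the time-correlated SSSD logs suggested above (the client's domain log plus the server's nss and domain logs), added here as an example and not part of the thread or of SSSD itself. The log lines, user name and domain names are constructed placeholders; it assumes debug_level was already raised in the relevant sssd.conf sections and that the files were copied off each host.

```python
import re
from datetime import datetime

# Line shape of SSSD 1.x debug logs under /var/log/sssd/:
# "(Tue Mar 28 11:58:03 2017) [sssd[nss]] [function] (0x0100): message"
LINE_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\) "
    r"\[(?P<comp>sssd\[[^ ]+)\] \[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$"
)

def parse_line(line):
    """Return (timestamp, component, function, level, message), or None for non-matching lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None  # multi-line continuations or unrelated text
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["comp"], m["func"], int(m["lvl"], 16), m["msg"]

def build_timeline(logs, user=None):
    """Merge {source_name: log_text} into one list sorted by timestamp.

    Each entry is (timestamp, source, component, function, message). If `user`
    is given, only lines mentioning that user (case-insensitive) are kept.
    """
    entries = []
    for source, text in logs.items():
        for line in text.splitlines():
            parsed = parse_line(line)
            if parsed is None:
                continue
            ts, comp, func, _lvl, msg = parsed
            if user and user.lower() not in msg.lower():
                continue
            entries.append((ts, source, comp, func, msg))
    entries.sort(key=lambda e: e[0])  # stable: same-second lines keep per-source order
    return entries

def sample_logs():
    """Constructed sample captures (placeholders, not real SSSD output)."""
    client_domain = (
        "(Tue Mar 28 11:58:01 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(uid=jnance@ad.example.com)]\n"
        "(Tue Mar 28 11:58:04 2017) [sssd[be[ipa.example.com]]] [sysdb_store_user] (0x0080): Storing user jnance@ad.example.com with homedir [/]\n")
    server_nss = (
        "(Tue Mar 28 11:58:02 2017) [sssd[nss]] [nss_cmd_getpwnam] (0x0100): Requesting info for [jnance@ad.example.com]\n"
        "(Tue Mar 28 11:58:02 2017) [sssd[nss]] [nss_cmd_getpwnam] (0x0100): Requesting info for [svc_backup@ad.example.com]\n")
    server_domain = (
        "(Tue Mar 28 11:58:03 2017) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_done] (0x0040): Override for jnance@ad.example.com has no homeDirectory attribute\n"
        "this continuation line is skipped by the parser\n")
    return {"client:domain": client_domain, "server:nss": server_nss, "server:domain": server_domain}

if __name__ == "__main__":
    for ts, src, comp, func, msg in build_timeline(sample_logs(), user="jnance"):
        print(f"{ts:%H:%M:%S} {src:<14} {comp:<28} {func}: {msg}")
```

Replace `sample_logs()` with the real files read from each host and pass the affected user's name; the merged view shows which side answered with the bad home directory first.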
