<div dir="ltr">I'm still hoping someone can offer additional help. I see in the apt term.log these errors when downloading the freeipa-client package. Could this be the problem? Creating SSSD system user & group... adduser: Warning: The home directory `/var/lib/sss' does not belong to the user you are currently creating. Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode Warning failed to create cache: usr.sbin.sssd Job for sssd.service failed because the control process exited with error code. See "systemctl status sssd.service" and "journalctl -xe" for details. sssd.service couldn't start. Setting up sssd-ad-common (1.13.4-1ubuntu1) ... Setting up sssd-krb5-common (1.13.4-1ubuntu1) ... Setting up sssd-ad (1.13.4-1ubuntu1) ... Setting up sssd-ipa (1.13.4-1ubuntu1) ... Setting up sssd-krb5 (1.13.4-1ubuntu1) ... Setting up sssd-ldap (1.13.4-1ubuntu1) ... Setting up sssd-proxy (1.13.4-1ubuntu1) ... Setting up sssd (1.13.4-1ubuntu1) ... Setting up freeipa-client (4.3.1-0ubuntu1) ... Processing triggers for libc-bin (2.23-0ubuntu3) ... Processing triggers for systemd (229-4ubuntu7) ... Processing triggers for ureadahead (0.100.0-19) ... Processing triggers for dbus (1.10.6-1ubuntu3) ... Log ended: 2016-08-25 13:49:53 <div class="gmail_extra"> <div class="gmail_quote">On Sun, Aug 14, 2016 at 2:16 PM, Jakub Hrozek <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Pavel, can you help us with this thread? > On 12 Aug 2016, at 21:57, Jeff Goddard <<a href="mailto:jgoddard@emerlyn.com">jgoddard@emerlyn.com</a>> wrote: > > > > On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson <<a href="mailto:jstephen@redhat.com">jstephen@redhat.com</a>> wrote: > In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix' because sudo has no understanding of hostgroups. > > You should be able to query this on a client with > # getent netgroup office > > This should return nisNetgroupTriple for each host in the hostgroup > (<a href="http://ipa-client-1.example.com" rel="noreferrer" target="_blank">ipa-client-1.example.com</a>,-,<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>) (<a href="http://ipa-client-2.example.com" rel="noreferrer" target="_blank">ipa-client-2.example.com</a>,-,<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>) > > I would check this in your environment between working and non-working systems. > I believe in later versions of sssd they added IPA sudo schema support to eliminate the need for the compat tree so this could be related to the issue if newer ubuntu clients are not working but CentOS is working. > > What version of sssd are you running? > Kind regards, > > Justin Stephenson > On 08/12/2016 02:35 PM, Jeff Goddard wrote: >> I made the edit as suggested - removing nis and just leaving sss - restarted sssd and then re-tried. I also tried with files sss. Still getting the same result. >> >> Thanks, >> >> Jeff > The query returns the expect results: > > getent netgroup office > office (<a href="http://docker-dev-01.internal.emerlyn.com" rel="noreferrer" target="_blank">docker-dev-01.internal.emerlyn.com</a>,-,<a href="http://internal.emerlyn.com" rel="noreferrer" target="_blank">internal.emerlyn.com</a>) (<a href="http://docker-dev-02.internal.emerlyn.com" rel="noreferrer" target="_blank">docker-dev-02.internal.emerlyn.com</a>,-,<a href="http://internal.emerlyn.com" rel="noreferrer" target="_blank">internal.emerlyn.com</a>) (<a href="http://docker-dev-03.internal.emerlyn.com" rel="noreferrer" target="_blank">docker-dev-03.internal.emerlyn.com</a>,-,<a href="http://internal.emerlyn.com" rel="noreferrer" target="_blank">internal.emerlyn.com</a>) [more hosts] > > sssd version is 1.13.4 > > Jeff > > > </blockquote></div> </div><div class="gmail_extra">Jeff </div></div>