Hi all,

I have set up trust between FreeIPA and AD. Users from AD domain can 
successfully log into the linux boxes when I have allow_all rule enabled. 
However, when I try to achieve something more fancy, like assigning set of 
users to a custom group (firstly external, then the posix one) or make it 
possible for AD users to use ssh public key authentication via Default Trust 
View user settings override, FreeIPA behaves in slightly nondeterministic way. 
It manifests itself in a couple of ways:
- users that I uploaded SSH keys for can't use them right away. Sometimes it is 
a matter of minutes, sometimes it is a matter of hours for the ssh public keys 
to work. I observed that when I add a couple of keys, then whenever one ssh 
public key starts working for one user, it works for all of them.
- the same as above applies to AD users that are added to a group which later 
on is used in HBAC rule definition. When I add a user to this group, he/she 
can't log in straight away but it takes some time to propagate.
- and last but not least: when I delete a user who can successfully log into a 
Linux box from a group which is used in HBAC rule definition, he/she can still 
log in to that box. To make things more awkward, user can access one client 
machine as if they wasn't deleted from the group whereas they can't access 
other client machine and receives "Connection closed by UNKNOWN" response upon 
ssh connection establishment (which is desired in both Linux machines).

I tried to clear sssd cache by issuing sss_cache -E and restarted sssd daemon  
on Linux machine which is affected by that behaviour, but to no avail.

Can someone please point me to what I can do to troubleshoot this further and 
make changes applied to IPA server be visible right away?

Many thanks,
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to