Which versions of SSSD and FreeIPA are you using?


"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."

 - Patrisse Cullors, *Black Lives Matter founder*

On 6 July 2017 at 00:22, bogusmaster--- via FreeIPA-users <> wrote:

> Hi all,
> I have set up trust between FreeIPA and AD. Users from AD domain can
> successfully log into the linux boxes when I have allow_all rule enabled.
> However, when I try to achieve something more fancy, like assigning set of
> users to a custom group (firstly external, then the posix one) or make it
> possible for AD users to use ssh public key authentication via Default
> Trust View user settings override, FreeIPA behaves in slightly
> nondeterministic way. It manifests itself in a couple of ways:
> - users that I uploaded SSH keys for can't use them right away. Sometimes
> it is a matter of minutes, sometimes it is a matter of hours for the ssh
> public keys to work. I observed that when I add a couple of keys, then
> whenever one ssh public key starts working for one user, it works for all
> of them.
> - the same as above applies to AD users that are added to a group which
> later on is used in HBAC rule definition. When I add a user to this group,
> he/she can't log in straight away but it takes some time to propagate.
> - and last but not least: when I delete a user who can successfully log
> into a Linux box from a group which is used in HBAC rule definition, he/she
> can still log in to that box. To make things more awkward, user can access
> one client machine as if they wasn't deleted from the group whereas they
> can't access other client machine and receives "Connection closed by
> UNKNOWN" response upon ssh connection establishment (which is desired in
> both Linux machines).
> I tried to clear sssd cache by issuing sss_cache -E and restarted sssd
> daemon  on Linux machine which is affected by that behaviour, but to no
> avail.
> Can someone please point me to what I can do to troubleshoot this further
> and make changes applied to IPA server be visible right away?
> Many thanks,
> Bart
> _______________________________________________
> FreeIPA-users mailing list --
> To unsubscribe send an email to
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to