Bart,

Which versions of SSSD and FreeIPA are you using?
cheers
L.

------
"Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards vision and dreams." - Patrisse Cullors, *Black Lives Matter founder*

On 6 July 2017 at 00:22, bogusmaster--- via FreeIPA-users <firstname.lastname@example.org> wrote:
> Hi all,
>
> I have set up a trust between FreeIPA and AD. Users from the AD domain can successfully log into the Linux boxes when I have the allow_all rule enabled. However, when I try to achieve something more fancy, like assigning a set of users to a custom group (first an external one, then the POSIX one) or making it possible for AD users to use SSH public key authentication via a Default Trust View user settings override, FreeIPA behaves in a slightly nondeterministic way. It manifests itself in a couple of ways:
> - Users that I uploaded SSH keys for can't use them right away. Sometimes it is a matter of minutes, sometimes it is a matter of hours for the SSH public keys to work. I observed that when I add a couple of keys, then whenever one SSH public key starts working for one user, it works for all of them.
> - The same as above applies to AD users that are added to a group which is later used in an HBAC rule definition. When I add a user to this group, he/she can't log in straight away; it takes some time to propagate.
> - And last but not least: when I delete a user who can successfully log into a Linux box from a group which is used in an HBAC rule definition, he/she can still log in to that box. To make things more awkward, the user can access one client machine as if they weren't deleted from the group, whereas they can't access another client machine and receive "Connection closed by UNKNOWN" upon SSH connection establishment (which is the desired behaviour on both Linux machines).
>
> I tried to clear the SSSD cache by issuing sss_cache -E and restarted the sssd daemon on the Linux machine which is affected by that behaviour, but to no avail.
>
> Can someone please point me to what I can do to troubleshoot this further and make changes applied to the IPA server visible right away?
>
> Many thanks,
> Bart
> _______________________________________________
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
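An added example, not code from anyone in this thread, for pinning down the delays Bart describes. SSSD answers lookups from its on-disk cache and only re-fetches an entry once entry_cache_timeout has elapsed (default 5400 seconds, i.e. 90 minutes, per sssd.conf(5)), which matches "sometimes minutes, sometimes hours". With an AD trust, the IPA servers' own SSSD resolves AD users on behalf of the clients (through the extdom plugin), so flushing only the client's cache leaves the server serving the old answer; both sides have to be flushed. The helper below reads the effective user-entry timeout out of an sssd.conf, wraps the real flush commands (`sss_cache -E`, `systemctl restart sssd`) and the real server-side HBAC check (`ipa hbactest`), and is this example's own script; the domain and hostnames it is used with are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread. Helper for diagnosing stale SSSD
# identity data on IPA clients and IPA servers in an AD-trust setup.
# Domain names and hostnames passed to it are assumptions for illustration.

# Print the effective cache timeout (seconds) for user entries of the named
# SSSD domain, reading sssd.conf text from stdin.
# entry_cache_user_timeout overrides the generic entry_cache_timeout for
# user entries; when neither is set, sssd.conf(5) documents 5400 s.
sssd_user_cache_timeout() {
    domain="$1"
    awk -v dom="$domain" '
        /^[[:space:]]*\[/ {                     # section header
            section = $0
            sub(/^[[:space:]]*\[/, "", section)
            sub(/\][[:space:]]*$/, "", section)
            in_dom = (section == "domain/" dom)
            next
        }
        in_dom && /^[[:space:]]*entry_cache_timeout[[:space:]]*=/ {
            split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); generic = kv[2]
        }
        in_dom && /^[[:space:]]*entry_cache_user_timeout[[:space:]]*=/ {
            split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); user = kv[2]
        }
        END {
            if (user != "")         print user
            else if (generic != "") print generic
            else                    print 5400   # sssd.conf(5) default
        }'
}

# Flush the local SSSD state. Run this on every affected IPA client AND on
# every IPA server: the servers SSSD resolves AD users for the clients, so a
# client-only flush (what Bart tried) just re-fetches the servers stale copy.
# sss_cache -E only marks on-disk entries expired; the restart also drops the
# in-memory fast cache used by NSS.
flush_sssd_cache() {
    sss_cache -E
    systemctl restart sssd
}

# Ask an IPA server how an HBAC decision would be made right now, ignoring
# whatever the client has cached. Arguments: user@AD.DOMAIN, client FQDN.
hbac_check() {
    ipa hbactest --user="$1" --host="$2" --service=sshd
}

# Minimal command-line front end:
#   sh sssd-stale.sh timeout ipa.example.com < /etc/sssd/sssd.conf
#   sh sssd-stale.sh flush
#   sh sssd-stale.sh hbac bob@ad.example.com client1.ipa.example.com
case "${1:-}" in
    timeout) sssd_user_cache_timeout "$2" ;;
    flush)   flush_sssd_cache ;;
    hbac)    hbac_check "$2" "$3" ;;
esac
```

If `timeout` reports 5400 on both a client and a server, the "hours" in Bart's report is exactly the default refresh window; lowering entry_cache_user_timeout in the client's `[domain/...]` section shortens it at the cost of more LDAP traffic, but it does nothing for the copy held by the IPA servers' SSSD unless they are flushed or configured the same way. Comparing `hbac` output from the server with what the client actually does is the quickest way to tell a stale client cache (server denies, client still allows) from a stale server cache (server still allows).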