> On Thu, Jul 06, 2017 at 02:29:34PM -0000, bogusmaster--- via FreeIPA-users 
> wrote:
> 
> 
> The ipa-client gets all its data from the IPA server and for efficiency
> the lookup on the server goes via the SSSD cache on the server.
> 
> While on the client during authentication the user data is refreshed
> unconditionally, the old data might still be on the cache on the server.
> I would expect that when you call 'sss_cache -E' on the IPA server after
> changing the group memberships the client should see the new groups during
> authentication and access should be granted.
> 
> HTH
> 
> bye,
> Sumit

I have verified that hint. I've stopped the sssd daemon, cleared the cache and
started it back again. Although ipa commands are returning correct members of
the group, when I issue getent group ... on the server it still returns old
members of the group that are not present in the group returned by the ipa command.
Can you please advise on how I can troubleshoot it further?
Best,
Bart