On Wed, Jul 12, 2017 at 02:48:47PM -0000, bogusmaster--- via FreeIPA-users 
wrote:
> > On Thu, Jul 06, 2017 at 02:29:34PM -0000, bogusmaster--- via FreeIPA-users 
> > wrote:
> > 
> > 
> > The ipa-client gets all its data from the IPA server and for efficiency
> > the lookup on the server goes via the SSSD cache on the server.
> > 
> > While on the client during authentication the user data is refreshed
> > unconditionally, the old data might still be in the cache on the server.
> > I would expect that when you call 'sss_cache -E' on the IPA server after
> > changing the group memberships the client should see the new groups during
> > authentication and access should be granted.
> > 
> > HTH
> > 
> > bye,
> > Sumit
> 
> I have verified that hint. I've stopped the sssd daemon, cleared the cache and
> started it back again. Although ipa commands are returning correct members of
> the group, when I issue getent group ... on the server it still returns old
> members of the group that are not present in the group returned by the ipa
> command.
> Can you please advise on how I can troubleshoot it further?

This sounds like SSSD cannot connect to the IPA server and returns old
data from the cache.

Can you check if

    sssctl domain-status your.ipa.domain

returns 'Offline' or check the sss_your.ipa.domain.log file for any
messages related to connection failures and going offline? You might
need to increase the debug_level for the latter.

bye,
Sumit
> Best,
> Bart
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
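
The two checks suggested in the reply above can be scripted as follows. This is an added example, not part of the original thread or of SSSD itself: the helper names, the sample status output and the sample log lines are constructed, and the log path and message wording are assumptions that may differ between SSSD versions.

```shell
#!/bin/sh
# Added example: helper names and all sample data below are constructed.

# Read `sssctl domain-status <domain>` output on stdin.
# Succeeds (exit 0) when the domain is reported as Offline.
domain_is_offline() {
    grep -Eiq '^[[:space:]]*Online status:[[:space:]]*Offline'
}

# Print log lines that point at a connection failure or an offline transition.
# Reads the files given as arguments, or stdin when none are given.
offline_events() {
    grep -Ei 'going offline|offline mode|failed to connect|connection (failed|error)' "$@"
}

# Constructed sample of domain-status output (layout is an assumption).
sample_status() {
    printf '%s\n' 'Online status: Offline' '' 'Active servers:' 'IPA: not connected'
}

# Constructed sample of SSSD domain log content (wording is an assumption).
sample_log() {
    printf '%s\n' \
      '(Wed Jul 12 14:40:01 2017) [sssd[be[your.ipa.domain]]] [sdap_id_op_connect_step] (0x4000): beginning to connect' \
      '(Wed Jul 12 14:40:07 2017) [sssd[be[your.ipa.domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])' \
      '(Wed Jul 12 14:40:07 2017) [sssd[be[your.ipa.domain]]] [be_mark_offline] (0x2000): Going offline!'
}

# Demo on the constructed samples.
if sample_status | domain_is_offline; then
    echo "domain reported Offline; matching log lines:"
    sample_log | offline_events
fi

# On the IPA server itself (log path is an assumption):
#   sssctl domain-status your.ipa.domain | domain_is_offline && echo offline
#   offline_events /var/log/sssd/sssd_your.ipa.domain.log
```
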