On Wed, Jul 12, 2017 at 02:48:47PM -0000, bogusmaster--- via FreeIPA-users wrote:
> > On Thu, Jul 06, 2017 at 02:29:34PM -0000, bogusmaster--- via FreeIPA-users
> > wrote:
> > The ipa-client gets all its data from the IPA server and for efficiency
> > the lookup on the server goes via the SSSD cache on the server.
> > While on the client during authentication the user data is refreshed
> > unconditionally, the old data might still be on the cache on the server.
> > I would expect that when you call 'sss_cache -E' on the IPA server after
> > changing the group memberships the client should see the new groups during
> > authentication and access should be granted.
> > HTH
> > bye,
> > Sumit
> I have verified that hint. I've stopped the sssd daemon, cleared the cache and
> started it back again. Although ipa commands are returning correct members of
> the group, when I issue getent group ... on the server it still returns old
> members of the group that are not present in the group returned by ipa.
> Can you please advise on how I can troubleshoot it further?
This sounds like SSSD cannot connect to the IPA server and returns old
data from the cache.
Can you check if
    sssctl domain-status your.ipa.domain
returns 'Offline' or check the sss_your.ipa.domain.log file for any
messages related to connection failures and going offline? You might
need to increase the debug_level for the latter.
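
The two checks suggested above, as an added shell example that is not part of the original message. The sample status output and log lines are constructed, and the grep patterns are assumptions about what connection-failure messages look like, so adjust them to what your log actually contains.

```shell
#!/bin/sh
# Added example: helpers for checking whether SSSD is serving stale cache
# data because the domain is offline. Function names are hypothetical.

# Read `sssctl domain-status <domain>` output on stdin and print
# "online", "offline" or "unknown" from its "Online status:" line.
classify_status() {
    awk -F': *' '/^Online status:/ { print tolower($2); found = 1; exit }
                 END { if (!found) print "unknown" }'
}

# Count lines of an SSSD domain log (stdin) that mention going offline or a
# failed connection. Patterns are assumptions; a low debug_level in the
# [domain/...] section of sssd.conf may leave the log too sparse to match.
count_offline_events() {
    grep -Eic 'going offline|connect.*fail' || true
}

# Constructed sample input, not taken from a real system.
SAMPLE_STATUS='Online status: Offline

Active servers:
IPA: not connected'

SAMPLE_LOG='(Wed Jul 12 15:01:02 2017) [sssd[be[your.ipa.domain]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [110]: Connection timed out.
(Wed Jul 12 15:01:02 2017) [sssd[be[your.ipa.domain]]] [be_mark_offline] (0x2000): Going offline!
(Wed Jul 12 15:01:05 2017) [sssd[be[your.ipa.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=admins]'

# Live usage (run as root on the IPA server):
#   sssctl domain-status your.ipa.domain | classify_status
#   count_offline_events < /path/to/the/domain/log
state=$(printf '%s\n' "$SAMPLE_STATUS" | classify_status)
events=$(printf '%s\n' "$SAMPLE_LOG" | count_offline_events)
echo "domain state: $state, offline/connection-failure log lines: $events"
if [ "$state" = "offline" ]; then
    echo "SSSD is offline: getent results come from the cache and may be stale"
fi
```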