On Wed, Jul 12, 2017 at 02:48:47PM -0000, bogusmaster--- via FreeIPA-users wrote:
> > On Thu, Jul 06, 2017 at 02:29:34PM -0000, bogusmaster--- via FreeIPA-users
> > wrote:
> >
> > The ipa-client gets all its data from the IPA server and for efficiency
> > the lookup on the server goes via the SSSD cache on the server.
> >
> > While on the client during authentication the user data is refreshed
> > unconditionally the old data might still be on the cache on the server.
> > I would expect that when you call 'sss_cache -E' on the IPA server after
> > changing the group memberships the client should see the new groups during
> > authentication and access should be granted.
> >
> > HTH
> >
> > bye,
> > Sumit
>
> I have verified that hint. I've stopped sssd daemon, cleared the cache and
> started it back again. Although ipa commands are returning correct members of
> the group, when I issue getent group ... on the server it still returns old
> members of the group that are not present in the group returned by ipa
> command.
> Can you please advise on how I can troubleshoot it further?

This sounds like SSSD cannot connect to the IPA server and returns old data
from the cache. Can you check if

    sssctl domain-status your.ipa.domain

returns 'Offline' or check the sss_your.ipa.domain.log file for any messages
related to connection failures and going offline? You might need to increase
the debug_level for the latter.

bye,
Sumit

> Best,
> Bart
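
The two checks suggested in the reply above, as an added example that is not part of the original thread: one function classifies the output of sssctl domain-status and another counts "going offline" messages in the domain log. The sample status text, the sample log lines and the log wording matched by the pattern are constructed assumptions; adjust them to what your SSSD version writes.

```shell
#!/bin/sh
# Added example. Real use: sssctl domain-status your.ipa.domain | domain_state
# and offline_events < (the domain log file named in the reply).

# Constructed sample inputs (not captured from a real host).
SAMPLE_STATUS='Online status: Offline

Active servers:
IPA: not connected'
SAMPLE_LOG='(Wed Jul 12 14:50:01 2017) [sssd[be[your.ipa.domain]]] [be_mark_offline] (0x2000): Going offline!
(Wed Jul 12 14:50:02 2017) [sssd[be[your.ipa.domain]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.'

# Print "offline", "online" or "unknown" for domain-status text on stdin.
domain_state() {
    awk -F': *' '
        /^Online status:/ { s = tolower($2); gsub(/[^a-z]/, "", s) }
        END { if (s == "offline" || s == "online") print s; else print "unknown" }
    '
}

# Count log lines on stdin that record the backend going offline.
# The pattern is an assumption about the log wording.
offline_events() {
    grep -c -i 'going offline' || true   # grep -c exits 1 on zero matches
}

# Combine both checks. $1 = domain-status text, $2 = log text.
# While the domain is offline, lookups such as getent are answered from
# the cache, so group membership used for access decisions may be stale.
stale_cache_risk() {
    state=$(printf '%s\n' "$1" | domain_state)
    events=$(printf '%s\n' "$2" | offline_events)
    if [ "$state" = "offline" ]; then
        echo "stale: domain offline, $events offline events logged"
    elif [ "$events" -gt 0 ]; then
        echo "check: domain $state now, $events offline events logged"
    else
        echo "ok: domain $state, no offline events logged"
    fi
}

stale_cache_risk "$SAMPLE_STATUS" "$SAMPLE_LOG"
```

An empty result from offline_events only means something once debug_level is high enough for these messages to be written at all.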