On Mon, Jun 17, 2013 at 10:16:19AM -0400, Aly Khimji wrote:
> Hey guys,
> So I am getting ready to hopefully roll this out for a demo in our non-prod
> environment prior to going prod if all works. The purpose of this setup is
> to allow for elevated access via AD grouping through a trust. Please see
> below because I get different results on different machines, all on the
> same network.
>
> Can you please advise what you would need from me to help diagnose this
> issue?

To avoid excessive searches on the AD side the group memberships of a user
are only evaluated with the help of the MS-PAC in the Kerberos ticket when
the user logs into a host (Windows clients do basically the same). As a
result only on hosts where the user already logged in once id shows all
groups the user is member of.

>
> Thank you so much,
>
> Aly
>
>
> IDM-server:
> -sh-4.1$ id
> uid=59401108(akhi...@corpnonprd.xxxx.com) gid=59401108(akhi...@corpnonprd.xxxx.com) groups=59401108(akhi...@corpnonprd.xxxx.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> -sh-4.1$ hostname
> didmsvrua01.nix.corpnonprd.xxxx.com

I think processing the PAC failed on this host. The logs of the PAC
responder can be found in /var/log/sssd/sssd_pac.log. How did you log in
to the system, ssh, gdm, console?

>
> CLIENT 1:
> after login:
> *id: cannot find name for group ID 59401108*
> -sh-4.1$ hostname
> rhidmclient.nix.corpnonprd.xxxx.com
> -sh-4.1$ id
> uid=59401108(akhi...@corpnonprd.xxxx.com) gid=59401108 groups=59401108,59400512,59400513,59401123,162200012(mirra-supapp-admin-nix-cde) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

On this host processing of the PAC was successful, i.e. all group
memberships are known, but some group names could not be resolved. Here
/var/log/sssd/sssd_ipa.domain.log has the needed debug output.
bye,
Sumit

>
> CLIENT 2: (this is the only correct output)
> -sh-4.1$ id
> uid=59401108(akhi...@corpnonprd.xxxx.com) gid=59401108(akhi...@corpnonprd.xxxx.com) groups=59401108(akhi...@corpnonprd.xxxx.com),59400512(domain adm...@corpnonprd.xxxx.com),59400513(domain us...@corpnonprd.xxxx.com),59401123(mirra-supapp-admin-corp-...@corpnonprd.xxxx.com),162200012(mirra-supapp-admin-nix-cde) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> -sh-4.1$ hostname
> utkpciu11
> _______________________________________________
> Freeipa-users mailing list
> Freeipaemail@example.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
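The three `id` outputs in this thread correspond to the three situations Sumit's reply distinguishes: only the primary group known (PAC not processed at login), PAC group IDs present but some without a name (name lookup failed), and everything resolved. The following POSIX shell script is an added example, not part of the thread or of SSSD; it triages an `id` line into those cases so an admin knows which SSSD log to open first. The sample lines are reconstructed from the thread's three hosts (the archive's "..." elisions in the names are kept as shown), and the labels `pac-not-processed`, `names-unresolved` and `ok` are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: classify an `id` output line from an
# IPA client that receives AD groups through a trust, following the
# explanation in Sumit's reply. Sample lines are reconstructed from the
# thread; the "..." inside names is the list archive's own elision.

SAMPLE_IDM='uid=59401108(akhi...@corpnonprd.xxxx.com) gid=59401108(akhi...@corpnonprd.xxxx.com) groups=59401108(akhi...@corpnonprd.xxxx.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
SAMPLE_CLIENT1='uid=59401108(akhi...@corpnonprd.xxxx.com) gid=59401108 groups=59401108,59400512,59400513,59401123,162200012(mirra-supapp-admin-nix-cde) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
SAMPLE_CLIENT2='uid=59401108(akhi...@corpnonprd.xxxx.com) gid=59401108(akhi...@corpnonprd.xxxx.com) groups=59401108(akhi...@corpnonprd.xxxx.com),59400512(domain adm...@corpnonprd.xxxx.com),59400513(domain us...@corpnonprd.xxxx.com),59401123(mirra-supapp-admin-corp-...@corpnonprd.xxxx.com),162200012(mirra-supapp-admin-nix-cde) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# Print the groups= field of an id line. AD group names may contain blanks
# ("domain admins"), so cut at the trailing " context=" (SELinux field)
# rather than at the first space. Prints nothing if there is no groups= field.
id_groups_field() {
    case "$1" in
        *groups=*) printf '%s\n' "$1" | sed 's/.*groups=//; s/ context=.*//' ;;
    esac
}

# Number of comma-separated entries in the groups= field (0 if absent).
id_group_count() {
    n=$(id_groups_field "$1" | awk -F, '{ print NF }')
    echo "${n:-0}"
}

# Number of entries without a "(name)" part, i.e. GIDs taken from the PAC
# that SSSD could not resolve to a group name.
id_unnamed_count() {
    n=$(id_groups_field "$1" | awk -F, '{ c = 0; for (i = 1; i <= NF; i++) if (index($i, "(") == 0) c++; print c }')
    echo "${n:-0}"
}

# Map the counts onto the situations described in the reply:
#   pac-not-processed : only the primary group is known; start with
#                       /var/log/sssd/sssd_pac.log
#   names-unresolved  : PAC group IDs are present but some have no name;
#                       start with the domain log (sssd_<domain>.log)
#   ok                : every group carries a name, the expected result
classify_id_output() {
    total=$(id_group_count "$1")
    unnamed=$(id_unnamed_count "$1")
    if [ "$total" -eq 0 ]; then
        echo "no-groups-field"
    elif [ "$total" -eq 1 ]; then
        echo "pac-not-processed"
    elif [ "$unnamed" -gt 0 ]; then
        echo "names-unresolved"
    else
        echo "ok"
    fi
}

# One summary line per host; on a real client feed it "$(id)" instead.
report() {
    printf '%-8s %-18s groups=%s unnamed=%s\n' "$1" \
        "$(classify_id_output "$2")" "$(id_group_count "$2")" "$(id_unnamed_count "$2")"
}

report IDM     "$SAMPLE_IDM"
report CLIENT1 "$SAMPLE_CLIENT1"
report CLIENT2 "$SAMPLE_CLIENT2"
```

On a live client the same check is `classify_id_output "$(id)"` right after the user's first login; a `pac-not-processed` result on a host the user has just logged into is the case to take to sssd_pac.log, while `names-unresolved` points at the domain backend log instead.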