Jakub, many thanks! >Interesting, can you run ipa user-show --all --raw myuser and check if >all three groups are visible as values of the "memberof" attribute? I >suspect they will.. Yes, all 3 groups are visible
>If they do, can you then put debug_level=7 to the [domain] section of >sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd As far as I see for problematic group3 ........ (Wed Jul 31 12:10:39 2013) [sssd[be[example.com]]] [sdap_initgr_nested_search] (2): Search for group cn=group3,cn=groups,cn=accounts, ,dc=example,dc=com, returned 0 results. Skipping ....... So I tried on my IPA client "getent group group2/3" - there is an answer for group2, but not for group3. Interesting... In IPA server "ipa group-show group2/3 " show similar output for both groups, including members. Jakub, if you agree, I'll send you log to your email, I prefer do not post it to the list. On Wed, Jul 31, 2013 at 2:57 PM, Jakub Hrozek <[email protected]> wrote: > On Wed, Jul 31, 2013 at 02:29:13PM +0300, Vitaly wrote: >> >What exact SSSD version is this? >> 1.5.1-58.el5 and 1.5.1-66.el6_2.3 > > The .el5 version looks OK to me, but you should really upgrade from > 6.2.. > >> >> >Was user added to group3 recently so that the cache might have stale >> >records? >> Originally it was "old" group; after that I added some new group - the >> same problem. >> I restarted sssd with removing its cache - didn't help. >> > > Ah, OK, thank you for verifying this. > >> >Do you see the same problem on both RHEL5 and RHEL6 clients? >> yes >> > > Interesting, can you run ipa user-show --all --raw myuser and check if > all three groups are visible as values of the "memberof" attribute? I > suspect they will.. > > If they do, can you then put debug_level=7 to the [domain] section of > sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd > ? > > _______________________________________________ > Freeipa-users mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
