On Thu, Jul 31, 2014 at 03:42:43PM -0700, William Graboyes wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> Hi List,
> I am running into some odd issues with IPA and users not inheriting
> all groups they are a member of.
> I spent a lot of time nesting groups so that when we add a user all of
> the groups they need with one group setting (a boon for automation).
> However I am finding a small percentage of users who are in the proper
> groups in IPA but the server does not pick up all the groups involved,
> until I add those specific users to the group in question.
> For clarity:
> 1) Most users inherit groups fine
> 2) A small percentage (2-3% discovered so far) Do not inherit one or
> more of the needed groups.
> 3) Work around found by adding users directly to group instead of
> nested in proper group (though less than ideal)
let's find out if the group memberships propagated correctly on the
server side, first, to isolate where the issues is.
Can you run:
ipa user-show $faulty_user --all --raw
on the server, or directly ldapsearch the user so we can see if the user
entry has all the memberof attributes you'd expect?
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project