On Tue, Sep 23, 2014 at 11:05:31AM -0430, Loris Santamaria wrote:
> Querying for group membership in the compat tree within a trust
> environment seems to be rather flaky:
>
>   * userA and userB are members of admins@ad. admins@ad is member of
>     internet_access@ad
>   * internet_access@ad is member of internet_access_external@ad
>   * internet_access_external@ad is member of internet_access@ad
>   * I restart ipa and clear sssd cache on the master to start with a
>     clean compat tree
>   * searching for (&(objectClass=posixGroup)(memberUid=userA@ad))
>     returns that he is a member of internet_access@ipa (expected
>     result)
>   * searching for (&(objectClass=posixGroup)(memberUid=userB@ad))
>     doesn't return him as a member of internet_access@ipa
>     (unexpected)
>
> If I restart ipa and clean sssd cache on the master and query first for
> userB he gets the correct memberships, queries for subsequent users
> (userA, userC) won't show if they are members of ipa groups.

Can you check the logs first for a sign of any sssd problems? Recently
we've troubleshot another setup with a customer who saw sssd crashes on
the server itself when a group was requested by SID; I wonder if this
might be the same problem.