On Tue, Sep 23, 2014 at 11:05:31AM -0430, Loris Santamaria wrote:
> Querying for group membership in the compat tree within a trust
> environment seems to be rather flaky:
> 
>       * userA and userB are members of admins@ad. admins@ad is a member of
>         internet_access@ad
>       * internet_access@ad is a member of internet_access_external@ad
>       * internet_access_external@ad is a member of internet_access@ad
>       * I restart ipa and clear sssd cache on the master to start with a
>         clean compat tree
>       * searching for (&(objectClass=posixGroup)(memberUid=userA@ad))
>         returns that he is a member of internet_access@ipa (expected
>         result)
>       * searching for (&(objectClass=posixGroup)(memberUid=userB@ad))
>         doesn't return him as a member of internet_access@ipa
>         (unexpected)
> 
> If I restart ipa and clean sssd cache on the master and query first for
> userB, he gets the correct memberships; queries for subsequent users
> (userA, userC) won't show if they are members of ipa groups.

Can you check the logs first for a sign of any sssd problems? Recently
we've troubleshooted another setup with a customer who saw sssd crashes
on the server itself when a group was requested by SID; I wonder if this
might be the same problem.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
