On Wed, 22 Apr 2015, Alexander Frolushkin wrote:
Hello.
Not sure it happened after update, but now we are on 4.1 and on some
servers we have only AD groups if it is primary for user, and have no
IPA groups with AD external group in members.  For example, on the IPA
server we have
# id afrolush...@ad.com
uid=236658172(afrolush...@ad.com) gid=236658172(afrolush...@ad.com)
groups=236658172(afrolush...@ad.com),236658193(sib-dwh-sa-adm...@ad.com),810800020(sib-dwh-sa-admins),236667642(rhidm-sa-adm...@ad.com)
here group
236658193(sib-dwh-sa-adm...@ad.com)
has an IPA group 810800020(sib-dwh-sa-admins), and it is not primary
for user.  The group that is primary for this user,
236667642(rhidm-sa-adm...@ad.com), also
has an IPA group, but it is not displayed in the id command.
On some other servers (IPA clients) it displays ONLY AD groups:
# id afrolush...@megafon.ru
uid=236658172(afrolush...@ad.com) gid=236658172(afrolush...@ad.com)
groups=236658172(afrolush...@ad.com),236667642(rhidm-sa-adm...@ad.com),236658193(sib-dwh-sa-adm...@ad.com)

This is a big problem for us, because on those servers we cannot use
HBAC & sudo; also we don't think the primary AD group is an exception and
cannot be used in IPA authorization.

If it is a big problem, make sure you are gathering all the logs and
deployment information first to pinpoint what exactly you are running.

See https://fedorahosted.org/sssd/wiki/Troubleshooting for general SSSD
troubleshooting.

--
/ Alexander Bokovoy

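One way to make the symptom above visible across hosts before digging into SSSD logs: parse the `id` output from each host and flag every AD group the user holds whose expected IPA parent group is absent, since that is exactly the case where HBAC and sudo rules written against the IPA group stop matching. This is an added example, not code from the thread or from FreeIPA/SSSD; the two `id` samples are the ones quoted above, and the mapping table is an assumption (the second IPA group name is a placeholder, as the thread does not name it).

```python
import re

# Constructed samples: the two `id` outputs quoted in the thread (IPA server
# first, IPA client second), with the mailto: rendering debris stripped.
ID_ON_SERVER = (
    "uid=236658172(afrolush...@ad.com) gid=236658172(afrolush...@ad.com) "
    "groups=236658172(afrolush...@ad.com),236658193(sib-dwh-sa-adm...@ad.com),"
    "810800020(sib-dwh-sa-admins),236667642(rhidm-sa-adm...@ad.com)"
)
ID_ON_CLIENT = (
    "uid=236658172(afrolush...@ad.com) gid=236658172(afrolush...@ad.com) "
    "groups=236658172(afrolush...@ad.com),236667642(rhidm-sa-adm...@ad.com),"
    "236658193(sib-dwh-sa-adm...@ad.com)"
)

# Assumed mapping: AD external group -> IPA POSIX group that has it as a member.
# The first pair is stated in the thread; the second IPA name is a placeholder.
# In a real deployment this table comes from `ipa group-show`.
EXPECTED_IPA_GROUPS = {
    "sib-dwh-sa-adm...@ad.com": "sib-dwh-sa-admins",
    "rhidm-sa-adm...@ad.com": "rhidm-sa-admins-PLACEHOLDER",
}

# One "gid(name)" entry; names may contain '@', '.', and the thread's "...".
ENTRY_RE = re.compile(r"(\d+)\(([^)]+)\)")


def parse_groups(id_output):
    """Map group name -> gid from the groups= field of `id` output."""
    match = re.search(r"groups=(\S+)", id_output)
    if not match:
        raise ValueError("no groups= field in id output")
    return {name: int(gid) for gid, name in ENTRY_RE.findall(match.group(1))}


def missing_ipa_groups(id_output, expected=EXPECTED_IPA_GROUPS):
    """Return (ad_group, ipa_group) pairs where the AD group was resolved
    but its IPA parent group is not in the user's group list on this host."""
    groups = parse_groups(id_output)
    return sorted(
        (ad_group, ipa_group)
        for ad_group, ipa_group in expected.items()
        if ad_group in groups and ipa_group not in groups
    )


if __name__ == "__main__":
    for host, output in (("ipa-server", ID_ON_SERVER), ("ipa-client", ID_ON_CLIENT)):
        for ad_group, ipa_group in missing_ipa_groups(output):
            print(f"{host}: {ad_group} resolved, IPA group {ipa_group} missing")
```

Run it with the real `id <user>@<domain>` output collected from each affected host; any non-empty result is a host whose SSSD cache or group resolution needs the log gathering the reply asks for.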
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
