On Wed, May 27, 2015 at 04:27:45PM -0700, nat...@nathanpeters.com wrote:
> > I have a CentOS 6.3 client with sssd 1.11.6-30.el6_6.4 installed and when
> > one of my FreeIPA users tries to sudo (he has permissions via group
> > membership) I get the following error in /var/log/messages
> > May 27 20:51:34 ipaclient sssd[be[mydomain.net]]: dereference processing
> > failed : Invalid argument
> > I have read that this is a known bug
> > (https://bugzilla.redhat.com/show_bug.cgi?id=1154042) and that the
> > suggested fix is to add the following line to the domain section of the
> > sssd.conf :
> > ldap_group_object_class = ipaUserGroup
> > I tried adding that and then restarting the client, but it did not fix the
> > problem. I have also read that this problem may only apply to POSIX
> > groups so I removed my user from all POSIX groups, added him to non posix
> > groups and then created some new sudo rules and hbac rules. I restarted
> > the client again and still had the same issue where I could login but not
> > sudo.
> > Is there a known workaround that actually works?
> > I see this bug is supposed to be fixed in sssd 1.11.8. Is this version of
> > sssd going to be released into any repo for CentOS 6?
> > I just had a look at the CentOS 6 updates repo and sssd is still at
> > 1.11.6-30
> > --
> Well, I found that if I updated to CentOS 6.5 and then put the user in all
> non posix groups and renamed my sudo rules so they were different names
> than my hbac rules I could finally log in and sudo properly with no
> messing with my sssd.conf file.
> Nothing I tried in CentOS 6.3 would work though.
btw in upstream we relaxed the dereference processing a bit and now we
just skip the faulty rules.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project