On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote:
> Hello,
>
> We are having a problem with HBAC that appears to be related to group
> membership lookup. I am testing with a new install on RHEL 7.2 with a
> cross-forest trust with AD. When an AD user attempts to log into a client
> (RH 6.7 or 7.2), "hbac_eval_user_element" can report a different
> number of groups each time and never seems to contain the full list.
> For the testing account, running the 'id' command returns 153 groups.
> The IPA group "ad_admin" has been set up to be able to log in anywhere;
> everyone else is denied. With the default allow_all rule enabled, everything
> works as expected. Any ideas on where I can look next?
I assume the group membership is OK on the server, but not on the client? Can
you enable debugging and also include the full logs from the client after
doing sss_cache -E on the client?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
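One way to act on the reply's request and to quantify the symptom the original poster describes (a group count that changes between login attempts), as an added example that is not part of the thread and not SSSD's or FreeIPA's own tooling. The commands in the comments (debug_level in sssd.conf, sss_cache -E, restarting sssd, the sssd_<domain>.log path) are real; the exact wording of the hbac_eval_user_element log line that the sed expression matches is an assumption, and the log excerpts are constructed. Compare the extracted counts with the 153 groups that `id` reports on the client.

```sh
#!/bin/sh
# Added example, not from the thread. Pull the group count that
# hbac_eval_user_element logs for each access evaluation and report whether
# it matches the count the client's NSS view gives (id -G | wc -w).
#
# Steps from the reply, run as root on the client:
#   1. In /etc/sssd/sssd.conf add "debug_level = 9" to the [domain/...] section
#   2. sss_cache -E              # invalidate every cached entry
#   3. systemctl restart sssd    # "service sssd restart" on RHEL 6
#   4. attempt the login, then read /var/log/sssd/sssd_<domain>.log
#
# ASSUMPTION: the relevant line looks like
#   [hbac_eval_user_element] (0x1000): [N] groups for user [name]
# Verify against your own log before trusting the regex below.

# Constructed excerpt reproducing the reported symptom: two evaluations,
# two different counts, neither equal to the 153 groups 'id' shows.
UNSTABLE_LOG='(Fri Dec  4 14:01:02 2015) [sssd[be[ipa.example.com]]] [hbac_eval_user_element] (0x1000): [95] groups for user [jdoe@ad.example.com]
(Fri Dec  4 14:01:02 2015) [sssd[be[ipa.example.com]]] [ipa_hbac_evaluate_rules] (0x0400): Access denied by HBAC rules
(Fri Dec  4 14:02:40 2015) [sssd[be[ipa.example.com]]] [hbac_eval_user_element] (0x1000): [131] groups for user [jdoe@ad.example.com]
(Fri Dec  4 14:02:40 2015) [sssd[be[ipa.example.com]]] [ipa_hbac_evaluate_rules] (0x0400): Access denied by HBAC rules'

# Constructed excerpt of a healthy client: every evaluation sees all 153 groups.
STABLE_LOG='(Fri Dec  4 15:10:00 2015) [sssd[be[ipa.example.com]]] [hbac_eval_user_element] (0x1000): [153] groups for user [jdoe@ad.example.com]
(Fri Dec  4 15:12:30 2015) [sssd[be[ipa.example.com]]] [hbac_eval_user_element] (0x1000): [153] groups for user [jdoe@ad.example.com]'

# Print one group count per hbac_eval_user_element line found in $1.
hbac_group_counts() {
    printf '%s\n' "$1" |
        sed -n 's/.*\[hbac_eval_user_element\][^[]*\[\([0-9]*\)\] groups for user.*/\1/p'
}

# Echo "stable" if every evaluation in $1 saw exactly $2 groups,
# "unstable" if any count differs, "no-data" if no matching line exists.
# Always returns 0 so it is safe to call under 'set -e'.
hbac_group_count_status() {
    counts=$(hbac_group_counts "$1")
    if [ -z "$counts" ]; then
        echo "no-data"
        return 0
    fi
    for c in $counts; do
        if [ "$c" -ne "$2" ]; then
            echo "unstable"
            return 0
        fi
    done
    echo "stable"
}

# Usage: replace the constructed text with the real log, e.g.
#   hbac_group_count_status "$(cat /var/log/sssd/sssd_ipa.example.com.log)" "$(id -G jdoe@ad.example.com | wc -w)"
echo "broken client:  $(hbac_group_count_status "$UNSTABLE_LOG" 153)"
echo "healthy client: $(hbac_group_count_status "$STABLE_LOG" 153)"
```

If the counts are stable on the client but still below what the IPA server returns for the same user, the gap is between the server's view of the AD group membership and what the client caches, which is exactly what the reply asks to confirm by clearing the cache with sss_cache -E before collecting logs.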
