On Tue, Dec 15, 2015 at 03:44:46PM +0100, Winfried de Heiden wrote:
> Hi all,
>
> Even more strange, logging in using SSH public/private keys the problem
> disappears and all groups are available!
>
> Strange.....?!

This is expected, because if you use SSH keys no PAC is involved and hence the
PAC responder cannot remove group memberships which are not listed in the PAC.

>
> RHEL 7.2 with IPA 4.2, sssd 1.13.0-40 last updated Friday December 11
> RHEL 7.2 with sssd 1.13.0-40 as an IPA client
> RHEL 6.7 with sssd 1.12.4-47 as an IPA client

Do I understand correctly that with 1.12.4-47 the groups are always correct
while with 1.13.0-40 the groups are missing when not using SSH keys?

bye,
Sumit

>
> Winny
>
> On 15-12-15 at 09:59, Sumit Bose wrote:
> > On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote:
> > > Using an EL7 client, lots of times the IPA (posix) groups are missing,
> > > or partly missing. Doing some debugging, sssd_pac.log shows:
> > >
> > > (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51509] is not in the PAC anymore, membership must be removed.
> > > (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51508] is not in the PAC anymore, membership must be removed.
> > >
> > > These sids are the groups I am missing. What is happening here???
> >
> > Originally the PAC was the only source for the group-membership data for
> > users coming from AD. To be able to be a member of IPA groups the IPA
> > KDC added SIDs of IPA groups the AD user is a member of.
> >
> > With EL7.1 SSSD is able to read group-membership data on its own if the
> > IPA server is running on 7.1 or newer as well. If this is your case it
> > looks like there is a disconnect between how the IPA KDC and SSSD
> > determine the group memberships for the given user.
> >
> > To investigate this issue further it would be nice if you can share some
> > details about your environment, especially which SSSD and IPA versions
> > are used on the client and the server and how the external group
> > membership is defined on the IPA server.
> >
> > bye,
> > Sumit
> >
> > > Kind regards,
> > >
> > > Winny
> > >

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
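To see which groups the PAC responder is stripping on a given login, it helps to pull the `pac_user_get_grp_info` lines out of `sssd_pac.log` and compare the SIDs against what the IPA server says the user should belong to. The script below is an added example written for this thread, not code from the thread or from the SSSD project. The two SIDs ending in 51508 and 51509 are the ones quoted above; the third SID (ending in 51510), the second timestamp and the group names in `EXPECTED_GROUPS` are constructed to show the grouping and the "unknown SID" case.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sssd_pac.log lines quoted in the thread.
# The first two SIDs are from the thread; the third line is made up.
SAMPLE_LOG = """\
(Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51509] is not in the PAC anymore, membership must be removed.
(Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51508] is not in the PAC anymore, membership must be removed.
(Mon Dec 14 17:19:09 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51510] is not in the PAC anymore, membership must be removed.
"""

# Constructed mapping of SID -> IPA group name, as you would collect it
# from the IPA server (e.g. the ipaNTSecurityIdentifier attribute).
EXPECTED_GROUPS = {
    "S-1-5-21-1802245919-2979536009-1783284443-51508": "ipa-devs",
    "S-1-5-21-1802245919-2979536009-1783284443-51509": "ipa-ops",
}

# Matches the exact message the PAC responder logs at debug level 0x2000
# when it decides to drop a cached group membership.
PAC_REMOVE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[pac\]\] \[pac_user_get_grp_info\] "
    r"\(0x[0-9a-fA-F]+\): Group with SID \[(?P<sid>S-1-5-21-[0-9-]+)\] "
    r"is not in the PAC anymore, membership must be removed\.$"
)


def parse_pac_removals(log_text):
    """Return {timestamp: [sid, ...]} for every membership the PAC
    responder announced it will strip. Lines sharing a timestamp
    belong to the same PAC being processed (i.e. one login)."""
    removals = defaultdict(list)
    for line in log_text.splitlines():
        m = PAC_REMOVE_RE.match(line.strip())
        if m:
            removals[m.group("ts")].append(m.group("sid"))
    return dict(removals)


def stripped_expected_groups(removals, expected):
    """Names of the groups the server says the user is in but that the
    PAC responder removed; these are the 'missing groups' symptom."""
    seen = {sid for sids in removals.values() for sid in sids}
    return sorted(expected[sid] for sid in seen if sid in expected)


def unknown_sids(removals, expected):
    """SIDs removed that we cannot map to any known IPA group; worth
    checking separately since they may point at a stale cache entry."""
    seen = {sid for sids in removals.values() for sid in sids}
    return sorted(sid for sid in seen if sid not in expected)


if __name__ == "__main__":
    removals = parse_pac_removals(SAMPLE_LOG)
    for ts, sids in removals.items():
        print(f"{ts}: PAC responder removed {len(sids)} membership(s)")
    print("expected groups stripped:", stripped_expected_groups(removals, EXPECTED_GROUPS))
    print("unmapped SIDs:", unknown_sids(removals, EXPECTED_GROUPS))
```

Run it against a real `sssd_pac.log` (with `debug_level = 0x2000` or higher in the `[pac]` section) by replacing `SAMPLE_LOG` with the file contents; any group listed under "expected groups stripped" is one where the IPA KDC's PAC and SSSD's own membership lookup disagree, which is exactly the disconnect Sumit describes.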