Hi,

If PAC is not being used using key, how is group membership determined?

Also: it feels like the Linux client is contacting AD to obtain a Kerberos ticket and not the IPA-server. (for AD users). Is that true?

Winny

Op 15-12-15 om 16:19 schreef Sumit Bose:
On Tue, Dec 15, 2015 at 03:44:46PM +0100, Winfried de Heiden wrote:
Hi all,

Even more strange, logging in using SSH public/private keys the problem
disappears and all groups are available!

Strange.....?!
this is expected, because if you use SSH keys no PAC is involved and hence the
PAC responder cannot remove group-memberships which are not listed in the PAC.

RHEL 7.2 with IPA 4.2, sssd 1.13.0-40 last updated Friday December 11
RHEL 7.2 with sssd 1.13.0-40 as an IPA client
RHEL 6.7 with sssd 1.12.4-47 as an IPA client
Do I understand correctly that with 1.12.4-47 the groups are always
correct while with 1.13.0-40 the groups are missing when not using SSH
keys?

bye,
Sumit

Winny

Op 15-12-15 om 09:59 schreef Sumit Bose:

    On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote:

        Using an EL7 client, lot's of times the IPA (posix) groups are missing,
        or partly missing. Doing some debugging, sssd_pac.log shows:

        (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51509] is not in the PAC anymore, membership must be removed.
        (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51508] is not in the PAC anymore, membership must be removed.

        These sids are the groups I am missing. What is happening here???

    Originally the PAC was the only source for the group-membership data for
    users coming from AD. To be able to be a member of IPA groups the IPA
    KDC added SIDs of IPA groups the AD user is a member of.

    With EL7.1 SSSD is able to read group-membership data on its own if the
    IPA server is running on 7.1 or newer as well. If this is your case it
    looks like there is a disconnect between how the IPA KDC and SSSD
    determine the group memberships for the given user.

    To investigate this issue further it would be nice if you can share some
    details about your environment, especially which SSSD and IPA versions
    are used on the client and the server and how the external group
    membership is defined on the IPA server.

    bye,
    Sumit


        Kind regards,

        Winny


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to