If the PAC is not being used (when logging in with a key), how is group membership determined?

Also: it feels like the Linux client is contacting AD to obtain a Kerberos ticket and not the IPA server (for AD users). Is that true?

On 15-12-15 at 16:19, Sumit Bose wrote:
> On Tue, Dec 15, 2015 at 03:44:46PM +0100, Winfried de Heiden wrote:
>> Hi all,
>>
>> Even more strange, logging in using SSH public/private keys the problem disappears and all groups are available! Strange.....?!
>
> This is expected, because if you use SSH keys no PAC is involved and hence the PAC responder cannot remove group memberships which are not listed in the PAC.
>
>> RHEL 7.2 with IPA 4.2, sssd 1.13.0-40 last updated Friday December 11
>> RHEL 7.2 with sssd 1.13.0-40 as an IPA client
>> RHEL 6.7 with sssd 1.12.4-47 as an IPA client
>
> Do I understand correctly that with 1.12.4-47 the groups are always correct while with 1.13.0-40 the groups are missing when not using SSH keys?
>
> bye,
> Sumit
>
>> Winny
>>
>> On 15-12-15 at 09:59, Sumit Bose wrote:
>>> On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote:
>>>> Using an EL7 client, lots of times the IPA (posix) groups are missing, or partly missing. Doing some debugging, sssd_pac.log shows:
>>>>
>>>> (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51509] is not in the PAC anymore, membership must be removed.
>>>> (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51508] is not in the PAC anymore, membership must be removed.
>>>>
>>>> These SIDs are the groups I am missing. What is happening here???
>>>
>>> Originally the PAC was the only source for the group-membership data for users coming from AD. To be able to be a member of IPA groups the IPA KDC added SIDs of IPA groups the AD user is a member of. With EL7.1 SSSD is able to read group-membership data on its own if the IPA server is running on 7.1 or newer as well. If this is your case it looks like there is a disconnect between how the IPA KDC and SSSD determine the group memberships for the given user.
>>>
>>> To investigate this issue further it would be nice if you can share some details about your environment, especially which SSSD and IPA versions are used on the client and the server and how the external group membership is defined on the IPA server.
>>>
>>> bye,
>>> Sumit
>>>
>>>> Kind regards,
>>>>
>>>> Winny
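As an added example (not from the thread and not SSSD's own code): a small Python helper that pulls the dropped group SIDs out of sssd_pac.log lines like the ones quoted above and models the PAC-versus-cache reconciliation Sumit describes, so an admin can see which IPA groups the KDC left out of the PAC. The sample log is constructed from the two lines in the thread plus one unrelated filler line; the SID-to-name mapping is assumed to be supplied by the admin.

```python
import re
from typing import Dict, List, Set

# Debug message (level 0x2000) the PAC responder logs when a group membership
# cached for the user is not listed in the PAC of the ticket; pattern taken
# from the lines quoted in the thread.
PAC_REMOVE_RE = re.compile(
    r"\[sssd\[pac\]\] \[pac_user_get_grp_info\] \(0x2000\): "
    r"Group with SID \[(?P<sid>S-1-5-21-[\d-]+)\] is not in the PAC anymore"
)

# Constructed sample: the two lines from the thread plus one filler line that
# must not match (the filler is invented for the example, not real SSSD output).
SAMPLE_LOG = """\
(Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51509] is not in the PAC anymore, membership must be removed.
(Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID [S-1-5-21-1802245919-2979536009-1783284443-51508] is not in the PAC anymore, membership must be removed.
(Mon Dec 14 17:19:08 2015) [sssd[pac]] [example_filler] (0x0400): constructed line, no SID here
"""


def removed_sids(log_text: str) -> List[str]:
    """Return, in log order, the group SIDs the PAC responder decided to drop."""
    return [m.group("sid") for m in PAC_REMOVE_RE.finditer(log_text)]


def pac_membership_diff(cached_sids: Set[str], pac_sids: Set[str]) -> Dict[str, Set[str]]:
    """Model the reconciliation described in the thread: group SIDs cached for
    the user but absent from the PAC are removed, SIDs in the PAC but not
    cached are added.  Only the 'removed' side shows up at debug level 0x2000."""
    return {
        "removed": cached_sids - pac_sids,
        "added": pac_sids - cached_sids,
    }


def dropped_groups_by_name(log_text: str, sid_to_name: Dict[str, str]) -> Dict[str, str]:
    """Map each dropped SID back to a group name.  The mapping is assumed to be
    collected by the admin (e.g. from the group's SID attribute on the IPA
    server) so the missing IPA groups can be compared with what the KDC put
    in the PAC."""
    return {sid: sid_to_name.get(sid, "<unknown SID>") for sid in removed_sids(log_text)}


if __name__ == "__main__":
    names = {"S-1-5-21-1802245919-2979536009-1783284443-51509": "example-ipa-group"}
    for sid, name in dropped_groups_by_name(SAMPLE_LOG, names).items():
        print(f"dropped by PAC responder: {sid} ({name})")
```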
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project