On Fri, Oct 21, 2016 at 04:07:16PM +1100, Robert Sturrock wrote: > > On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote: > > […] > > > However, when I try logging in as a student domain user > > > (student.example.au), > > > I don't see any of the groups (there should be 8): > > > > > > $ ssh -l rnst student example au ipa-client-rh7.ipa.example.au > > > [rnst ipa-client-rh7 ~]$ groups > > > rnst > > > > > > Is this expected behaviour? Is there a possible client configuration that > > > will support our AD forest setup or is this simply not possible? > > > > What you did is quite correct, but unfortunately works only with > > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry. > > I tried the same configuration on FC24, which has sssd-1.14.1-3, but it > didn’t work for the student domain either: > > $ ssh -l r...@student.example.au ipa-client-fc24.ipa.example.au > -sh-4.3$ groups > rnst > > Is the version shipping with RHEL7.3 likely to be different?
No, it's pretty much the same. Can you take a look at the logs and create a dump of the ldb cache, please? See: https://fedorahosted.org/sssd/wiki/Troubleshooting -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project