I'm using AD trusts with FreeIPA 4.4.0 and am having a heck of a time with 
strange behavior.  Some examples include:

- Trust user's home directory sporadically getting set to '/' instead of 
- Trust user losing HBAC privileges (granted via group membership)
- Trust user losing sudo privileges (granted via group membership)
- OS logging that trust user's account has expired when it hasn't

I'm currently unable to predict/reproduce occurrences of these issues.  I can 
say that they aren't tied to a specific user or host.  For example, a user will 
log in to a host without any issues and then later that same user's home 
directory (as reported by getent) will suddenly be set to / instead of /home/...

My first step, of course, is to gather logs.  Should I be focusing on the SSSD 
on the client or on the IPA servers?  I'm not entirely clear how/where lots of 
this data get assigned/queried.

My other question is if there is a way to pin down a client to [temporarily] 
use a specific IPA server and specific AD server (even if it means a firewall 
rule that only allows the host to communicate with one IPA and one AD host).



