I'm using AD trusts with FreeIPA 4.4.0 and am having a heck of a time with 
strange behavior.  Some examples include:

- Trust user's home directory sporadically getting set to '/' instead of 
- Trust user losing HBAC privileges (granted via group membership)
- Trust user losing sudo privileges (granted via group membership)
- OS logging that trust user's account has expired when it hasn't

I'm currently unable to predict/reproduce occurrences of these issues.  I can 
say that they aren't tied to a specific user or host.  For example, a user will 
login to a host without any issues and then later that same user's home 
directory (as reported by getent) will suddenly be set to / instead of /home/...

My first step, of course, is to gather logs.  Should I be focusing on the SSSD 
on the client or on the IPA servers?  I'm not entirely clear how/where lots of 
this data get assigned/queried.

My other question is if there is a way to pin down a client to [temporarily] 
use a specific IPA server and specific AD server (even if it means a firewall 
rule that only allows the host to communicate with one IPA and one AD host).



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to