Re: [Freeipa-users] IPA clients doesn't see all user's group
On Wed, Jul 31, 2013 at 02:04:27PM +0300, Vitaly wrote:
> I have IPA2 on RHEL6 server and RHEL/CENTOS 5/6 clients.
> For some users Linux doesn't see all groups. For example:
>
> #ipa user-show myuser
> ...
> Member of groups: group1,group2,group3
>
> #id myuser
> uid=1815600038(myuser) gid=1002(group1) groups=1002(group1),1000(group2)
>
> How can I debug and fix this?
>
> TIA,
> Vitaly

What exact SSSD version is this?

Was user added to group3 recently so that the cache might have stale records?

Do you see the same problem on both RHEL5 and RHEL6 clients?

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA clients doesn't see all user's group
> What exact SSSD version is this?

1.5.1-58.el5 and 1.5.1-66.el6_2.3

> Was user added to group3 recently so that the cache might have stale records?

Originally it was old group; after that I added some new group - the same problem. I restarted sssd with removing its cache - didn't help.

> Do you see the same problem on both RHEL5 and RHEL6 clients?

yes

On Wed, Jul 31, 2013 at 2:15 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Wed, Jul 31, 2013 at 02:04:27PM +0300, Vitaly wrote:
> > I have IPA2 on RHEL6 server and RHEL/CENTOS 5/6 clients.
> > For some users Linux doesn't see all groups. For example:
> >
> > #ipa user-show myuser
> > ...
> > Member of groups: group1,group2,group3
> >
> > #id myuser
> > uid=1815600038(myuser) gid=1002(group1) groups=1002(group1),1000(group2)
> >
> > How can I debug and fix this?
> >
> > TIA,
> > Vitaly
>
> What exact SSSD version is this?
>
> Was user added to group3 recently so that the cache might have stale records?
>
> Do you see the same problem on both RHEL5 and RHEL6 clients?
Re: [Freeipa-users] IPA clients doesn't see all user's group
Jakub, many thanks!

> Interesting, can you run ipa user-show --all --raw myuser and check if all three groups are visible as values of the memberof attribute? I suspect they will..

Yes, all 3 groups are visible

> If they do, can you then put debug_level=7 to the [domain] section of sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd

As far as I see for problematic group3

(Wed Jul 31 12:10:39 2013) [sssd[be[example.com]]] [sdap_initgr_nested_search] (2): Search for group cn=group3,cn=groups,cn=accounts, ,dc=example,dc=com, returned 0 results. Skipping ...

So I tried on my IPA client getent group group2/3 - there is an answer for group2, but not for group3.
Interesting...
In IPA server ipa group-show group2/3 show similar output for both groups, including members.

Jakub, if you agree, I'll send you log to your email, I prefer not to post it to the list.

On Wed, Jul 31, 2013 at 2:57 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Wed, Jul 31, 2013 at 02:29:13PM +0300, Vitaly wrote:
> > > What exact SSSD version is this?
> >
> > 1.5.1-58.el5 and 1.5.1-66.el6_2.3
>
> The .el5 version looks OK to me, but you should really upgrade from 6.2..
>
> > > Was user added to group3 recently so that the cache might have stale records?
> >
> > Originally it was old group; after that I added some new group - the same problem. I restarted sssd with removing its cache - didn't help.
>
> Ah, OK, thank you for verifying this.
>
> > > Do you see the same problem on both RHEL5 and RHEL6 clients?
> >
> > yes
>
> Interesting, can you run ipa user-show --all --raw myuser and check if all three groups are visible as values of the memberof attribute? I suspect they will..
>
> If they do, can you then put debug_level=7 to the [domain] section of sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd ?
Re: [Freeipa-users] IPA clients doesn't see all user's group
On Wed, Jul 31, 2013 at 03:27:41PM +0300, Vitaly wrote:
> Jakub, many thanks!
>
> > Interesting, can you run ipa user-show --all --raw myuser and check if all three groups are visible as values of the memberof attribute? I suspect they will..
>
> Yes, all 3 groups are visible
>
> > If they do, can you then put debug_level=7 to the [domain] section of sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd
>
> As far as I see for problematic group3
>
> (Wed Jul 31 12:10:39 2013) [sssd[be[example.com]]] [sdap_initgr_nested_search] (2): Search for group cn=group3,cn=groups,cn=accounts, ,dc=example,dc=com, returned 0 results. Skipping ...
>
> So I tried on my IPA client getent group group2/3 - there is an answer for group2, but not for group3.
> Interesting...
> In IPA server ipa group-show group2/3 show similar output for both groups, including members.

Does the group have posix GID?

> Jakub, if you agree, I'll send you log to your email, I prefer not to post it to the list.

Sure, that's fine.
Re: [Freeipa-users] IPA clients doesn't see all user's group
Jakub, many thanks and I'm really sorry for such stupid questions!

yes, you're right, group3 didn't have posix GID :-)

Vitaly

On Wed, Jul 31, 2013 at 3:40 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Wed, Jul 31, 2013 at 03:27:41PM +0300, Vitaly wrote:
> > Jakub, many thanks!
> >
> > > Interesting, can you run ipa user-show --all --raw myuser and check if all three groups are visible as values of the memberof attribute? I suspect they will..
> >
> > Yes, all 3 groups are visible
> >
> > > If they do, can you then put debug_level=7 to the [domain] section of sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd
> >
> > As far as I see for problematic group3
> >
> > (Wed Jul 31 12:10:39 2013) [sssd[be[example.com]]] [sdap_initgr_nested_search] (2): Search for group cn=group3,cn=groups,cn=accounts, ,dc=example,dc=com, returned 0 results. Skipping ...
> >
> > So I tried on my IPA client getent group group2/3 - there is an answer for group2, but not for group3.
> > Interesting...
> > In IPA server ipa group-show group2/3 show similar output for both groups, including members.
>
> Does the group have posix GID?
>
> > Jakub, if you agree, I'll send you log to your email, I prefer not to post it to the list.
>
> Sure, that's fine.
Re: [Freeipa-users] IPA clients doesn't see all user's group
On Wed, Jul 31, 2013 at 03:55:06PM +0300, Vitaly wrote:
> Jakub, many thanks and I'm really sorry for such stupid questions!
>
> yes, you're right, group3 didn't have posix GID :-)
>
> Vitaly

No problem, I'm glad the issue got sorted out :-)

I think that recent versions of the SSSD print a more user-friendly debug message into the logs..
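
Added example, not part of the original thread or of FreeIPA/SSSD: a shell sketch of the diagnosis the thread arrives at, comparing the `memberof` values from `ipa user-show --all --raw` with the groups in `id` output and then checking each missing group for a `gidnumber`. The sample data and the `group_raw` stand-in are constructed assumptions; on a real system `group_raw` would call `ipa group-show "$1" --all --raw`.

```shell
# Constructed sample data modelled on the thread, not real command output.
USER_RAW='  uid: myuser
  memberof: cn=group1,cn=groups,cn=accounts,dc=example,dc=com
  memberof: cn=group2,cn=groups,cn=accounts,dc=example,dc=com
  memberof: cn=group3,cn=groups,cn=accounts,dc=example,dc=com'
ID_OUT='uid=1815600038(myuser) gid=1002(group1) groups=1002(group1),1000(group2)'

# Hypothetical stand-in for `ipa group-show "$1" --all --raw`; only group3 lacks gidnumber.
group_raw() {
    printf '  dn: cn=%s,cn=groups,cn=accounts,dc=example,dc=com\n  cn: %s\n' "$1" "$1"
    case $1 in
        group1) echo '  gidnumber: 1002' ;;
        group2) echo '  gidnumber: 1000' ;;
    esac
}

# stdin: `ipa user-show --all --raw` output; prints the cn of each user group.
ipa_groups() {
    awk 'tolower($1) == "memberof:" && tolower($2) ~ /^cn=[^,]+,cn=groups,cn=accounts,/ {
             split($2, rdn, ","); sub(/^[^=]*=/, "", rdn[1]); print rdn[1] }'
}

# stdin: `id user` output; prints one resolved group name per line.
client_groups() {
    sed -n 's/.* groups=\([^ ]*\).*/\1/p' | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# $1 = user-show output, $2 = id output; prints groups the client does not see.
missing_groups() {
    client=$(printf '%s\n' "$2" | client_groups)
    printf '%s\n' "$1" | ipa_groups | while read -r g; do
        printf '%s\n' "$client" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# stdin: `ipa group-show --all --raw` output; succeeds if a numeric gidnumber exists.
has_posix_gid() {
    awk 'tolower($1) == "gidnumber:" && $2 ~ /^[0-9]+$/ { found = 1 } END { exit !found }'
}

diagnose() {
    for g in $(missing_groups "$USER_RAW" "$ID_OUT"); do
        if group_raw "$g" | has_posix_gid; then
            echo "$g: has gidnumber, check the SSSD cache and debug logs"
        else
            echo "$g: no gidnumber (non-POSIX group)"
        fi
    done
}
diagnose
```

Because group membership usually drives access decisions on the client, a group that is silently skipped this way is worth checking for whenever `id` and the directory disagree.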