We use FreeIPA/SSSD to authenticate our RStudio Server, which we control via HBAC membership of an AD group.
Our users are having their sessions ended frequently - once a day or more - with the logged message

    17 Aug 2017 05:16:21 [rserver] WARNING User <user>@<domain> could not be authenticated because they do not belong to one of the required groups (rstudio); LOGGED FROM: bool rstudio::server::auth::validateUser(const std::string&, const std::string&, unsigned int, bool) /root/rstudio-pro/src/cpp/server/auth/ServerValidateUser.cpp:103

Most likely this is partially because RStudio server is overly aggressive, but I am also noticing that their log is telling the truth: id <user>@<domain> is not returning the full membership set of the user - in particular the user group overrides are not being registered. I.e., I can see that <user> is in the appropriate AD group, but the IPA group that overrides it isn't being reported. And hence the user is getting booted.

So, two questions:

1. Why is the group override not working and how can I get it working or change our setup so that it does work?
2. If this is because users are being timed out of the sss db cache (/var/lib/sss/db/cache_<domain>.ldb), how can I set the cache refresh to a much much longer period?

cheers
L.

------
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together."
*Greg Bloom* @greggish https://twitter.com/greggish/status/873177525903609857
