[Freeipa-users] Compat tree and group membership in a trust environment

Jakub Hrozek jhrozek at redhat.com
Tue Sep 23 16:03:45 UTC 2014


On Tue, Sep 23, 2014 at 11:05:31AM -0430, Loris Santamaria wrote:
> Querying for group membership in the compat tree within a trust
> environment seems to be rather flaky:
> 
>       * userA and userB are members of admins@ad. admins@ad is member of
>         internet_access@ad
>       * internet_access@ad is member of internet_access_external@ad
>       * internet_access_external@ad is member of internet_access@ad
>       * I restart ipa and clear sssd cache on the master to start with a
>         clean compat tree
>       * searching for (&(objectClass=posixGroup)(memberUid=userA@ad))
>         returns that he is a member of internet_access@ipa (expected
>         result)
>       * searching for (&(objectClass=posixGroup)(memberUid=userB@ad))
>         doesn't return him as a member of internet_access@ipa
>         (unexpected)
> 
> If I restart ipa and clean sssd cache on the master and query first for
> userB he gets the correct memberships, queries for subsequent users
> (userA, userC) won't show if they are members of ipa groups.

Can you check the logs first for a sign of any sssd problems? Recently
we've troubleshot another setup with a customer who saw sssd crashes
on the server itself when a group was requested by SID; I wonder if this
might be the same problem.



