[Freeipa-users] Compat tree and group membership in a trust environment
Jakub Hrozek
jhrozek at redhat.com
Tue Sep 23 16:03:45 UTC 2014
On Tue, Sep 23, 2014 at 11:05:31AM -0430, Loris Santamaria wrote:
> Querying for group membership in the compat tree within a trust
> environment seems to be rather flaky:
>
> * userA and userB are members of admins@ad. admins@ad is member of
>   internet_access@ad
> * internet_access@ad is member of internet_access_external@ad
> * internet_access_external@ad is member of internet_access@ad
> * I restart ipa and clear sssd cache on the master to start with a
>   clean compat tree
> * searching for (&(objectClass=posixGroup)(memberUid=userA@ad))
>   returns that he is a member of internet_access@ipa (expected
>   result)
> * searching for (&(objectClass=posixGroup)(memberUid=userB@ad))
>   doesn't return him as a member of internet_access@ipa
>   (unexpected)
>
> If I restart ipa and clean sssd cache on the master and query first for
> userB he gets the correct memberships, queries for subsequent users
> (userA, userC) won't show if they are members of ipa groups.

Can you check the logs first for a sign of any sssd problems? Recently
we've troubleshot another setup with a customer who saw sssd crashes
on the server itself when a group was requested by SID; I wonder if this
might be the same problem.