Hi, we are currently working on a larger IPA test project and I have a problem which has been bugging me for some time now:
On the client we have set "full_name_format = %1$s" to have users presented without the AD domain part. However, this seems to make SSSD not look up a user's group membership?

sssd.conf from server:

[domain/linux.dr.dk]
cache_credentials = True
# krb5_store_password_if_offline = True
ipa_domain = linux.dr.dk
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa01tst.linux.dr.dk
chpass_provider = ipa
ipa_server = ipa01tst.linux.dr.dk
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
# Bugfix untill RHEL 7.3 arrives
# http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html
ldap_user_principal = nosuchattr
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ldap_user_principal, ignore_group_members, ldap_purge_cache_timeout
debug_level=3
# Added to list users faster eg id [email protected]
ldap_use_tokengroups = True
ldap_id_mapping = True

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linux.dr.dk
default_domain_suffix = NET.DR.DK

[nss]
memcache_timeout = 600
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]

sssd.conf from client:

[domain/linux.dr.dk]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.dr.dk
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel01udv.linux.dr.dk
chpass_provider = ipa
ipa_server = ipa01tst.linux.dr.dk
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level=5

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linux.dr.dk
default_domain_suffix = NET.DR.DK
# full_name_format = %1$s

[nss]
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]

With "full_name_format" commented out on the client I get the full list of groups for a user:

# sss_cache -E && rm -f /var/lib/sss/db/* && systemctl restart sssd
# getent passwd [email protected]
[email protected]:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha:
# id [email protected]
gives full groups list

If I enable the "full_name_format" parameter I get:

Clear cache.
# sss_cache -E && rm -f /var/lib/sss/db/* && systemctl restart sssd
# getent passwd [email protected]
drextrha:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha:

but:

# id [email protected]
uid=1349938498(drextrha) gid=1349938498(drextrha) groups=1349938498(drextrha),10012(ad_admins)

only gives my primary group and a single IPA group.

Everything running RHEL 7.2, sssd 1.13.0-40.el7_2.12

Am I doing something wrong?
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
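As an added illustration (not from the post above or from the SSSD project), this script parses a constructed sssd.conf fragment modelled on the client's [sssd] section, expands full_name_format the way SSSD's printf-style tokens work (%1$s user name, %2$s SSSD domain name, %3$s flat name), and flags a format with no domain token, since a bare %1$s renders a user in linux.dr.dk and a same-named user in the trusted NET.DR.DK domain identically. The default format and token meanings are taken from sssd.conf(5); the linter and sample data are this example's own.

```python
# Added example (not SSSD code). SSSD expands full_name_format with printf-style
# positional tokens: %1$s = user name, %2$s = SSSD domain name, %3$s = flat name.
import configparser
import re

# Constructed sample, trimmed to the sections relevant to the question.
SAMPLE_SSSD_CONF = """[domain/linux.dr.dk]
id_provider = ipa
ipa_domain = linux.dr.dk

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linux.dr.dk
default_domain_suffix = NET.DR.DK
full_name_format = %1$s
"""

DEFAULT_FORMAT = "%1$s@%2$s"  # the sssd.conf(5) default when the key is absent
_TOKEN = re.compile(r"%([123])\$s")


def parse_sssd_conf(text):
    # interpolation=None: configparser's default interpolation rejects the '%' in %1$s
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def render_full_name(fmt, user, domain, flat_name):
    """Expand full_name_format for one user the way SSSD does."""
    fields = {"1": user, "2": domain, "3": flat_name}
    return _TOKEN.sub(lambda m: fields[m.group(1)], fmt)


def check_full_name_format(cp):
    """Return (format, findings); findings is empty when a domain token is kept."""
    fmt = cp.get("sssd", "full_name_format", fallback=DEFAULT_FORMAT)
    findings = []
    if "%2$s" not in fmt and "%3$s" not in fmt:
        findings.append(f"full_name_format={fmt!r} has no domain token (%2$s or %3$s): "
                        "the same short name in two domains renders identically")
    return fmt, findings


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    fmt, findings = check_full_name_format(conf)
    for dom, flat in (("linux.dr.dk", "LINUX"), ("net.dr.dk", "NET")):
        print(f"{fmt} -> {render_full_name(fmt, 'drextrha', dom, flat)}")
    print("\n".join(findings) or "no findings")
```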
