Hi,

Recently we established a one-way trust between our FreeIPA server and a client's AD domain. Users and groups have been created and mapped; we are now testing user access, HBAC and sudo rules.

An issue we came across is that on all clients we need to restart SSSD for the correct user groups and group membership to appear in the id and getent commands.

Check test_user user and group membership:

    [root@server1 root]# id [email protected]
    uid=370001170([email protected]) gid=370001170([email protected]) groups=370001170([email protected])
    [root@server1 root]# service sssd restart
    Redirecting to /bin/systemctl restart sssd.service

Recheck user, new groups appear:

    [root@server1 root]# id [email protected]
    uid=370001170([email protected]) gid=370001170([email protected]) groups=370001170([email protected]),370001628([email protected]),1262600020(posix_group),370000513(domain [email protected])

370001628([email protected]) and 1262600020(posix_group) are the FreeIPA posix group and the mapped AD group.

Another thing is that although the sssd restart appears to resolve the issue, when checking the next user group we need to do the same exercise.

Check test_user2 user and group membership:

    root@server1 root# id test_user2@ad_domain
    uid=370001175(test_user2@ad_domain) gid=370001175(test_user2@ad_domain) groups=370001175(test_user2@ad_domain),370000513(domain users@ad_domain)
    root@server1 root# getent group posix_group2
    [empty response]

Responses are not correct. Restart SSSD:

    root@server1 root# service sssd restart

Check again:

    root@server1 root# id test_user2@ad_domain
    uid=370001175(test_user2@ad_domain) gid=370001175(test_user2@ad_domain) groups=370001175(test_user2@ad_domain),370000513(domain users@ad_domain),370001634(ad_group2@ad_domain),1262600032(posix_group2)
    root@server1 root# getent group posix_group2
    ad_pis_users:*:1262600032:test_user2@ad_domain

Response is correct and users can log in according to HBAC and sudo rules.

Our FreeIPA server version is 4.6.6-11.el7.centos.

Is there something we are missing in our configuration?

Thanks,
Anestis
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
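A small check that automates the "id, compare, refresh" exercise described in the post, added here as an example and not part of the original message. It parses the groups= field of `id` output, reports which expected groups are absent, and on a stale result invalidates only that user's SSSD cache entry with `sss_cache -u` (from sssd-tools, assumed installed) rather than restarting the whole daemon; the sample outputs are constructed from the post and the function names are my own.

```shell
#!/bin/sh
# Added example: detect stale SSSD group membership before relying on HBAC/sudo rules.

# Constructed sample of `id` output as seen before the SSSD restart in the post.
SAMPLE_STALE='uid=370001175(test_user2@ad_domain) gid=370001175(test_user2@ad_domain) groups=370001175(test_user2@ad_domain),370000513(domain users@ad_domain)'
# Constructed sample after the cache was refreshed.
SAMPLE_FRESH='uid=370001175(test_user2@ad_domain) gid=370001175(test_user2@ad_domain) groups=370001175(test_user2@ad_domain),370000513(domain users@ad_domain),370001634(ad_group2@ad_domain),1262600032(posix_group2)'

# id_group_names ID_OUTPUT -> one group name per line, taken from the groups= field
id_group_names() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n' | sed 's/^[0-9]*(//; s/)$//'
}

# missing_groups ID_OUTPUT GROUP... -> prints expected groups that are absent;
# returns 0 when every group is present, 1 otherwise
missing_groups() {
    out=$1; shift
    names=$(id_group_names "$out")
    rc=0
    for g in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF "$g"; then
            printf '%s\n' "$g"
            rc=1
        fi
    done
    return $rc
}

# check_user USER GROUP... -> runs id(1) for USER; on a stale result drops only that
# user's cached entry (needs root and sssd-tools) so the next lookup goes to the backend.
check_user() {
    user=$1; shift
    if missing=$(missing_groups "$(id "$user")" "$@"); then
        echo "ok: $user has all expected groups"
        return 0
    fi
    echo "stale: $user missing: $(printf '%s' "$missing" | tr '\n' ' ')"
    sss_cache -u "$user"   # narrower than 'systemctl restart sssd'
    return 1
}
```

Run as `check_user test_user2@ad_domain posix_group2 ad_group2@ad_domain` on a client; a non-zero exit means the cache was stale and has now been invalidated for that user.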
