We're facing some intermittent failures in the IPA server, where the corresponding IPA groups are not mapped correctly (some or all IPA groups are missing).
Short description of the setup: 2 IPA server nodes, both have a trust with AD servers that act as authenticators. The AD users get mapped based on Unix Attributes, and in IPA they belong to certain IPA groups for granting them access to server groups and sudo rules.

What we're facing now is what seems to be a cache corruption, or at least an alteration, with some information not being reflected in the cache. The workaround for now is to delete the cache (sometimes on the client only, but occasionally we also needed to delete it on the server). After that, the IPA groups are reported correctly again, but eventually, after some 5 or 10 minutes, the groups are wrong again and users cannot log in (because they are not reported to belong to the group(s) that have access to the given server).

The issue started after we patched (yum update) the first node. We did not then run the ipa-server-upgrade command after the OS update. We did it about a week after, and it reported that it had completed successfully. But the malfunction still persists.

Let us know which logs or config files we could provide you.

Thanks and regards
