Hi, I'm about to move our FreeIPA platform into production on Monday but I've just noticed a worrying issue with sssd - getent group is not showing group members and id is not showing secondary groups.
Currently all our servers are configured with sssd using our old LDAP (389-ds) as a backend. It works great, id shows all my secondary groups:

# id peter.pakos
uid=1396(peter.pakos) gid=511(Engineering) groups=511(Engineering),718(DevOps),701(SSHAllow)

After re-configuring sssd to use FreeIPA's LDAP directory, id is only showing the primary group, the secondary groups are missing:

# id peter.pakos
uid=1396(peter.pakos) gid=511(engineering) groups=511(engineering)

Similarly, getent is not showing group members:

# getent group engineering
engineering:*:511:

Environment:

# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

This is an example sssd.conf file I'm using in my tests:

[domain/ipa.wandisco.com]
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com, ldaps://ashb01.ipa.wandisco.com, ldaps://ashb02.ipa.wandisco.com, ldaps://frem01.ipa.wandisco.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.wandisco.com

[nss]

[pam]

[sudo]

[autofs]

[ssh]

Am I missing anything in the sssd configuration? Any advice would be greatly appreciated.

--
Kind regards,
Peter Pakos
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
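An added check, not part of the post and not sssd's or FreeIPA's own code: it parses a domain section like the one above and flags the setting combination that produces exactly this symptom, id_provider = ldap with sssd's default rfc2307 schema (members read from memberUid) pointed at IPA's cn=accounts tree, whose group entries store members as DNs in the member attribute. The sample config is a constructed copy of the posted one trimmed to the membership-relevant lines.

```python
import configparser

# Constructed sample: the membership-relevant lines of the sssd.conf posted
# above, with line breaks restored (TLS and ldap_uri lines omitted).
SAMPLE_CONF = """
[domain/ipa.wandisco.com]
ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
id_provider = ldap
auth_provider = ldap

[sssd]
domains = ipa.wandisco.com
"""


def lint_group_lookup(conf_text):
    """Map each [domain/...] section to (status, reason) for group lookups.

    With id_provider = ldap and no ldap_schema, sssd assumes rfc2307 and
    reads group members from memberUid.  FreeIPA's native group entries under
    cn=groups,cn=accounts carry members as DNs in 'member' and no memberUid,
    so membership resolves empty.  IPA's cn=compat tree does expose memberUid,
    and id_provider = ipa (or ldap_schema = ipa / rfc2307bis) reads 'member'.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    results = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        provider = dom.get("id_provider", "").strip().lower()
        schema = dom.get("ldap_schema", "rfc2307").strip().lower()
        base = dom.get("ldap_group_search_base",
                       dom.get("ldap_search_base", "")).lower()
        if provider == "ipa":
            results[section] = ("ok", "id_provider=ipa reads members from 'member'")
        elif (provider == "ldap" and schema == "rfc2307"
              and "cn=accounts" in base and "cn=compat" not in base):
            results[section] = ("broken",
                                "rfc2307 schema (memberUid) against the IPA "
                                "accounts tree, which only has 'member'; set "
                                "ldap_schema or use id_provider=ipa")
        else:
            results[section] = ("ok", f"provider={provider} schema={schema}")
    return results
```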
