Hi,

Recently we established a one-way trust between our FreeIPA server and a client’s AD domain.

Users and groups have been created and mapped; we are now testing user access, HBAC and sudo rules.

An issue we came across is that on all clients we need to restart SSSD for the correct user groups and group membership to appear in the id and getent commands.

Check test_user user and group membership:

[root@server1 root]# id test_user@ad.domain.com
uid=370001170(test_user@ad.domain.com) gid=370001170(test_user@ad.domain.com)
groups=370001170(test_user@ad.domain.com)

[root@server1 root]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service

Recheck the user; new groups appear.

[root@server1 root]# id test_user@ad.domain.com
uid=370001170(test_user@ad.domain.com) gid=370001170(test_user@ad.domain.com)
groups=370001170(test_user@ad.domain.com),370001628(ad_group@ad.domain.com),1262600020(posix_group),370000513(domain users@ad.domain.com)

370001628(ad_group@ad.domain.com) and 1262600020(posix_group) are the mapped AD group and the FreeIPA POSIX group.

Another thing is that although an SSSD restart appears to resolve the issue, when checking the next user group we need to repeat the same exercise.

Check test_user2 user and group membership:

root@server1 root# id test_user2@ad_domain
uid=370001175(test_user2@ad_domain) gid=370001175(test_user2@ad_domain)
groups=370001175(test_user2@ad_domain),370000513(domain users@ad_domain)

root@server1 root# getent group posix_group2
[empty response]

The responses are not correct, so restart SSSD:

root@server1 root# service sssd restart

Check again:

root@server1 root# id test_user2@ad_domain
uid=370001175(test_user2@ad_domain) gid=370001175(test_user2@ad_domain)
groups=370001175(test_user2@ad_domain),370000513(domain users@ad_domain),370001634(ad_group2@ad_domain),1262600032(posix_group2)

root@server1 root# getent group posix_group2
ad_pis_users:*:1262600032:test_user2@ad_domain

The response is correct and users can log in according to the HBAC and sudo rules.

Our FreeIPA server version is 4.6.6-11.el7.centos.

Is there something missing in our configuration?

Thanks,

Anestis
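A small check, added here as an example and not part of Anestis's message, that parses two id outputs (the before/after lines from the post, constructed inline) and lists the groups a client only reported after the SSSD restart, so the same comparison can be run on every client instead of reading the output by eye:

```sh
#!/bin/sh
# Added example (not from the original post). The two "id" outputs below are
# constructed from the post: the first taken before the SSSD restart, the
# second after it. On a client they would come from running
#   id test_user@ad.domain.com
# before and after "service sssd restart".
BEFORE='uid=370001170(test_user@ad.domain.com) gid=370001170(test_user@ad.domain.com) groups=370001170(test_user@ad.domain.com)'
AFTER='uid=370001170(test_user@ad.domain.com) gid=370001170(test_user@ad.domain.com) groups=370001170(test_user@ad.domain.com),370001628(ad_group@ad.domain.com),1262600020(posix_group),370000513(domain users@ad.domain.com)'

# id_groups: print the group names from one "id" output line, one per line.
# Works with names that contain spaces, such as "domain users@ad.domain.com".
id_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9][0-9]*(\(.*\))$/\1/'
}

# missing_groups: groups present in the second "id" output but not in the
# first, i.e. memberships the client only reported after the cache was reset.
missing_groups() {
    before=$(id_groups "$1")
    after=$(id_groups "$2")
    printf '%s\n' "$after" | while IFS= read -r g; do
        [ -n "$g" ] || continue
        printf '%s\n' "$before" | grep -Fxq -- "$g" || printf '%s\n' "$g"
    done
}

# count_missing: number of such groups; 0 means both runs agreed.
count_missing() {
    missing_groups "$1" "$2" | awk 'END { print NR }'
}

echo "groups visible only after the SSSD restart:"
missing_groups "$BEFORE" "$AFTER"
```

Capture the id output on each client before and after the restart and pass both strings in; a non-zero count_missing flags a client whose cached view of the user was stale.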