On Thu, Jul 06, 2017 at 02:29:34PM -0000, bogusmaster--- via FreeIPA-users wrote:
The ipa-client gets all its data from the IPA server and for efficiency the lookup on the server goes via the SSSD cache on the server.
While on the client the user data is refreshed unconditionally during authentication, the old data might still be in the cache on the server. I would expect that when you call 'sss_cache -E' on the IPA server after changing the group memberships, the client should see the new groups during authentication and access should be granted.
I cleared cache on the IPA server and restarted sssd after changing group membership, did the same on the client but it didn't help.