On Wed, Jul 12, 2017 at 02:48:47PM -0000, bogusmaster--- via FreeIPA-users wrote:
On Thu, Jul 06, 2017 at 02:29:34PM -0000, bogusmaster--- via FreeIPA-users wrote:
The ipa-client gets all its data from the IPA server and for efficiency the lookup on the server goes via the SSSD cache on the server.
While on the client during authentication the user data is refreshed unconditionally, the old data might still be in the cache on the server. I would expect that when you call 'sss_cache -E' on the IPA server after changing the group memberships the client should see the new groups during authentication and access should be granted.
HTH
bye, Sumit
I have verified that hint. I've stopped the sssd daemon, cleared the cache and started it back again. Although ipa commands are returning correct members of the group, when I issue getent group ... on the server it still returns old members of the group that are not present in the group returned by the ipa command. Can you please advise on how I can troubleshoot it further?
This sounds like SSSD cannot connect to the IPA server and returns old data from the cache.
Can you check if
sssctl domain-status your.ipa.domain
returns 'Offline' or check the sss_your.ipa.domain.log file for any messages related to connection failures and going offline? You might need to increase the debug_level for the latter.
bye, Sumit
Best, Bart