On Mon, 2022-08-08 at 12:01 -0400, Ranbir via FreeIPA-users wrote:
It's the CentOS 7 client that's also reporting not being able to find
the name for the admin group ID.
After a lot of testing, I've narrowed the problem down to when I use ID
Views. As soon as I've applied an ID View on a server for a user that
changes that user's UID, the group ID error rears its ugly head. I
managed to replicate the same behaviour on Ubuntu 18, Ubuntu 22, CentOS
7, Rocky Linux 8 and AlmaLinux 9.
I haven't seen this issue in older releases of freeipa/IdM and I don't
believe I've made any configuration mistakes.
Here's what the general sssd.conf looks like on the clients:
[domain/idm.tld.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = idm.tld.com
ipa_server = _srv_, derpmaster01.idm.tld.com
ipa_hostname = derpclient01.idm.tld.com
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_sudo_full_refresh_interval = 10800
ldap_sudo_smart_refresh_interval = 450
entry_cache_timeout = 3600
entry_cache_sudo_timeout = 900
refresh_expired_interval = 2700
[domain/idm.tld.com/corp.ad.tld.com]
ad_site = site1
[sssd]
services = nss, sudo, pam, ssh
domains = idm.tld.com
[nss]
entry_cache_nowait_percentage = 75
default_shell = /bin/bash
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[session_recording]
Here's the sssd.conf config on the masters:
[domain/idm.tld.com]
id_provider = ipa
ipa_server_mode = True
ipa_server = derpmaster03.idm.tld.com
ipa_domain = idm.tld.com
ipa_hostname = derpmaster03.idm.tld.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomain_homedir = /folk/%u
sudo_provider = ipa
autofs_provider = ipa
subdomains_provider = ipa
session_provider = ipa
hostid_provider = ipa
[domain/idm.tld.com/corp.ad.tld.com]
ad_site = site2
[domain/corp.ad.tld.com]
ignore_group_members = True
subdomain_inherit = ignore_group_members
[sssd]
services = nss, pam, ssh, sudo, ifp
domains = idm.tld.com
[nss]
homedir_substring = /home
memcache_timeout = 600
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
allowed_uids = ipaapi, root
[session_recording]
Am I doing something incorrectly?
--
Ranbir