Hi,
Recently we established a one-way trust between our FreeIPA server and a client’s AD
domain.
Users and groups have been created and mapped; we are now testing user access, hbac and
sudo rules.
An issue we came across is that on all clients we need to restart SSSD for the correct user groups and group membership to appear in the output of the id and getent commands.
Check test_user user and group membership:
[root@server1 root]# id test_user@ad.domain.com
uid=370001170(test_user@ad.domain.com) gid=370001170(test_user@ad.domain.com) groups=370001170(test_user@ad.domain.com)
[root@server1 root]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
Recheck user, new groups appear.
[root@server1 root]# id test_user@ad.domain.com
uid=370001170(test_user@ad.domain.com) gid=370001170(test_user@ad.domain.com) groups=370001170(test_user@ad.domain.com),370001628(ad_group@ad.domain.com),1262600020(posix_group),370000513(domain users@ad.domain.com)
370001628(ad_group@ad.domain.com) and 1262600020(posix_group) are the FreeIPA posix group and the mapped AD group.
Another thing is that although an SSSD restart appears to resolve the issue, when checking the next user group we need to do the same exercise.
Check test_user2 user and group membership:
root@server1 root# id test_user2@ad_domain
uid=370001175(test_user2@ad_domain) gid=370001175(test_user2@ad_domain)
groups=370001175(test_user2@ad_domain),370000513(domain users@ad_domain)
root@server1 root# getent group posix_group2
[empty response]
Responses are not correct. Restart SSSD.
root@server1 root# service sssd restart
Check again:
root@server1 root# id test_user2@ad_domain
uid=370001175(test_user2@ad_domain) gid=370001175(test_user2@ad_domain)
groups=370001175(test_user2@ad_domain),370000513(domain users@ad_domain),370001634(ad_group2@ad_domain),1262600032(posix_group2)
root@server1 root# getent group posix_group2
ad_pis_users:*:1262600032:test_user2@ad_domain
Response is correct and users can login according to hbac and sudo rules.
Our FreeIPA server version is: 4.6.6-11.el7.centos
Is there something we have missing in our configuration?
Thanks,
Anestis
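As an added example that is not part of Anestis's post, the POSIX shell helper below checks whether a user's `id` output contains the groups you expect and, when it does not, invalidates only that user's cached entry with `sss_cache -u` before looking the user up again, instead of restarting the whole SSSD service. It assumes the client has `sss_cache(8)` from the sssd package and that the expected group names are known; it says nothing about why the cached entries were stale in the first place.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the SSSD client
# provides sss_cache(8) (sssd package) and that the expected group names
# for the user are known. A targeted alternative to restarting SSSD; it
# does not explain why the cached entries were stale.

# group_names ID_OUTPUT: print one group name per line from the
# "groups=" field of `id` output. Splitting on commas keeps names that
# contain spaces (e.g. "domain users@ad.domain.com") intact.
group_names() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# missing_groups ID_OUTPUT GROUP...: print each expected GROUP that is
# absent from ID_OUTPUT, one per line; prints nothing when all are present.
missing_groups() {
    _id_out=$1
    shift
    _names=$(group_names "$_id_out")
    for _g in "$@"; do
        printf '%s\n' "$_names" | grep -qxF -e "$_g" || printf '%s\n' "$_g"
    done
}

# check_user USER GROUP...: run `id USER`; if an expected group is missing,
# invalidate only that user's cached entry with `sss_cache -u` (rather than
# restarting sssd) and look the user up again. Returns 0 when every expected
# group is present after the recheck, 1 otherwise, 2 if USER cannot be resolved.
check_user() {
    _user=$1
    shift
    _out=$(id "$_user") || return 2
    _missing=$(missing_groups "$_out" "$@")
    if [ -n "$_missing" ]; then
        printf 'stale entry for %s, missing: %s\n' "$_user" \
            "$(printf '%s' "$_missing" | tr '\n' ' ')" >&2
        sss_cache -u "$_user"            # drop this user's entry from the SSSD cache
        _out=$(id "$_user") || return 2
        _missing=$(missing_groups "$_out" "$@")
    fi
    [ -z "$_missing" ]
}

# Usage on a client (names taken from the post):
#   check_user test_user@ad.domain.com posix_group ad_group@ad.domain.com
#   getent group posix_group          # should now list the AD user as a member
```

`sss_cache -g <group>` does the same for a single group entry and `sss_cache -E` invalidates everything in the cache; both are narrower than a service restart, and neither drops the Kerberos state that a restart also discards, which makes it easier to tell a caching problem from something else.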