On 3/23/21 10:38 AM, Miguel Hinojosa via FreeIPA-users wrote:
We're facing some intermittent failures in IPA server, where the
corresponding IPA groups are not mapped correctly (some or all ipa groups are missing).
Short description of the set up: 2 IPA server nodes, both have a trust with AD servers
that act as authenticators. The AD users get mapped based on Unix Attributes, and in IPA
they belong to certain IPA groups for granting them access to server groups and sudo
rules.
What we're facing now is what seems to be a cache corruption or at least alteration
with some information not being reflected in the cache. The workaround for now is to
delete the cache (sometimes on the client only, but occasionally it also needs to be deleted
on the server). After that, the IPA groups are reported correctly again, but
eventually, after some 5 or 10 minutes, the groups are wrong again and users cannot log in
(because they are not reported to belong to the group(s) that have access to the given
server).
The issue started after we patched (yum update) the first node. We did not run the
ipa-server-upgrade command right after the OS update. We ran it about a week later, and it
reported having completed successfully. But the malfunction still persists.
Let us know which logs or config files we could provide you.
Hi,
Which IPA + SSSD versions are installed on the server/client?
Your issue looks similar to
https://pagure.io/freeipa/issue/8044 but
this problem was fixed a while ago.
In order to troubleshoot, you can add debug_level = 9 to sssd.conf, see
[1] for more information.
Does the id command return the correct list of groups on the master
configured as trust controller (group id and group name are present in
"id" output)?
Are the missing groups defined on AD side or on IPA side?
flo
[1]
https://sssd.io/docs/users/troubleshooting.html
Thanks and regards
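A small checker for the `id` output flo asks about, added here as an example and not part of the thread: it parses `id` output and reports groups that come back as a bare numeric GID (no name resolved, a common sign of a stale SSSD cache on a trust client) and expected IPA groups that are absent altogether. The sample `id` line and the group names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Sample data is constructed.

# Emit "gid<TAB>name" per group from the output of `id user` ($1).
# Handles the optional trailing "context=" field printed on SELinux hosts.
parse_id_groups() {
    glist=${1##*groups=}
    glist=${glist%% context=*}
    old_ifs=$IFS; IFS=','
    for entry in $glist; do
        gid=${entry%%(*}
        case $entry in
            *\(*\)) name=${entry#*(}; name=${name%)} ;;
            *) name= ;;
        esac
        printf '%s\t%s\n' "$gid" "$name"
    done
    IFS=$old_ifs
}

# Groups that id could not resolve to a name (numeric GID only).
unnamed_groups() {
    parse_id_groups "$1" | awk -F'\t' '$2 == "" { print $1 }'
}

# Expected group names ($2...) that do not appear in the id output ($1).
missing_groups() {
    out=$1; shift
    names=$(parse_id_groups "$out" | cut -f2)
    for want in "$@"; do
        printf '%s\n' "$names" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample: one AD group resolved, one IPA group resolved,
# one GID with no name, and the IPA access group missing entirely.
SAMPLE_ID='uid=1234567890(aduser@ad.example) gid=1234567890(aduser@ad.example) groups=1234567890(aduser@ad.example),1234500001(domain users@ad.example),1999000005(ipa_sudo_admins),99000042 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

echo "unresolved GIDs: $(unnamed_groups "$SAMPLE_ID")"
echo "missing expected groups: $(missing_groups "$SAMPLE_ID" ipa_sudo_admins ipa_server_access)"
```

Run the same functions against `id <user>` on a client and on the trust controller; a GID without a name on one side only points at that side's SSSD cache.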
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org