We use FreeIPA/SSSD to authenticate our RStudio Server, which we control via HBAC membership of an AD group.

Our users are having their sessions ended frequently - once a day or more - with the logged message:

17 Aug 2017 05:16:21 [rserver] WARNING User <user>@<domain> could not be authenticated because they do not belong to one of the required groups (rstudio); LOGGED FROM: bool rstudio::server::auth::validateUser(const std::string&, const std::string&, unsigned int, bool) /root/rstudio-pro/src/cpp/server/auth/ServerValidateUser.cpp:103

Most likely this is partially because RStudio server is overly aggressive, but I am also noticing that their log is telling the truth:

id <user>@<domain>

is not returning the full membership set of the user - in particular, the user group overrides are not being registered. I.e., I can see that <user> is in the appropriate AD group, but the IPA group that overrides it isn't being reported.

And hence the user is getting booted.

So, two questions:

1. Why is the group override not working, and how can I get it working or change our setup so that it does work?

2. If this is because users are being timed out of the sss db cache (/var/lib/sss/db/cache_<domain>.ldb), how can I set the cache refresh to a much, much longer period?

cheers
L.




------
"The antidote to apocalypticism is apocalyptic civics. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together. "

Greg Bloom @greggish https://twitter.com/greggish/status/873177525903609857