On 18 August 2017 at 17:33, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Thu, Aug 17, 2017 at 03:36:20PM +1000, Lachlan Musicman wrote:
> We use FreeIPA/SSSD to authenticate our RStudio Server, which we control
> via HBAC membership of an AD group.
...
> 1. Why is the group override not working and how can I get it working or
> change our set up so that it does work

Could you please describe how you set up the group membership with the
override so that we could set up a similar environment locally?


Users that are allowed to use the system belong to an AD group called bioinf_rstudio

In IPA (Centos 7.3, IPA v 4.4.0.14.el7 API: 2.213) there is

 - an external group called ad_rstudio, with an external member, bioinf_rstudio@<ad-domain>
 - a posix group called rstudio that has the external group ad_rstudio as a user group member
 - it has a single HBAC rule associated, called rstudio_access

 - rstudio_access allows users in the (posix) rstudio group access to the single server rstudio@<unix-domain> with the services login, rstudio and sshd.

The rstudio service has nothing else going on - it's just a label.

On the rstudio@<unix-domain> server we have a single file called /etc/pam.d/rstudio which contains

#%PAM-1.0
auth      required       pam_sss.so
account   required       pam_sss.so


> 2. If this is because users are being timed out of the sss db cache
> (/var/lib/sss/db/cache_<domain>.ldb ), how can I set the cache refresh to a
> much much longer period?

During login, the group membership should always be fetched again from
the server, so the cache should effectively be ignored, precisely because
we want the group membership to be very precise during login. The only
additional cache might be the sssd cache for the AD domain data, because
the identity data of the AD users are fetched from the IPA server.

But unless your group memberships or overrides are changing a lot, this
shouldn't be an issue.


Hmmm. Weird. We are still seeing the "AD group not reflected in cache" problem and are not seeing evidence of SSSD updating from the IPA server on request (via login from another machine, via the id command).

We have debug_level = 7 in [pam] and [domain/loremipsum], I have now added to [sssd] and [ssh] and will restart.

Is there anything I should be looking out for?

We are using sssd 1.15.3 from COPR for Centos 7.3

cheers
L.
------
"The antidote to apocalypticism is apocalyptic civics. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together. "

Greg Bloom @greggish https://twitter.com/greggish/status/873177525903609857
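As an added example (not code from this thread, nor FreeIPA's or SSSD's own), the setup Lachlan describes above expressed as the ipa commands that create it, followed by the two checks a practitioner would run before blaming the cache: ipa hbactest on the server and an SSSD cache expiry plus PAM account check on the rstudio host. The domain names, the test user and the variable names AD_DOMAIN, UNIX_DOMAIN and TEST_USER are placeholders I introduced for the "<ad-domain>" and "<unix-domain>" redacted in the post; set them before running.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeIPA/SSSD): the IPA objects
# described in the post, built with the ipa CLI, plus the checks for whether the
# AD group membership actually reaches the rstudio host.
# Assumed placeholders, set in the environment before running:
#   AD_DOMAIN    the AD realm behind "<ad-domain>" in the post
#   UNIX_DOMAIN  the IPA domain behind "<unix-domain>" in the post
#   TEST_USER    an AD account that is a member of bioinf_rstudio
# DRY_RUN=1 prints each command instead of executing it.

AD_DOMAIN="${AD_DOMAIN:-ad.example.test}"       # hypothetical default
UNIX_DOMAIN="${UNIX_DOMAIN:-unix.example.test}" # hypothetical default
TEST_USER="${TEST_USER:-jdoe}"                  # hypothetical default

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Run once with an IPA admin ticket (kinit admin). Mirrors the post:
# external group -> POSIX group -> HBAC rule for login, rstudio and sshd.
ipa_setup_rstudio_access() {
    run ipa group-add --external ad_rstudio --desc "AD bioinf_rstudio mapped into IPA"
    run ipa group-add-member ad_rstudio --external "bioinf_rstudio@${AD_DOMAIN}"
    run ipa group-add rstudio --desc "POSIX group that grants RStudio access"
    run ipa group-add-member rstudio --groups ad_rstudio
    # "rstudio" is only a label: the HBAC service name that /etc/pam.d/rstudio maps to.
    run ipa hbacsvc-add rstudio --desc "PAM service name used by RStudio Server"
    run ipa hbacrule-add rstudio_access
    run ipa hbacrule-add-user rstudio_access --groups rstudio
    run ipa hbacrule-add-host rstudio_access --hosts "rstudio.${UNIX_DOMAIN}"
    run ipa hbacrule-add-service rstudio_access --hbacsvcs login --hbacsvcs rstudio --hbacsvcs sshd
}

# Server-side check: ask the IPA server to evaluate the rule for the test user.
# A denial here means the group mapping on the server is wrong, not the client cache.
ipa_verify_rstudio_access() {
    for svc in login rstudio sshd; do
        run ipa hbactest --user "${TEST_USER}@${AD_DOMAIN}" \
            --host "rstudio.${UNIX_DOMAIN}" --service "$svc"
    done
}

# Client-side check, run as root on the rstudio host. Expire every entry in the
# SSSD cache, resolve the user again, then ask the PAM responder for an account
# check against the rstudio service, which is the step HBAC gates.
# The IPA server's own SSSD caches the AD identity data it hands to clients
# (see the reply above), so run "sss_cache -E" there too if groups still look stale.
sssd_recheck_membership() {
    run sss_cache -E
    run id "${TEST_USER}@${AD_DOMAIN}"
    run sssctl user-checks -s rstudio -a acct "${TEST_USER}@${AD_DOMAIN}"
}

case "${1:-}" in
    setup)   ipa_setup_rstudio_access ;;
    verify)  ipa_verify_rstudio_access ;;
    recheck) sssd_recheck_membership ;;
    "")      ;;   # sourced or run without a verb: only define the functions
    *)       echo "usage: $0 setup|verify|recheck" >&2 ;;
esac
```

Run "setup" and "verify" where an admin ticket is available, then "recheck" on the rstudio host. With debug_level raised as in the thread, the PAM responder's decision for the rstudio service is written to /var/log/sssd/sssd_pam.log and the HBAC evaluation and group lookups to /var/log/sssd/sssd_<domain>.log on that host; compare the group list those lines show against the output of the id command to see whether the AD membership arrived.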