On 22 August 2017 at 00:46, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Mon, Aug 21, 2017 at 10:24:50AM +1000, Lachlan Musicman wrote:
> On 18 August 2017 at 17:33, Jakub Hrozek <jhrozek@redhat.com> wrote:
>
> Hmmm. Weird. We are still seeing the "AD group not reflected in cache"
> problem and are not seeing evidence of SSSD updating from the IPA server on
> request (via login from other machine, via id command).
>
> We have debug_level = 7 in [pam] and [domain/loremipsum], I have now added
> to [sssd] and [ssh] and will restart.
>
> Is there anything I should be looking out for?

The only other thing I can think of is the group scope. Please make sure
the group is not domain-local, other scopes will do.

Hmmm. No, the group is Universal, so that's ruled out. I'm really interested in this one. I wonder if it's because the ipa in CentOS is so ancient?

I added a user override yesterday and it's not noticeably changed at all - her account still id's with the AD UID (1750704475) instead of the local UID number (5685), and there's no recognition that her account has been added to the appropriate group.

I have tried all of the following without success:

sss_cache -u <username>
systemctl stop sssd; sss_cache -u <username>; systemctl start sssd;
systemctl stop sssd; sss_cache -E; systemctl start sssd;


I know that I can

systemctl stop sssd; rm -rf /var/lib/sss/db/*; systemctl start sssd;

I also know that this will *work*.

Unfortunately, we are finding with this set up (HBAC, pam.d, RStudio server) that it kills all active sessions, which is hard to manage on a high use node. ("Users get grumpy").

Also, I saw you mention recently that you wish people didn't do it, so I'm taking this opportunity to provide a debug opportunity - how do we make sss_cache work?

cheers
L.

------
"The antidote to apocalypticism is apocalyptic civics. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together. "

Greg Bloom @greggish https://twitter.com/greggish/status/873177525903609857
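The message above lists the sss_cache invocations that were tried without visible effect. As an added example (not part of this thread and not SSSD's own code), here is a small POSIX shell helper that reads an LDIF dump of the SSSD cache, as printed by ldbsearch against /var/lib/sss/db/cache_<domain>.ldb, and reports for each entry whether sss_cache actually marked it as expired: sss_cache invalidates an entry by setting its dataExpireTimestamp to 1, so a user or group whose entry still carries a future timestamp was never invalidated, and one carrying 1 after an id lookup was invalidated but never refreshed by the backend. The domain name loremipsum, the user and group names and the timestamps in the embedded sample are constructed for illustration; the ldbsearch command line and the cache path are real.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies SSSD sysdb cache entries
# from an LDIF dump (ldbsearch output) by their dataExpireTimestamp.

# sssd_cache_status [NOW]
#   Reads LDIF on stdin and prints "<dn> <status>" per entry, where status is
#   expired (timestamp <= 1, i.e. marked by sss_cache), stale (timestamp in
#   the past, refresh due on next lookup), valid (timestamp in the future) or
#   no-timestamp. NOW defaults to the current epoch; pass it explicitly for
#   reproducible runs. LDIF line folding (continuation lines starting with a
#   space) is not unfolded, which is fine for the short attributes read here.
sssd_cache_status() {
  now=${1:-$(date +%s)}
  awk -v now="$now" '
    function flush() {
      if (dn != "") {
        status = "valid"
        if (ts == "")            status = "no-timestamp"
        else if (ts + 0 <= 1)    status = "expired"
        else if (ts + 0 < now)   status = "stale"
        print dn " " status
      }
      dn = ""; ts = ""
    }
    /^dn: /                  { flush(); dn = substr($0, 5) }
    /^dataExpireTimestamp: / { ts = $2 }
    /^$/                     { flush() }
    END                      { flush() }
  '
}

# Constructed sample in the shape ldbsearch prints. Entry 1 looks like a user
# that sss_cache -u has just invalidated, entry 2 like a group whose cache
# lifetime has lapsed, entry 3 like a group still inside its lifetime.
SAMPLE_LDIF='# record 1
dn: name=alice@loremipsum,cn=users,cn=loremipsum,cn=sysdb
name: alice@loremipsum
uidNumber: 1750704475
memberOf: name=analysts@loremipsum,cn=groups,cn=loremipsum,cn=sysdb
dataExpireTimestamp: 1

# record 2
dn: name=analysts@loremipsum,cn=groups,cn=loremipsum,cn=sysdb
name: analysts@loremipsum
dataExpireTimestamp: 1500000000

# record 3
dn: name=admins@loremipsum,cn=groups,cn=loremipsum,cn=sysdb
name: admins@loremipsum
dataExpireTimestamp: 4000000000
'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LDIF" | sssd_cache_status

# Against a live cache (needs ldb-tools; run as root; reading the ldb file is
# safe while sssd keeps running, unlike deleting /var/lib/sss/db/*):
#   ldbsearch -H /var/lib/sss/db/cache_loremipsum.ldb '(name=alice*)' \
#       dataExpireTimestamp memberOf uidNumber | sssd_cache_status
```

Run the ldbsearch pipeline once right after sss_cache -u and once more after an id lookup of the same user: the first run should show the user entry as expired; if the second still shows it as expired, the lookup never reached the backend or the backend reply was not written to the cache, which narrows the search in the debug logs considerably.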