We use FreeIPA/SSSD to authenticate our RStudio Server, which we control
via HBAC membership of an AD group.
Our users are having their sessions ended frequently - once a day or more -
with the logged message:
17 Aug 2017 05:16:21 [rserver] WARNING User <user>@<domain> could not be
authenticated because they do not belong to one of the required groups
(rstudio); LOGGED FROM: bool rstudio::server::auth::validateUser(const
std::string&, const std::string&, unsigned int, bool)
/root/rstudio-pro/src/cpp/server/auth/ServerValidateUser.cpp:103
Most likely this is partially because RStudio server is overly aggressive,
but I am also noticing that their log is telling the truth:
id <user>@<domain>
is not returning the full membership set of the user - in particular the
user group overrides are not being registered. I.e., I can see that <user> is
in the appropriate AD group, but the IPA group that overrides it isn't
being reported.
And hence the user is getting booted.
So, two questions:
1. Why is the group override not working, and how can I get it working or
change our setup so that it does work?
2. If this is because users are being timed out of the sss db cache
(/var/lib/sss/db/cache_<domain>.ldb), how can I set the cache refresh to a
much, much longer period?
cheers
L.
------
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics
is the insistence that we cannot ignore the truth, nor should we panic
about it. It is a shared consciousness that our institutions have failed
and our ecosystem is collapsing, yet we are still here — and we are
creative agents who can shape our destinies. Apocalyptic civics is the
conviction that the only way out is through, and the only way through is
together. "
*Greg Bloom* @greggish
https://twitter.com/greggish/status/873177525903609857