@@ -406,6 +406,15 @@
can set the ``ad_enabled_domains`` option to selectively enable only
the reachable domains.
+ * SSSD keeps switching to offline mode with a ``DEBUG`` message saying ``Service resolving timeout reached``
+
+ * This might happen if the service resolution reaches the configured
+ time out before SSSD is able to perform all the steps needed for service
+ resolution in a complex AD forest, such as locating the site or cycling
+ over unreachable DCs. Please check the ``FAILOVER`` section in the
+ man pages Often, increasing the ``dns_resolver_timeout`` option
+ helps to allow more time for the service discovery.
+
* A group my user is a member of doesn't display in the ``id`` output
* Cases like this are best debugged from an empty cache. Check if the
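Review bot: The sentence "Please check the ``FAILOVER`` section in the man pages Often, increasing the ``dns_resolver_timeout`` option helps" is missing its full stop and should say which man page, since the ``FAILOVER`` section that documents ``dns_resolver_timeout`` is in sssd.conf(5); suggest "Please check the ``FAILOVER`` section in sssd.conf(5). Often, increasing the ``dns_resolver_timeout`` option gives service discovery enough time." In the same bullet, "time out" should be "timeout" to match the option name, and since the text talks about sites and DCs in an AD forest it would help to say explicitly that the option goes into the ``[domain/...]`` section of the affected AD domain, so the reader knows where to raise it.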
@@ -549,11 +558,24 @@
* Use the ``ipa hbactest`` utility on the IPA server to see if the user is permitted access. The SSSD uses the same code as ``ipa hbactest``
+ * In an IPA-AD trust setup, a user from the AD domain only lists his AD group membership, not the IPA external groups
* HBAC prevents access for a user from a trusted AD domain, where the HBAC rule is mapped to an IPA group via an AD group
* Make sure the group scope of the AD group mapped to the rule is not
`domain-local`. Domain-local groups can't cross the trust boundary and
cannot be therefore used for HBAC rules.
+ * Check the keytab on the IPA client and make sure that it only contains
+ entries from the IPA domain. If the keytab contains an entry from the
+ AD domain, the PAC code might pick this entry for an AD user and then
+ the PAC would only contain the AD groups, because the PAC would then
+ be verified with the help of the AD KDC which knows nothing about the
+ IPA groups and removes them from the PAC
+ * Check the PAC with the help of a
+ `dedicated IPA wiki page <https://www.freeipa.org/page/Howto/Inspecting_the_PAC>`_
+ If the PAC contains the group, but it is not displayed on the client, then the issue
+ is on the client side. If the PAC doesn't display the group in the PAC, then the
+ issue is on the IPA KDC side. This would at least enable you to ask
+ better questions on the user support lists.
* There was an irritating `SSSD bug
<https://pagure.io/SSSD/sssd/issue/3382>`_ that manifested as SSSD not
listing some of the groups in the SSSD logs during the HBAC check. Make
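Review bot: The new sub-bullets beginning "+ * Check the keytab on the IPA client" and "+ * Check the PAC with the help of a" describe the symptom introduced by the new top-level item "+ * In an IPA-AD trust setup, a user from the AD domain only lists his AD group membership, not the IPA external groups", but as placed they land under the existing "HBAC prevents access for a user from a trusted AD domain" item, after its "domain-local" sub-bullet, while the new top-level item is left with no body and without the blank line that separates the other top-level items in this list. Suggest moving the keytab and PAC sub-bullets directly under the new item and adding the blank line before "* HBAC prevents access". Wording in the same hunk: "his AD group membership" reads better as "their AD group membership"; "removes them from the PAC" and the link line "`dedicated IPA wiki page <...>`_" both need a full stop before the sentence that follows ("... from the PAC." and "... Inspecting_the_PAC>`_."); "If the PAC doesn't display the group in the PAC" repeats "PAC" and can be "If the group is not in the PAC". Lastly, "the PAC would then be verified with the help of the AD KDC which knows nothing about the IPA groups and removes them" mixes verification with issuance: it is the KDC that issues the ticket that decides what the PAC contains, so if the intended point is that a ticket for the AD-domain keytab entry is issued by the AD KDC instead of the IPA KDC, which is why the IPA groups are never added, the sentence should say that.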
One is about IPA-AD setup troubleshooting, the other about service resolution. Both cases came up more than once, so it makes sense to document them.