FreeIPA Kerberized NFSv4 Group Membership Issue

Hello,
We have a FreeIPA domain running with several NFS clients auto-mounting a Kerberized NFSv4 server (krb5p).

We're running the latest RHEL 7.6 on all nodes and everything is working great with one exception: it takes 24 hours after removing a user from an IPA group for them to lose access to a share.

Procedure:
1. User logs into NFS client and browses a group-restricted share.
2. FreeIPA admin removes that user from the group which grants access to the aforementioned share.
3. User logs out of the client, back in and browses the share again without issue (despite the group no longer appearing with the id/groups command).
4. Reboot the client or wait 24 hours and the user loses access as expected.

Is there a way to ensure group changes in IPA are immediately honored by the NFS clients?

Thanks!

Responses

Hi Keith,

If I remember it correctly, the sssd cache timers are by default set to 24h.

So the client does not refresh sooner.

So you need to tweak the sssd config on all clients.

Due to lack of experience I cannot help you, sorry.

Regards,

Jan Gerrit

Hi Jan, Thank you for your response!

Unfortunately, I think there is more to it than just the SSSD cache. I can clear the cache (systemctl stop sssd && sss_cache -E && rm -rf /var/lib/sss/db/* && systemctl start sssd) and the group changes are still not obeyed. I need to either reboot the box or wait a day.

Is there another cache I should be looking at? (I have also tried destroying and re-obtaining Kerberos tickets without any luck.)

-Keith
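For anyone reproducing the procedure from the original post, or checking whether the sss_cache flush from the reply above was enough, here is a small diagnostic script. It is an added example, not something posted in this thread or shipped with FreeIPA or nfs-utils. It compares what the client's identity stack says about a user's group membership (id -nG, i.e. SSSD) with whether that user can actually list the mounted share, and flags a mismatch as state that survives beyond the SSSD cache. The user, group and mount path are placeholders passed as arguments; runuser (util-linux) is assumed to be available, and the /proc/mounts line in the test is constructed.

```shell
#!/bin/sh
# Diagnostic helper for "group removed in IPA, NFS share still accessible".
# Added example, not from the thread. Assumptions: the share is an NFS mount
# listed in /proc/mounts, and runuser exists to run a command as the user.

# Print the value of one mount option (e.g. "sec") from a /proc/mounts line.
# $1 = the full mount line, $2 = option name. Prints nothing if absent.
mount_option() {
    printf '%s\n' "$1" | awk -v opt="$2" '{
        n = split($4, opts, ",")          # field 4 is the option list
        for (i = 1; i <= n; i++) {
            split(opts[i], kv, "=")
            if (kv[1] == opt) { print kv[2]; exit }
        }
    }'
}

# Return 0 if group $2 appears in the space-separated group list $1
# (the list is what `id -nG user` prints).
in_group_list() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Compare the local group view with real access to the share.
# $1 = user, $2 = group that grants access, $3 = mount point of the share.
# Returns 0 when they agree, 1 on a mismatch, 2 if the share is not mounted.
check_share_access() {
    user="$1"; group="$2"; share="$3"
    line=$(awk -v s="$share" '$2 == s' /proc/mounts)
    [ -n "$line" ] || { echo "$share is not mounted"; return 2; }
    fstype=$(printf '%s\n' "$line" | awk '{ print $3 }')
    echo "mount: $share type=$fstype sec=$(mount_option "$line" sec) vers=$(mount_option "$line" vers)"

    if in_group_list "$(id -nG "$user")" "$group"; then
        echo "id/SSSD: $user IS a member of $group"; want=0
    else
        echo "id/SSSD: $user is NOT a member of $group"; want=1
    fi

    # Actual access test: list the share as the user (needs r+x on the dir).
    if runuser -u "$user" -- ls "$share" >/dev/null 2>&1; then
        echo "NFS: $user CAN list $share"; got=0
    else
        echo "NFS: $user CANNOT list $share"; got=1
    fi

    if [ "$want" -ne "$got" ]; then
        echo "MISMATCH: local group membership and server-granted access disagree;"
        echo "          the stale state lives beyond the sssd cache (sss_cache -E had no effect)"
        return 1
    fi
    echo "OK: access matches group membership"
    return 0
}

# Usage: sh check_share.sh USER GROUP /mount/point
if [ "$#" -eq 3 ]; then
    check_share_access "$1" "$2" "$3"
fi
```

Run it once before the group change, once right after sss_cache -E, and once after the reboot or the 24 hours: the first two runs reporting MISMATCH while the third reports OK is exactly the behaviour the thread describes, and it tells you the cache you still need to find is not the one id and groups read from.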

Bump! Anyone have experience with FreeIPA groups and Kerberized NFSv4?

Bueller? Anyone? :)