HBAC rules fail randomly for AD users on RHEL7.1

Solution In Progress - Updated -

Issue

The system is a RHEL7.1 IPA client which is a member of an AD domain trusted by a RHEL7.1 IPA domain. Things work fine for a day or so, and then users start getting access denied by HBAC rules. I see this in the domain log when they attempt to log in:

(Tue Oct 27 05:36:33 2015) [sssd[be[domain.linux]]] [hbac_eval_user_element] (0x1000): [3] groups for [user1@domain.local]
(Tue Oct 27 05:36:33 2015) [sssd[be[domain.linux]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules

hbactest passes on both the client and the server.

[root@hostname sssd]# ipa hbactest --user user1@domain.local --host 'hostname.domain.linux' --service sshd
-------------------- 
Access granted: True 
-------------------- 
  Matched rules: allow_users
  Not matched rules: allow_all

Environment

Red Hat Enterprise Linux 7.1
ipa-server-4.1.0-18.el7_1.3.x86_64
sssd-1.12.2-58.el7_1.14.x86_64
Trusted Active Directory domain
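
Triage aid for the sssd domain log quoted in the Issue section (an added example, not part of the original article or of sssd): it pairs each hbac_eval_user_element group-count line with a following "Access denied by HBAC rules" line, so the group count sssd evaluated on denied logins can be compared with other evaluations. It assumes the two lines of one request are logged consecutively by the backend; the function names and the first sample line (including its group count) are constructed for illustration.

```python
import re
from collections import defaultdict

# sssd debug-log layout as shown in the Issue section:
# (timestamp) [sssd[be[domain]]] [function] (level): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
                  r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
GROUPS = re.compile(r"^\[(\d+)\] groups for \[([^\]]+)\]")

# Constructed sample: the first line is invented; the last two are from the page.
SAMPLE = """\
(Mon Oct 26 09:12:01 2015) [sssd[be[domain.linux]]] [hbac_eval_user_element] (0x1000): [5] groups for [user1@domain.local]
(Tue Oct 27 05:36:33 2015) [sssd[be[domain.linux]]] [hbac_eval_user_element] (0x1000): [3] groups for [user1@domain.local]
(Tue Oct 27 05:36:33 2015) [sssd[be[domain.linux]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
""".splitlines()

def hbac_evaluations(lines):
    """Return one record per HBAC evaluation: ts, user, groups, denied."""
    records, current = [], None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sssd backend debug line
        if m["func"] == "hbac_eval_user_element":
            g = GROUPS.match(m["msg"])
            if g:
                current = {"ts": m["ts"], "user": g[2],
                           "groups": int(g[1]), "denied": False}
                records.append(current)
        elif (m["func"] == "ipa_hbac_evaluate_rules" and current
              and m["msg"].startswith("Access denied by HBAC rules")):
            # Assumption: the denial belongs to the most recent evaluation.
            current["denied"] = True
            current = None
    return records

def group_counts_by_outcome(records):
    """Per user, the distinct group counts seen with and without a denial."""
    out = defaultdict(lambda: {"denied": set(), "not_denied": set()})
    for r in records:
        out[r["user"]]["denied" if r["denied"] else "not_denied"].add(r["groups"])
    return dict(out)

if __name__ == "__main__":
    for user, counts in group_counts_by_outcome(hbac_evaluations(SAMPLE)).items():
        print(user, counts)
```

On a real client, pass the lines of the domain log to hbac_evaluations() in place of SAMPLE; the group-count lines are logged at level 0x1000, so the debug level must be high enough to include them.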
