SSSD intermittently failing to resolve external groups for an AD user in IPA-AD trust environment

Solution Verified - Updated -

Issue

Occasionally, AD users fail to log in to IPA clients due to HBAC errors.
IPA is linked to an AD server via an IPA <-> AD trust.
AD users are mapped to an external group within IPA, which in turn is mapped to a POSIX group used in an HBAC rule to allow access.

At times, during a login attempt, SSSD fails to see the external group information. As a result, the HBAC rule denies login access to the client.

Environment

IPA client - Red Hat Enterprise Linux Server release 6.6
IPA client - sssd-1.13.3-22.el6.x86_64
IPA Server - ipa-server-4.4.0-14.el7_3.7
