We use FreeIPA/SSSD to authenticate our RStudio Server, which we control via HBAC membership of an AD group.
Our users are having their sessions ended frequently - once a day or more - with the logged message:
17 Aug 2017 05:16:21 [rserver] WARNING User <user>@<domain> could not be authenticated because they do not belong to one of the required groups (rstudio); LOGGED FROM: bool rstudio::server::auth::validateUser(const std::string&, const std::string&, unsigned int, bool) /root/rstudio-pro/src/cpp/server/auth/ServerValidateUser.cpp:103
Most likely this is partially because RStudio server is overly aggressive, but I am also noticing that their log is telling the truth:
id <user>@<domain>
is not returning the full membership set of the user - in particular the user group overrides are not being registered. I.e., I can see that <user> is in the appropriate AD group, but the IPA group that overrides it isn't being reported.
And hence the user is getting booted.
So, two questions:
1. Why is the group override not working, and how can I get it working or change our setup so that it does work?
2. If this is because users are being timed out of the sss db cache (/var/lib/sss/db/cache_<domain>.ldb), how can I set the cache refresh to a much, much longer period?
cheers L.
sssd-users@lists.fedorahosted.org