Hi All.
We have IPA setup in an AD trust to support our Linux fleet. User home
directories are mounted from a Netapp filer (nfs4 with krb5). The filer
performs uid <-> uidNumber mapping required by kerberized nfs4 via IPA ldap
server.
This setup was working well until we patched our RHEL8 IPA servers last
week, specifically:
389-ds-base-1.4.3.23-14.module+el8.5.0+14377+c731dc97.x86_64
was updated to:
389-ds-base-1.4.3.28-7.module+el8.6.0+15293+4900ec12.x86_64
and,
ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
was updated to:
ipa-server-4.9.8-7.module+el8.6.0+14337+19b76db2.x86_64
This seems to have broken something in IPA, the Netapp filer is no longer
able to resolve uid,uidNumber mappings for AD trust users (it still works
for IPA users.
Ad trust is still working, and IPA clients are able to resolve AD users
through sssd, and log them in (only the home directories are not working).
Directory server logs an entry like the following when the filer attempt lo
look up an AD trust user:
[21/Nov/2022:16:46:22.551318734 +1100] conn=14684 op=1 BIND
dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain"
method=128 version=3
[21/Nov/2022:16:46:22.552177201 +1100] conn=14684 op=1 RESULT err=0 tag=97
nentries=0 wtime=0.000044925 optime=0.000864628 etime=0.000908138
dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain"
[21/Nov/2022:16:46:22.554028669 +1100] conn=14684 op=2 SRCH
base="dc=ipa,dc=localdomain" scope=2 filter=
"(&(objectClass=posixAccount)(uid=username@localdomain))"
<(&(objectClass=posixAccount)(uid=baybars(a)unimelb.edu.au))> attrs="uid
uidNumber gidNumber userPassword gecos homeDirectory loginShell"
[21/Nov/2022:16:46:22.554212462 +1100] conn=14684 op=2 RESULT err=0 tag=101
nentries=0 wtime=0.000072472 optime=0.000185686 etime=0.000256338
[21/Nov/2022:16:46:24.003556166 +1100] conn=14205 op=10 UNBIND
Any pointers appreciated!
Regards, Yanlish