Hi Alexander,
>> I don’t see any ‘memberUid’ attributes, but would expect to see
>> about 8 members.
> Do you get those users from sssd?
> E.g. 'getent group lcm-managedlinux@localdomain'?
No, this returns an empty list:
# getent group lcm-managedlinux@localdomain
lcm-managedlinux@localdomain:*:1388937688:
Due to the huge size of our AD and the large number of groups that most users belong to,
we have these settings on IPA masters:
ignore_group_members = True
subdomain_inherit = ignore_group_members
So it seems that this is the likely reason that the compat tree is not enumerating group
membership?
But if we were to change our configuration settings there would likely be a large
performance penalty.
Regards,
Robert.
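The two sssd.conf settings named above are the thread's own diagnosis. The following script is an added example, not code from the thread or from the FreeIPA/sssd projects: it reads those settings out of a domain section of an sssd.conf and states whether they account for an empty memberUid list. The sample config, the hostnames and the domain names in it are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: read the two sssd.conf settings the
# thread discusses (ignore_group_members and subdomain_inherit) for a domain
# section and say whether they explain empty memberUid lists in the compat tree.
# File paths, domain names and the sample config below are constructed.

# Print the value of KEY in section [domain/DOMAIN] of the sssd.conf at FILE.
# Prints nothing if the section or key is absent.
# Usage: sssd_domain_value FILE DOMAIN KEY
sssd_domain_value() {
    awk -v section="[domain/$2]" -v key="$3" '
        /^[ \t]*\[/ {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            in_section = (line == section)
            next
        }
        in_section && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }' "$1"
}

# Summarise the two settings for one domain section.
# Output: "<ignore_group_members> <inherited-by-subdomains>", e.g. "True yes".
# An absent ignore_group_members is reported as False (sssd's default).
# Usage: compat_member_diagnosis FILE DOMAIN
compat_member_diagnosis() {
    ignore=$(sssd_domain_value "$1" "$2" ignore_group_members)
    inherit=$(sssd_domain_value "$1" "$2" subdomain_inherit)
    case "$ignore" in
        [Tt]rue|TRUE|1) ignore=True ;;
        *) ignore=False ;;
    esac
    # subdomain_inherit is a comma-separated list; look for the exact option name.
    case ",$(printf '%s' "$inherit" | tr -d ' ')," in
        *,ignore_group_members,*) inherited=yes ;;
        *) inherited=no ;;
    esac
    printf '%s %s\n' "$ignore" "$inherited"
}

# Print the verdict in the terms used in the thread.
# Usage: explain_compat_members FILE DOMAIN
explain_compat_members() {
    file=$1; domain=$2
    set -- $(compat_member_diagnosis "$file" "$domain")
    if [ "$1" = True ]; then
        echo "[$domain] ignore_group_members=True: sssd does not resolve members, so"
        echo "  'getent group' and the cn=compat tree show no memberUid values."
        if [ "$2" = yes ]; then
            echo "  subdomain_inherit passes this on to trusted AD subdomains as well."
        fi
    else
        echo "[$domain] ignore_group_members is off: empty memberUid needs another cause."
    fi
}

# Constructed sample sssd.conf resembling the configuration the thread describes.
SAMPLE_SSSD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_SSSD_CONF"' EXIT
cat > "$SAMPLE_SSSD_CONF" <<'EOF'
[sssd]
domains = ipa.localdomain, other.example
services = nss, pam

[domain/ipa.localdomain]
id_provider = ipa
ipa_server = ipa-master.ipa.localdomain
ignore_group_members = True
subdomain_inherit = ignore_group_members

[domain/other.example]
id_provider = ldap
EOF

explain_compat_members "$SAMPLE_SSSD_CONF" ipa.localdomain
explain_compat_members "$SAMPLE_SSSD_CONF" other.example
```

Run it against a real file with `explain_compat_members /etc/sssd/sssd.conf <domain>` on each IPA master: a "True yes" verdict for the IPA domain is exactly the situation described above, where sssd never resolves members for the trusted AD domains, so neither `getent group` nor the compat tree can list them, and reverting it is what carries the performance cost for a large AD.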
________________________________
From: Alexander Bokovoy <abokovoy(a)redhat.com>
Sent: Tuesday, 17 July 2018 5:47 PM
To: FreeIPA users list
Cc: Robert Sturrock
Subject: Re: [Freeipa-users] AD group membership information not enumerated in the cn=compat tree?
On Tue, 17 Jul 2018, Robert Sturrock via FreeIPA-users wrote:
> Hello.
> We are using FreeIPA primarily to connect our Linux fleet efficiently
> to our organisational AD and it’s working well in that capacity.
> However, we are investigating a number of different enterprise NAS
> solutions to provide (kerberized) NFSv4 file services to this fleet.
> We were hoping to integrate these NAS appliances with IPA by way of the
> compat tree, since they don’t offer native IPA providers.
> This works to a point, but I’ve noticed that the compat tree does not
> seem to enumerate *group membership* for the AD trust users.
> For example, when I look up one of my groups with an ldapsearch against
> one of the IPA masters I see:
> dn: cn=lcm-managedlinux@localdomain,cn=groups,cn=compat,dc=ipa,dc=localdomain
> objectClass: ipaOverrideTarget
> objectClass: posixGroup
> objectClass: ipaexternalgroup
> objectClass: top
> cn: lcm-managedlinux@localdomain
> gidNumber: 1388937688
> ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yMDc4Nzk1NTYxLTQyMzMwMDU2NTctMzI2MTkwNjQ2Mi0xMzc2ODg=
> I don’t see any ‘memberUid’ attributes, but would expect to see about 8 members.
Do you get those users from sssd?
E.g. 'getent group lcm-managedlinux@localdomain'?
> Is this expected behaviour, or is there some additional configuration
> needed to obtain this functionality?
> Some searching online brought up these references ('Enable compat tree
> to provide information about AD users and groups on trust agents’)
> - https://bugzilla.redhat.com/show_bug.cgi?id=1585020
> - https://pagure.io/freeipa/issue/7600<https://pagure.io/freeipa/issue/7...
> These read very similarly to the behaviour we’re seeing.
Those bugs are about trust agents, not trust controllers. If you only
have this on trust controllers, you have a different bug, if any.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland