Hi Alexander,

>>I don’t see any ‘memberUid’ attributes, but would expect to see about 8 members.

>Do you get those users from sssd? 
>E.g. 'getent group lcm-managedlinux@localdomain'?

No, this returns an empty list:

# getent group lcm-managedlinux@localdomain
lcm-managedlinux@localdomain:*:1388937688:

Due to the huge size of our AD and the large number of groups that most users belong to, we have these settings on IPA masters:

ignore_group_members = True
subdomain_inherit = ignore_group_members

So it seems that this is the likely reason that the compat tree is not enumerating group membership?

But if we were to change our configuration settings there would likely be a large performance penalty.

Regards,

Robert.

From: Alexander Bokovoy <abokovoy@redhat.com>
Sent: Tuesday, 17 July 2018 5:47 PM
To: FreeIPA users list
Cc: Robert Sturrock
Subject: Re: [Freeipa-users] AD group membership information not enumerated in the cn=compat tree?

On Tue, 17 Jul 2018, Robert Sturrock via FreeIPA-users wrote:
>Hello.
>
>We are using FreeIPA primarily to connect our Linux fleet efficiently
>to our organisational AD and it’s working well in that capacity.
>
>However, we are investigating a number of different enterprise NAS
>solutions to provide (kerberized) NFSv4 file services to this fleet.
>We were hoping to integrate these NAS appliances with IPA by way of the
>compat tree, since they don’t offer native IPA providers.
>
>This works to a point, but I’ve noticed that the compat tree does not
>seem to enumerate *group membership* for the AD trust users.
>
>For example, when I lookup one of my groups with an ldapsearch against
>one of the IPA masters I see:
>
> dn: cn=lcm-managedlinux@localdomain,cn=groups,cn=compat,dc=ipa,dc=localdomain
> objectClass: ipaOverrideTarget
> objectClass: posixGroup
> objectClass: ipaexternalgroup
> objectClass: top
> cn: lcm-managedlinux@localdomain
> gidNumber: 1388937688
> ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yMDc4Nzk1NTYxLTQyMzMwMDU2NTctMzI2MTkwNjQ2Mi0xMzc2ODg=
>
>I don’t see any ‘memberUid’ attributes, but would expect to see about 8 members.
Do you get those users from sssd?
E.g. 'getent group lcm-managedlinux@localdomain'?
>Is this expected behaviour, or is there some additional configuration
>needed to obtain this functionality?
>
>Some searching online brought up these references ('Enable compat tree
>to provide information about AD users and groups on trust agents’)
>
> - https://bugzilla.redhat.com/show_bug.cgi?id=1585020
> - https://pagure.io/freeipa/issue/7600
>
>These read very similarly to the behaviour we’re seeing.
Those bugs are about trust agents, not trust controllers. If you only
have this on trust controllers, you have a different bug, if any.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
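As an added diagnostic for the situation Robert describes (this is not code from the thread, nor part of FreeIPA or SSSD): a small shell helper that reads an sssd.conf excerpt together with one `getent group` line and reports whether an empty member list is explained by `ignore_group_members` being inherited by the trusted subdomain. The sssd.conf text, section name and getent line are constructed samples modelled on the values quoted above.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread, not part of FreeIPA or SSSD).
# Given an sssd.conf excerpt and one 'getent group' line, report whether an
# empty member list is explained by inherited ignore_group_members. Constructed samples.

# Constructed sssd.conf excerpt mirroring the settings quoted in the thread.
SAMPLE_SSSD_CONF='[domain/ipa.localdomain]
id_provider = ipa
ignore_group_members = True
subdomain_inherit = ignore_group_members
'

# Constructed getent output: the group resolves, but the member field is empty.
SAMPLE_GETENT='lcm-managedlinux@localdomain:*:1388937688:'

# sssd_opt CONF SECTION KEY -> prints KEY's value inside [SECTION], or nothing.
sssd_opt() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }'
}

# getent_members LINE -> prints the member list (fourth field of group(5) format).
getent_members() {
    printf '%s\n' "$1" | cut -d: -f4
}

# diagnose CONF SECTION GETENT_LINE -> prints one of:
#   ok          members are present
#   inherited   ignore_group_members=True and inherited by subdomains: explains the empty list
#   local-only  ignore_group_members=True only for the IPA domain, AD groups should still expand
#   unexplained members missing although group expansion is enabled
diagnose() {
    members=$(getent_members "$3")
    if [ -n "$members" ]; then echo ok; return 0; fi
    igm=$(sssd_opt "$1" "$2" ignore_group_members | tr 'A-Z' 'a-z')
    inherit=$(sssd_opt "$1" "$2" subdomain_inherit | tr -d ' \t')
    if [ "$igm" = "true" ]; then
        case ",$inherit," in
            *,ignore_group_members,*) echo inherited ;;
            *) echo local-only ;;
        esac
    else
        echo unexplained
    fi
}

diagnose "$SAMPLE_SSSD_CONF" domain/ipa.localdomain "$SAMPLE_GETENT"   # prints: inherited
```

Run it against the real `/etc/sssd/sssd.conf` section and `getent group <group>@<domain>` output on an IPA master to separate a configuration effect from an actual compat-tree bug.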