On ti, 22 marras 2022, Yanlish Hesap via FreeIPA-users wrote:
Hi All.
We have IPA setup in an AD trust to support our Linux fleet. User home directories are mounted from a Netapp filer (nfs4 with krb5). The filer performs uid <-> uidNumber mapping required by kerberized nfs4 via IPA ldap server.
This setup was working well until we patched our RHEL8 IPA servers last week, specifically: 389-ds-base-1.4.3.23-14.module+el8.5.0+14377+c731dc97.x86_64 was updated to: 389-ds-base-1.4.3.28-7.module+el8.6.0+15293+4900ec12.x86_64 and, ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64 was updated to: ipa-server-4.9.8-7.module+el8.6.0+14337+19b76db2.x86_64
This seems to have broken something in IPA, the Netapp filer is no longer able to resolve uid,uidNumber mappings for AD trust users (it still works for IPA users.
Ad trust is still working, and IPA clients are able to resolve AD users through sssd, and log them in (only the home directories are not working).
Directory server logs an entry like the following when the filer attempt lo look up an AD trust user: [21/Nov/2022:16:46:22.551318734 +1100] conn=14684 op=1 BIND dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain" method=128 version=3 [21/Nov/2022:16:46:22.552177201 +1100] conn=14684 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000044925 optime=0.000864628 etime=0.000908138 dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain" [21/Nov/2022:16:46:22.554028669 +1100] conn=14684 op=2 SRCH base="dc=ipa,dc=localdomain" scope=2 filter= "(&(objectClass=posixAccount)(uid=username@localdomain))" <(&(objectClass=posixAccount)(uid=baybars@unimelb.edu.au))> attrs="uid uidNumber gidNumber userPassword gecos homeDirectory loginShell" [21/Nov/2022:16:46:22.554212462 +1100] conn=14684 op=2 RESULT err=0 tag=101 nentries=0 wtime=0.000072472 optime=0.000185686 etime=0.000256338 [21/Nov/2022:16:46:24.003556166 +1100] conn=14205 op=10 UNBIND
Any pointers appreciated!
This looks like you are relying on the compat tree functionality for represent AD users in the compat tree (cn=compat,$BASEDN). Compat tree is using SSSD on IPA master to resolve these requests so there should be traces of those operations, if it succeeded/failed. Raise debug logs in SSSD to see those.