Hi All.
We have IPA set up in an AD trust to support our Linux fleet. User home directories are mounted from a Netapp filer (nfs4 with krb5). The filer performs the uid <-> uidNumber mapping required by kerberized nfs4 via the IPA LDAP server.
This setup was working well until we patched our RHEL8 IPA servers last week, specifically:
389-ds-base-1.4.3.23-14.module+el8.5.0+14377+c731dc97.x86_64
was updated to:
389-ds-base-1.4.3.28-7.module+el8.6.0+15293+4900ec12.x86_64
and,
ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
was updated to:
ipa-server-4.9.8-7.module+el8.6.0+14337+19b76db2.x86_64
This seems to have broken something in IPA: the Netapp filer is no longer able to resolve uid,uidNumber mappings for AD trust users (it still works for IPA users). The AD trust is still working, and IPA clients are able to resolve AD users through sssd and log them in (only the home directories are not working).
Directory server logs an entry like the following when the filer attempts to look up an AD trust user:

[21/Nov/2022:16:46:22.551318734 +1100] conn=14684 op=1 BIND dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain" method=128 version=3
[21/Nov/2022:16:46:22.552177201 +1100] conn=14684 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000044925 optime=0.000864628 etime=0.000908138 dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain"
[21/Nov/2022:16:46:22.554028669 +1100] conn=14684 op=2 SRCH base="dc=ipa,dc=localdomain" scope=2 filter="(&(objectClass=posixAccount)(uid=username@localdomain))" attrs="uid uidNumber gidNumber userPassword gecos homeDirectory loginShell"
[21/Nov/2022:16:46:22.554212462 +1100] conn=14684 op=2 RESULT err=0 tag=101 nentries=0 wtime=0.000072472 optime=0.000185686 etime=0.000256338
[21/Nov/2022:16:46:24.003556166 +1100] conn=14205 op=10 UNBIND
Any pointers appreciated!
Regards, Yanlish
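As an added diagnostic (not part of the original post), the script below parses 389-ds access-log lines of the kind quoted above, correlates each SRCH with its RESULT by (conn, op), and lists the searches made on connections bound as the filer's service account that succeeded (err=0) yet returned no entries. That isolates exactly the "lookup works but finds nothing" case the post describes, so you can compare the base and filter the filer uses for AD users with the ones that still succeed for IPA users. The sample log is the post's own lines re-joined onto one line each; the bind-DN substring is an assumption matching the post.

```python
import re

# Sample input: the access-log lines quoted in the post, one log entry per line.
SAMPLE_LOG = """\
[21/Nov/2022:16:46:22.551318734 +1100] conn=14684 op=1 BIND dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain" method=128 version=3
[21/Nov/2022:16:46:22.552177201 +1100] conn=14684 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000044925 optime=0.000864628 etime=0.000908138 dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain"
[21/Nov/2022:16:46:22.554028669 +1100] conn=14684 op=2 SRCH base="dc=ipa,dc=localdomain" scope=2 filter="(&(objectClass=posixAccount)(uid=username@localdomain))" attrs="uid uidNumber gidNumber userPassword gecos homeDirectory loginShell"
[21/Nov/2022:16:46:22.554212462 +1100] conn=14684 op=2 RESULT err=0 tag=101 nentries=0 wtime=0.000072472 optime=0.000185686 etime=0.000256338
[21/Nov/2022:16:46:24.003556166 +1100] conn=14205 op=10 UNBIND
"""

# "[timestamp] conn=N op=N KIND rest..."; op can be -1 for connection-level events.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>\w+)(?P<rest>.*)$')
# key=value pairs; values are either a double-quoted string (may contain '=' and spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one access-log line into timestamp, conn, op, kind and a dict of key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['fields'] = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return rec


def empty_searches(log_text, bind_dn_substring):
    """Return SRCH operations on connections bound as bind_dn_substring that ended with err=0 and nentries=0."""
    bound_conns = set()   # connections whose BIND dn matched
    pending = {}          # (conn, op) -> SRCH fields awaiting their RESULT
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key, f = (rec['conn'], rec['op']), rec['fields']
        if rec['kind'] == 'BIND' and bind_dn_substring in f.get('dn', ''):
            bound_conns.add(rec['conn'])
        elif rec['kind'] == 'SRCH':
            pending[key] = f
        elif rec['kind'] == 'RESULT' and key in pending and rec['conn'] in bound_conns:
            if f.get('err') == '0' and f.get('nentries') == '0':
                s = pending.pop(key)
                hits.append({'conn': rec['conn'], 'op': rec['op'], 'base': s.get('base'),
                             'scope': s.get('scope'), 'filter': s.get('filter'), 'etime': f.get('etime')})
    return hits


if __name__ == '__main__':
    for h in empty_searches(SAMPLE_LOG, 'netapp-ldap-bind'):
        print(f"conn={h['conn']} op={h['op']} base={h['base']} scope={h['scope']} filter={h['filter']} -> 0 entries")
```

To run it against a live server, read the instance's access log (by default /var/log/dirsrv/slapd-<INSTANCE>/access) instead of SAMPLE_LOG; a search that returns nentries=0 with err=0 means the bind and ACIs are fine and the entry simply is not found under that base with that filter.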