On Tue, 17 Jul 2018, Robert Sturrock via FreeIPA-users wrote:
> Hello.
> We are using FreeIPA primarily to connect our Linux fleet efficiently
> to our organisational AD and it’s working well in that capacity.
> However, we are investigating a number of different enterprise NAS
> solutions to provide (kerberized) NFSv4 file services to this fleet.
> We were hoping to integrate these NAS appliances with IPA by way of the
> compat tree, since they don’t offer native IPA providers.
> This works to a point, but I’ve noticed that the compat tree does not
> seem to enumerate *group membership* for the AD trust users.
> For example, when I look up one of my groups with an ldapsearch against
> one of the IPA masters I see:
>
> dn: cn=lcm-managedlinux@localdomain,cn=groups,cn=compat,dc=ipa,dc=localdomain
> objectClass: ipaOverrideTarget
> objectClass: posixGroup
> objectClass: ipaexternalgroup
> objectClass: top
> cn: lcm-managedlinux@localdomain
> gidNumber: 1388937688
> ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yMDc4Nzk1NTYxLTQyMzMwMDU2NTctMzI2MTkwNjQ2Mi0xMzc2ODg=
>
> I don’t see any ‘memberUid’ attributes, but would expect to see about 8 members.

Do you get those users from sssd?
E.g. 'getent group lcm-managedlinux@localdomain'?

> Is this expected behaviour, or is there some additional configuration
> needed to obtain this functionality?
> Some searching online brought up these references ('Enable compat tree
> to provide information about AD users and groups on trust agents’)
> - https://bugzilla.redhat.com/show_bug.cgi?id=1585020
> - https://pagure.io/freeipa/issue/7600
> These read very similarly to the behaviour we’re seeing.

Those bugs are about trust agents, not trust controllers. If you only
have this on trust controllers, you have a different bug, if any.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
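The check Alexander asks for, written up as an added example that is not part of this thread or of FreeIPA: parse the compat-tree entry quoted above (decoding the base64 ipaAnchorUUID, which carries the AD SID the group is mapped from) and diff its memberUid values against what sssd returns via getent. The getent line and its two member names are constructed for the example; the LDIF is the entry from the message.

```python
import base64
from typing import Dict, List

# Compat-tree entry exactly as quoted in the thread (no memberUid present).
COMPAT_LDIF = """\
dn: cn=lcm-managedlinux@localdomain,cn=groups,cn=compat,dc=ipa,dc=localdomain
objectClass: ipaOverrideTarget
objectClass: posixGroup
objectClass: ipaexternalgroup
objectClass: top
cn: lcm-managedlinux@localdomain
gidNumber: 1388937688
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yMDc4Nzk1NTYxLTQyMzMwMDU2NTctMzI2MTkwNjQ2Mi0xMzc2ODg=
"""
# Constructed 'getent group' output for the same group; member names are invented.
GETENT_LINE = "lcm-managedlinux@localdomain:*:1388937688:alice@localdomain,bob@localdomain"


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attr -> [values]; 'attr::' marks a base64 value."""
    attrs: Dict[str, List[str]] = {}
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    for line in lines:
        name, value = line.split(":", 1)
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def compare_membership(ldif: str, getent_line: str) -> dict:
    """Report members sssd resolves (getent) that the compat entry does not list."""
    entry = parse_ldif_entry(ldif)
    name, _pw, gid, members = getent_line.split(":", 3)
    sssd_members = set(filter(None, members.split(",")))
    compat_members = set(entry.get("memberUid", []))
    return {
        "group": name,
        "gid_matches": entry.get("gidNumber", [None])[0] == gid,
        "anchor": entry.get("ipaAnchorUUID", [None])[0],   # ':SID:S-1-5-21-...'
        "missing_from_compat": sorted(sssd_members - compat_members),
    }
```

On a live system, feed `ldapsearch -LLL -b cn=groups,cn=compat,... cn=<group>` and `getent group <group>` output into the two functions; a non-empty `missing_from_compat` is the symptom described in the thread.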