Hello everybody,
I am trying to override some UIDs and GIDs for AD users in IdM (I added all users for which I need to override attributes to the Default Trust View), and although everything works properly on both the IdM server and the replica, I cannot query the users on the IPA clients. Any other users (which are not part of the Default Trust View) are visible and their groups are displayed correctly on the IPA clients. So far, I have removed the cache on both the IPA server and client, restarted sssd, and removed /var/lib/sss/db/*, but with no success. I have enabled debugging as well for sss and nss, but found nothing relevant. The odd thing is that sometimes I could query some of the users for which an override was configured, but I do not know why (I tried to correlate it with the group membership, the number of groups the user is a member of, etc., but unsuccessfully). On the IPA clients the sssd version I use is 1.16.1, and on the IPA server the sssd version is 2.3.0. Can that make a difference or be the cause of the issue?
Any hint where I should look into would be really appreciated.
On Tue, May 11, 2021 at 02:28:49PM -0000, iulian roman via FreeIPA-users wrote:
> Hello everybody,
> I am trying to override some UIDs and GIDs for AD users in IdM (I added all users for which I need to override attributes to the Default Trust View), and although everything works properly on both the IdM server and the replica, I cannot query the users on the IPA clients. Any other users (which are not part of the Default Trust View) are visible and their groups are displayed correctly on the IPA clients. So far, I have removed the cache on both the IPA server and client, restarted sssd, and removed /var/lib/sss/db/*, but with no success. I have enabled debugging as well for sss and nss, but found nothing relevant. The odd thing is that sometimes I could query some of the users for which an override was configured, but I do not know why (I tried to correlate it with the group membership, the number of groups the user is a member of, etc., but unsuccessfully). On the IPA clients the sssd version I use is 1.16.1, and on the IPA server the sssd version is 2.3.0. Can that make a difference or be the cause of the issue?
Hi,
the typical reason for this behavior is a primary GID which cannot be resolved to a name. If you set the primary GID for a user in an id-override, this GID must belong to an existing group or must be the GID in a group id-override. If you call 'getent group GID' it must return a group.
HTH
bye, Sumit
> Any hint where I should look into would be really appreciated.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
That was a good hint! Actually, it does return the GID when I run getent group <group_name>. And after I run getent group <group_name> on the client side, I can run id <user_name> as well. So, only after I run getent group <group_name> on the IPA clients can I list the user attributes. Any idea what needs to be changed in order to have that working without that workaround (obviously I cannot do that for hundreds of users and thousands of clients)?
Iulian,
> So, only after I run getent group <group_name> on the IPA clients can I list the user attributes.
This sounds somewhat similar to behavior I ran into initially in our development deployment. For the users that aren't immediately able to be resolved on the clients, are they mapped to any IdM POSIX group via an external membership? For example: ad_user_group_external is mapped to ad_user_group as an external member?
HTH,
John DeSantis
On Tue, 11 May 2021 at 11:10, iulian roman via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> That was a good hint! Actually, it does return the GID when I run getent group <group_name>. And after I run getent group <group_name> on the client side, I can run id <user_name> as well. So, only after I run getent group <group_name> on the IPA clients can I list the user attributes. Any idea what needs to be changed in order to have that working without that workaround (obviously I cannot do that for hundreds of users and thousands of clients)?
Hi,
There is indeed a mapping of AD groups to IdM POSIX groups.

On Tuesday, May 11, 2021, 5:31 PM, John Desantis desantis@mail.usf.edu wrote:
> Iulian,
>
> > So, only after I run getent group <group_name> on the IPA clients can I list the user attributes.
>
> This sounds somewhat similar to behavior I ran into initially in our development deployment. For the users that aren't immediately able to be resolved on the clients, are they mapped to any IdM POSIX group via an external membership? For example: ad_user_group_external is mapped to ad_user_group as an external member?
>
> HTH,
> John DeSantis
>
> On Tue, 11 May 2021 at 11:10, iulian roman via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> > That was a good hint! Actually, it does return the GID when I run getent group <group_name>. And after I run getent group <group_name> on the client side, I can run id <user_name> as well. So, only after I run getent group <group_name> on the IPA clients can I list the user attributes. Any idea what needs to be changed in order to have that working without that workaround (obviously I cannot do that for hundreds of users and thousands of clients)?
On Tue, May 11, 2021 at 03:09:54PM -0000, iulian roman via FreeIPA-users wrote:
> That was a good hint! Actually, it does return the GID when I run getent group <group_name>. And after I run getent group <group_name> on the client side, I can run id <user_name> as well.
Hi,
can you give some more details about the group: does it come from IPA or AD, and is the GID the original GID of the group or does it come from an id-override as well?
bye, Sumit
> So, only after I run getent group <group_name> on the IPA clients can I list the user attributes. Any idea what needs to be changed in order to have that working without that workaround (obviously I cannot do that for hundreds of users and thousands of clients)?
> On Tue, May 11, 2021 at 03:09:54PM -0000, iulian roman via FreeIPA-users wrote:
> Hi,
> can you give some more details about the group: does it come from IPA or AD, and is the GID the original GID of the group or does it come from an id-override as well?
Hi,
There is a trust between IPA and AD (non-POSIX trust). All AD users which have a uidNumber and gidNumber configured in AD have been added to the 'Default Trust View' and an idoverride configured for them (the UID and GID override is the same as the one in AD). The same AD users configured above are also part of IPA POSIX groups via group membership (e.g. ad_unix_users is a member of the IPA unix_users group) in order to configure sudo rules for them. On the IPA servers and replicas I can query/list attributes for all users; on IPA clients I can list users (via the id <username> command) for which the UID/GID is overridden _only_ after I manually run getent group <default_user_gid>. For the users which do not have the UID and GID overridden it works correctly.
I do not know if the explanation is clear, but if you need more information, please let me know.
> bye, Sumit
On Wed, May 12, 2021 at 06:46:29AM -0000, iulian roman via FreeIPA-users wrote:
> > On Tue, May 11, 2021 at 03:09:54PM -0000, iulian roman via FreeIPA-users wrote:
> > Hi,
> > can you give some more details about the group: does it come from IPA or AD, and is the GID the original GID of the group or does it come from an id-override as well?
> Hi,
> There is a trust between IPA and AD (non-POSIX trust). All AD users which have a uidNumber and gidNumber configured in AD have been added to the 'Default Trust View' and an idoverride configured for them (the UID and GID override is the same as the one in AD). The same AD users configured above are also part of IPA POSIX groups via group membership (e.g. ad_unix_users is a member of the IPA unix_users group) in order to configure sudo rules for them. On the IPA servers and replicas I can query/list attributes for all users; on IPA clients I can list users (via the id <username> command) for which the UID/GID is overridden _only_ after I manually run getent group <default_user_gid>. For the users which do not have the UID and GID overridden it works correctly.
> I do not know if the explanation is clear, but if you need more information, please let me know.
Hi,
did you use the IPA 'unix_users' group as the primary group for those users and give the GID of 'unix_users' in the id-overrides for the users? Or did you use a different group as the primary group?
bye, Sumit
> > bye, Sumit
> On Wed, May 12, 2021 at 06:46:29AM -0000, iulian roman via FreeIPA-users wrote:
> Hi,
> did you use the IPA 'unix_users' group as the primary group for those users and give the GID of 'unix_users' in the id-overrides for the users? Or did you use a different group as the primary group?
No, unix_users is not the primary group. The primary group is the one from AD (gidNumber), which is overridden in the view.
> bye, Sumit
On Wed, May 12, 2021 at 11:25:38AM -0000, iulian roman via FreeIPA-users wrote:
> > On Wed, May 12, 2021 at 06:46:29AM -0000, iulian roman via FreeIPA-users wrote:
> > Hi,
> > did you use the IPA 'unix_users' group as the primary group for those users and give the GID of 'unix_users' in the id-overrides for the users? Or did you use a different group as the primary group?
> No, unix_users is not the primary group. The primary group is the one from AD (gidNumber), which is overridden in the view.
Hi,
can you check what are the results on the client if you call
getent group name_of_primary_group
and
getent group numeric_GID_of_primary_group
both with an empty cache, e.g. after calling:
systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; systemctl start sssd
bye, Sumit
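The check Sumit describes (a user's primary GID must resolve to a group name on the client, confirmed with getent against an empty cache) as an added example; this script is not from the thread and not part of FreeIPA or SSSD. The account names, UIDs and GIDs in the sample data are constructed, and the live mode simply runs the same getent lookups the thread uses for a list of users and reports which ones have an orphaned primary GID.

```shell
#!/bin/sh
# Added example, not from the thread: report users whose primary GID does not
# resolve to a group name, the condition under which an id-override user fails
# to resolve on IPA clients.

# Constructed sample data in `getent passwd` / `getent group` format. The
# accounts are hypothetical. alice's primary GID 10001 is a bare number with
# no group behind it; bob's primary GID 20000 belongs to unix_users.
SAMPLE_PASSWD='alice@ad.example:*:10001:10001:Alice:/home/alice:/bin/bash
bob@ad.example:*:10002:20000:Bob:/home/bob:/bin/bash'
SAMPLE_GROUP='unix_users:*:20000:alice@ad.example,bob@ad.example
ad_unix_users@ad.example:*:30000:'

# primary_gid_of USER PASSWD_DB: print the gidNumber of USER's entry, or nothing.
primary_gid_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4; exit }'
}

# group_name_for GID GROUP_DB: print the name of the group owning GID, or nothing.
group_name_for() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { print $1; exit }'
}

# check_user USER PASSWD_DB GROUP_DB
# Returns 0 when the primary GID has a name, 1 when it is orphaned, 2 when the
# user has no passwd entry at all.
check_user() {
    gid=$(primary_gid_of "$1" "$2")
    if [ -z "$gid" ]; then
        printf '%s: no passwd entry\n' "$1"
        return 2
    fi
    name=$(group_name_for "$gid" "$3")
    if [ -n "$name" ]; then
        printf '%s: primary GID %s -> %s\n' "$1" "$gid" "$name"
        return 0
    fi
    printf '%s: primary GID %s has no group name; the id-override will not resolve on clients\n' "$1" "$gid"
    return 1
}

# Live mode: `sh check_primary_gid.sh user1 user2 ...` queries the client's own
# NSS stack through getent, one user at a time. Clear the sssd cache first
# (systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; systemctl start sssd) so the
# result is what a fresh client sees, not what an earlier lookup left cached.
if [ $# -gt 0 ]; then
    rc=0
    for u in "$@"; do
        pw=$(getent passwd "$u")
        gid=$(printf '%s\n' "$pw" | awk -F: 'NF { print $4 }')
        grp=''
        [ -n "$gid" ] && grp=$(getent group "$gid")
        check_user "$u" "$pw" "$grp" || rc=1
    done
    exit "$rc"
fi
```

Running it with no arguments does nothing but define the functions, so it can be sourced and tried against the constructed data; with user names as arguments it exits non-zero if any user's primary GID has no name, which is the case to fix in the group id-overrides or in AD before expecting the user override to resolve.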
I think the very strange behaviour was due to the fact that I did not have a name for the GID in AD. As a workaround, I removed the GID from the override (and let IPA generate one). The interesting part was that getent did assign the username to the respective GID (therefore both getent group commands were successful). I do not know if there is another alternative apart from adding a name for all GIDs in Active Directory in order to have the GID override working properly (defining a POSIX group in IPA for the AD trust group does not work).
On Fri, May 14, 2021 at 04:03:11PM -0000, iulian roman via FreeIPA-users wrote:
> I think the very strange behaviour was due to the fact that I did not have a name for the GID in AD. As a workaround, I removed the GID from the override (and let IPA generate one). The interesting part was that getent did assign the username to the respective GID (therefore both getent group commands were successful).
Hi,
do you, by chance, use the same numerical value for UID and GID in the id-override for the user?
> I do not know if there is another alternative apart from adding a name for all GIDs in Active Directory in order to have the GID override working properly (defining a POSIX group in IPA for the AD trust group does not work).
Yes, this is currently expected, there must be a group with this GID or the GID is set in an id-override for a group.
HTH
bye, Sumit