Hello.
We are using FreeIPA primarily to connect our Linux fleet efficiently to our
organisational AD and it’s working well in that capacity.
However, we are investigating a number of different enterprise NAS solutions to provide
(kerberized) NFSv4 file services to this fleet. We were hoping to integrate these NAS
appliances with IPA by way of the compat tree, since they don’t offer native IPA
providers.
This works to a point, but I’ve noticed that the compat tree does not seem to enumerate
*group membership* for the AD trust users.
For example, when I look up one of my groups with an ldapsearch against one of the IPA
masters I see:
dn: cn=lcm-managedlinux@localdomain,cn=groups,cn=compat,dc=ipa,dc=localdomain
objectClass: ipaOverrideTarget
objectClass: posixGroup
objectClass: ipaexternalgroup
objectClass: top
cn: lcm-managedlinux@localdomain
gidNumber: 1388937688
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yMDc4Nzk1NTYxLTQyMzMwMDU2NTctMzI2MTkwNjQ2Mi0xMzc2ODg=
I don’t see any ‘memberUid’ attributes, but would expect to see about 8 members.
Is this expected behaviour, or is there some additional configuration needed to obtain
this functionality?
Some searching online brought up these references ('Enable compat tree to provide
information about AD users and groups on trust agents'):
- https://bugzilla.redhat.com/show_bug.cgi?id=1585020
- https://pagure.io/freeipa/issue/7600
These read very similarly to the behaviour we’re seeing.
Regards,
Robert.
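As an added example, not part of Robert's post or of the FreeIPA project, here is a small audit script that parses an LDIF dump of cn=groups,cn=compat (such as the ldapsearch output above) and reports, per posixGroup, whether the entry is an AD trust group and how many memberUid values it carries. The base64-encoded ipaAnchorUUID is decoded so the SID becomes visible; the first sample entry is the one quoted in the post, the second (cn=localadmins, with two members) is a constructed IPA-native group used for contrast. The assumption that a trust group's anchor starts with ":SID:" while native entries use a different prefix is what the page's decoded value shows and is marked as such in the code.

```python
import base64
from typing import Dict, List

# Constructed sample LDIF. Entry 1 is the compat-tree group quoted in the post
# (ipaAnchorUUID folded across two lines, as LDIF allows); entry 2 is a
# made-up IPA-native group that does carry memberUid attributes.
SAMPLE_LDIF = """\
dn: cn=lcm-managedlinux@localdomain,cn=groups,cn=compat,dc=ipa,dc=localdomain
objectClass: ipaOverrideTarget
objectClass: posixGroup
objectClass: ipaexternalgroup
objectClass: top
cn: lcm-managedlinux@localdomain
gidNumber: 1388937688
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yMDc4Nzk1NTYxLTQyMzMwMDU2NTct
 MzI2MTkwNjQ2Mi0xMzc2ODg=

dn: cn=localadmins,cn=groups,cn=compat,dc=ipa,dc=localdomain
objectClass: posixGroup
objectClass: top
cn: localadmins
gidNumber: 1388900001
memberUid: alice
memberUid: bob
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse a simple LDIF dump into a list of {attribute: [values]} dicts.

    Handles folded lines (continuation lines start with a single space) and
    base64 values (attribute name followed by '::').
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # join continuation onto previous line
        else:
            unfolded.append(line)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():              # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_compat_groups(entries: List[Dict[str, List[str]]]) -> List[Dict[str, object]]:
    """For every posixGroup entry, report anchor type and memberUid count.

    Assumption (consistent with the decoded anchor in the post): AD trust
    objects carry an ipaAnchorUUID beginning with ':SID:'. A trust group with
    zero memberUid values is flagged, since NFSv4 / NAS consumers of the compat
    tree will see an empty group.
    """
    findings = []
    for e in entries:
        if "posixGroup" not in e.get("objectClass", []):
            continue
        anchor = e.get("ipaAnchorUUID", [""])[0]
        is_trust_group = anchor.startswith(":SID:")
        members = e.get("memberUid", [])
        findings.append({
            "cn": e["cn"][0],
            "gidNumber": int(e["gidNumber"][0]),
            "anchor": anchor,
            "trust_group": is_trust_group,
            "member_count": len(members),
            "missing_members": is_trust_group and not members,
        })
    return findings


if __name__ == "__main__":
    for f in audit_compat_groups(parse_ldif(SAMPLE_LDIF)):
        status = "NO MEMBERS ENUMERATED" if f["missing_members"] else "ok"
        print(f"{f['cn']:<40} gid={f['gidNumber']} trust={f['trust_group']} "
              f"members={f['member_count']} [{status}]")
```

To run it against a live server, replace SAMPLE_LDIF with the output of an ldapsearch over cn=groups,cn=compat,dc=...; any trust group reported as NO MEMBERS ENUMERATED is exhibiting exactly the behaviour described above.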