Hi,
We have an environment with mixed OSX and CentOS computers and IPA is working great for almost everything.
The only problem that we have (besides the known ones) is that an IPA user logged in to an OSX computer is not getting group information. Logged in to a CentOS machine, the `id` command shows all the groups assigned to the user, but running the same command on an OSX machine as the same user, the groups are different: mainly Apple groups and not our IPA groups. Has anyone had this problem?
So, because of this, ACL permissions on our NFS server are not working for OSX machines, but are working great for CentOS ones.
Thanks!
Luiz Garrido
Hi Luiz,
Would you please verify your settings in: System Preferences > Users & Groups > Login Options > Network Account Server > Directory Utility > Services > LDAP > Your LDAP server > Search & Mappings
There should be a Record Type called 'Groups' with an attribute 'PrimaryGroupID' that is mapped to 'gidNumber'.
On Mon, Jul 24, 2017 at 5:16 PM, Luiz Garrido ALKEMY X via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Luiz
Oh yes, I had this problem. But getting functionality on OS-X was not a simple matter. Do you have documentation on how you got there?
- grant
Our setup is really close to this how-to:
http://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12
Just a little different because this didn't exist when we did the configuration. But even if you follow that, users on Mac are not getting IPA groups, and without correct groups, ACLs are not working for those workstations.
Luiz
On 07/25/2017 10:36 AM, Grant Janssen wrote:
grant@ef-idm02:~[20170725-9:05][#56]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W mypa$$w0rD
FreeIPA servers:     ef-idm01   ef-idm02   STATE
=================================================
Active Users         45         45         OK
Stage Users          0          0          OK
Preserved Users      0          0          OK
User Groups          18         18         OK
Hosts                47         66         FAIL
Host Groups          4          4          OK
HBAC Rules           1          1          OK
SUDO Rules           3          3          OK
DNS Zones            ERROR      ERROR      OK
LDAP Conflicts       NO         NO         OK
Ghost Replicas       NO         NO         OK
Anonymous BIND       YES        YES        OK
Replication Status   ef-idm02 0   ef-idm01 18
=================================================
grant@ef-idm02:~[20170725-9:05][#57]$
How would one go about resolving this?
- grant
Any ideas on this? Everything appears to be in order, yet there is a disparity between the master and replica on the host count.
On Jul 25, 2017, at 09:11, Grant Janssen <Grant.Janssen@efilm.com> wrote:
Grant,
What's going on with DNS on these two hosts? Are they pointing to the same DNS server? Are there Kerberos and LDAP records?
mpapet
From: Grant Janssen via FreeIPA-users freeipa-users@lists.fedorahosted.org
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Justin Sheehy Justin.Sheehy@efilm.com; Douglas Loeb Douglas.Loeb@efilm.com; Grant Janssen Grant.Janssen@efilm.com
Sent: Monday, July 31, 2017 6:43 AM
Subject: [Freeipa-users] Re: I appear to have an issue with "hosts" on my replica
The resolv.conf is identical on both systems, DNS is solid. SRV records are functioning as expected. I looked at everything and, failing to find a resolution, sought advice here on the board. Now that these are out of sync, how would one manually initiate a sync? I haven't found this in the documentation.
- grant
Have you tried the replication management script? ipa-replica-manage(1): Manage IPA replica - Linux man page
From: Grant Janssen Grant.Janssen@efilm.com
To: Michael Papet mpapet@yahoo.com
Cc: FreeIPA users list freeipa-users@lists.fedorahosted.org; Justin Sheehy Justin.Sheehy@efilm.com; Douglas Loeb Douglas.Loeb@efilm.com
Sent: Tuesday, August 1, 2017 7:58 AM
Subject: Re: [Freeipa-users] Re: I appear to have an issue with "hosts" on my replica
Luiz,
Would you please run the below command from an OS X workstation's terminal to test look-up/caching of groups? If it displays a gid then we know the issue isn't LDAP mapping.
dscacheutil -q group -a name *yourGroupName*
On Tue, Jul 25, 2017 at 11:30 AM, Luiz Garrido ALKEMY X via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
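The two checks suggested in this thread (compare the group list `id` reports for the same IPA user on a CentOS client and on an OS X client, then use `dscacheutil -q group -a name` to tell a broken LDAP group mapping from some other cause), as an added shell example that is not from the thread or from the FreeIPA project. The user, group names, gids and dscacheutil records are constructed samples, and the record layout (`name:`, `password:`, `gid:`, `users:` lines) is assumed.

```shell
#!/bin/sh
# Added example (not code from the thread): encode the two checks the replies suggest.
# 1) Compare the groups an IPA user resolves on a CentOS client (`id -Gn <user>`,
#    the reference) with the groups the same user resolves on an OS X client.
# 2) For each group the Mac is missing, read a `dscacheutil -q group -a name <group>`
#    record: a gid means the LDAP mapping works and the fault is elsewhere; no record
#    means the 'Groups' -> gidNumber mapping in Directory Utility is the suspect.
# Every input below is a constructed sample; user, group names and gids are made up.

# Constructed `id -Gn luiz` output from the CentOS client: all IPA groups present.
CENTOS_GROUPS="ipausers editors nfs-projects"
# Constructed `id -Gn luiz` output from the OS X client: mostly Apple groups.
OSX_GROUPS="staff everyone localaccounts ipausers"
# Constructed dscacheutil record for nfs-projects on a Mac whose mapping works.
DSCACHE_NFS='name: nfs-projects
password: *
gid: 1234
users: luiz'
# Constructed result for editors on a Mac whose mapping is broken: no record at all.
DSCACHE_EDITORS=''

# missing_groups REFERENCE CLIENT -> one line per group in REFERENCE but not in CLIENT
missing_groups() {
    for g in $1; do
        found=0
        for c in $2; do
            if [ "$g" = "$c" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$g"; fi
    done
}

# gid_from_dscache RECORD -> the gid line's value, or nothing if the group did not resolve
gid_from_dscache() {
    printf '%s\n' "$1" | sed -n 's/^gid: *\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# diagnose RECORD -> "mapping-ok <gid>" or "not-resolved"
diagnose() {
    gid=$(gid_from_dscache "$1")
    if [ -n "$gid" ]; then printf 'mapping-ok %s\n' "$gid"; else printf 'not-resolved\n'; fi
}

# Stand-alone run: verdict for every group the Mac is missing.
for g in $(missing_groups "$CENTOS_GROUPS" "$OSX_GROUPS"); do
    case $g in nfs-projects) rec=$DSCACHE_NFS ;; *) rec=$DSCACHE_EDITORS ;; esac
    printf '%s: %s\n' "$g" "$(diagnose "$rec")"
done
```

On a real client, replace the constructed strings with the output of `id -Gn <user>` from each machine and of `dscacheutil -q group -a name <group>` on the Mac; a group that shows up as not-resolved is where to start checking the Directory Utility mapping.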