Hi,
I have 2 rhel8 servers here: one acting as IPA server with a trust to
an AD domain that has posix attributes, the other one acting as ipa
client to the first one.
The packages installed on the client:
sssd-tools-2.0.0-43.el8_0.3.x86_64
sssd-common-2.0.0-43.el8_0.3.x86_64
libsss_sudo-2.0.0-43.el8_0.3.x86_64
sssd-ad-2.0.0-43.el8_0.3.x86_64
libsss_idmap-2.0.0-43.el8_0.3.x86_64
sssd-client-2.0.0-43.el8_0.3.x86_64
sssd-common-pac-2.0.0-43.el8_0.3.x86_64
sssd-ldap-2.0.0-43.el8_0.3.x86_64
sssd-2.0.0-43.el8_0.3.x86_64
python3-sss-murmur-2.0.0-43.el8_0.3.x86_64
python3-sss-2.0.0-43.el8_0.3.x86_64
sssd-nfs-idmap-2.0.0-43.el8_0.3.x86_64
libsss_nss_idmap-2.0.0-43.el8_0.3.x86_64
sssd-krb5-common-2.0.0-43.el8_0.3.x86_64
sssd-krb5-2.0.0-43.el8_0.3.x86_64
sssd-ipa-2.0.0-43.el8_0.3.x86_64
libsss_certmap-2.0.0-43.el8_0.3.x86_64
python3-sssdconfig-2.0.0-43.el8_0.3.noarch
libsss_autofs-2.0.0-43.el8_0.3.x86_64
sssd-proxy-2.0.0-43.el8_0.3.x86_64
sssd-kcm-2.0.0-43.el8_0.3.x86_64
The master config:
[domain/my.unix.domain]
id_provider = ipa
ipa_server_mode = True
ipa_server = ipaserver.my.unix.domain
ipa_domain = my.unix.domain
ipa_hostname = ipaserver.my.unix.domain.sys
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
#override_homedir = /home/%u
subdomain_homedir = /home/%u
debug_level = 10
[sssd]
services = nss, pam, ifp, ssh, sudo
domains = my.unix.domain
debug_level = 10
The slave config:
[domain/my.unix.domain]
debug_level=10
id_provider = ipa
ipa_server = _srv_, ipaserver.my.unix.domain
ipa_domain = my.unix.domain
ipa_hostname = ipaserver.my.unix.domain
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
#subdomain_enumerate = all
[sssd]
services = nss, pam, ssh, sudo
domains = my.unix.domain
debug_level=10
Now on the master I can resolve all AD groups/users that have posix
attributes. But on the slave I have issues:
- it can't resolve users where the primary groupid doesn't exist (no
issue on the master; apparently some known limitation?). The reason
this is an issue seems to be that each user has his "own" private
group as primary group configured in AD (the primary gid is the same
as the uid). Anyway, I can work around this issue by defining the
needed groups in Identity Management, I guess.
- I can't seem to get any group resolution to work. I don't expect to
see the group members (no enumeration), but on a slave "getent group
blabla@AD.DOMAIN" doesn't work at all; no AD groups are returned.
When I do the getent group command on the IPA client, I get this in
the logs on the IPA server:
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[dp_get_account_info_send] (0x0200): Got request for
[0x1][BE_REQ_USER][name=blabla@ad.domain]
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[ipa_get_ad_override_connect_done] (0x4000): Searching for overrides
in view [Default Trust View] with filter
[(&(objectClass=ipaUserOverride)(uid=blabla))].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaUserOverride)(uid=blabla))][cn=Default Trust
View,cn=views,cn=accounts,dc=my,dc=unix,dc=domain].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[ipa_get_ad_override_done] (0x4000): No override found with filter
[(&(objectClass=ipaUserOverride)(uid=blabla))].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(sAMAccountName=blabla)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=ad,dc=domain].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sysdb_cache_search_groups] (0x2000): Search groups with filter:
(&(objectCategory=group)(ghost=blabla@ad.domain))
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[dp_get_account_info_send] (0x0200): Got request for
[0x1][BE_REQ_USER][name=blabla@AD.DOMAIN]
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(|(krbPrincipalName=blabla@AD.DOMAIN)(mail=blabla@AD.DOMAIN)(krbPrincipalName=blabla\\@AD.DOMAIN@MY.UNIX.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=my,dc=unix,dc=domain].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(&(|(krbPrincipalName=blabla@AD.DOMAIN)(mail=blabla@AD.DOMAIN)(krbPrincipalName=blabla\\@AD.DOMAIN@MY.UNIX.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))(objectClass=ipaIDObject))][cn=trusts,dc=my,dc=unix,dc=domain].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sysdb_cache_search_groups] (0x2000): Search groups with filter:
(&(objectCategory=group)(ghost=blabla@AD.DOMAIN))
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sysdb_search_user_by_upn] (0x0400): No entry with upn
[blabla@AD.DOMAIN] found.
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[dp_get_account_info_send] (0x0200): Got request for
[0x1][BE_REQ_USER][name=blabla@AD.DOMAIN]
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[ipa_get_ad_override_connect_done] (0x4000): Searching for overrides
in view [Default Trust View] with filter
[(&(objectClass=ipaUserOverride)(uid=blabla))].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaUserOverride)(uid=blabla))][cn=Default Trust
View,cn=views,cn=accounts,dc=my,dc=unix,dc=domain].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[ipa_get_ad_override_done] (0x4000): No override found with filter
[(&(objectClass=ipaUserOverride)(uid=blabla))].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(|(userPrincipalName=blabla@AD.DOMAIN)(mail=blabla@AD.DOMAIN)(userPrincipalName=blabla\\@AD.DOMAIN@AD.DOMAIN))(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=ad,dc=domain].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sysdb_cache_search_groups] (0x2000): Search groups with filter:
(&(objectCategory=group)(ghost=blabla@AD.DOMAIN))
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sysdb_search_user_by_upn] (0x0400): No entry with upn
[blabla@AD.DOMAIN] found.
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[dp_get_account_info_send] (0x0200): Got request for
[0x2][BE_REQ_GROUP][name=blabla@ad.domain]
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[ipa_get_ad_override_connect_done] (0x4000): Searching for overrides
in view [Default Trust View] with filter
[(&(objectClass=ipaGroupOverride)(cn=blabla))].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaGroupOverride)(cn=blabla))][cn=Default Trust
View,cn=views,cn=accounts,dc=my,dc=unix,dc=domain].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[ipa_get_ad_override_done] (0x4000): No override found with filter
[(&(objectClass=ipaGroupOverride)(cn=blabla))].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(sAMAccountName=blabla)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=ad,dc=domain].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_get_groups_process] (0x0400): Search for groups, returned 1
results.
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_has_deref_support_ex] (0x0400): The server supports deref method
ASQ
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_check_ad_group_type] (0x4000): AD group [] has type flags
0x80000002.
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_nested_group_hash_insert] (0x4000): Inserting
[CN=blabla,OU=xxx,OU=xxx,DC=AD,DC=DOMAIN] into hash table [groups]
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_nested_group_process_send] (0x2000): About to process group
[CN=blabla,OU=xxx,OU=xxx,DC=AD,DC=DOMAIN]
So it does search for the group (in the end), and finds it too; after
which it starts looking for each member in the group. In the end it
says this:
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_process_ghost_members] (0x0400): The group has 23 members
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]]
[sdap_process_ghost_members] (0x0400): Group has 23 members
But apparently some issues exist with those members, since all are
stored as "ghost members" and later on it returns no external members
for the group.
But the client reports the group as unknown, not as a group with 0
members.
If I set "ignore_group_members = true" on the IPA master, the client
shows the group as expected. So maybe it is also related to the first
issue of an unknown primary group for users (in this case members of
the group)?
Maybe someone can shed some light on this?
With friendly regards,
Franky
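A small triage helper for reading a backend log excerpt like the one above, added here as an example and not code from the original post or from SSSD itself: it groups the debug lines into one record per "Got request for" entry and reports what the override lookup, the LDAP searches and the member processing returned. It assumes the one-entry-per-line layout of a real sssd_<domain>.log (the lines in the mail are wrapped) and runs on a constructed sample modelled on the excerpt.

```python
# Added triage helper (not from the original post): groups SSSD backend debug
# lines into one record per dp_get_account_info_send request so one getent call
# reads as "which override/LDAP searches ran, what they returned, members left".
import re

LINE_RE = re.compile(r"^\([^)]*\) \[sssd\[be\[[^\]]+\]\]\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
REQ_RE = re.compile(r"Got request for \[0x[0-9a-f]+\]\[(?P<kind>BE_REQ_\w+)\]\[name=(?P<name>[^\]]+)\]")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]")
RETURNED_RE = re.compile(r"Search for (?P<what>\w+), returned (?P<n>\d+) results")
MEMBERS_RE = re.compile(r"[Gg]roup has (?P<n>\d+) members")
# Constructed sample modelled on the excerpt in the post; real logs keep one entry per line.
SAMPLE_LOG = """\
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=blabla@ad.domain]
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=blabla))].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=blabla)(objectclass=user))][dc=ad,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=blabla@ad.domain]
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaGroupOverride)(cn=blabla))].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=blabla)(objectClass=group))][dc=ad,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_process_ghost_members] (0x0400): The group has 23 members
"""

def parse_requests(lines):
    requests, cur = [], None          # one dict per backend request, in log order
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m: continue            # wrapped or unrelated line
        func, msg = m["func"], m["msg"]
        if func == "dp_get_account_info_send" and (r := REQ_RE.search(msg)):
            cur = {"kind": r["kind"], "name": r["name"], "override": None,
                   "searches": [], "returned": {}, "members": None}
            requests.append(cur)
        elif cur is None:
            continue                  # output before the first request
        elif func == "ipa_get_ad_override_done":
            cur["override"] = not msg.startswith("No override found")   # ID view hit?
        elif func == "sdap_get_generic_ext_step" and (s := SEARCH_RE.search(msg)):
            cur["searches"].append((s["filter"], s["base"]))          # (filter, base DN)
        elif (r := RETURNED_RE.search(msg)):
            cur["returned"][r["what"]] = int(r["n"])                  # e.g. {"groups": 1}
        elif func == "sdap_process_ghost_members" and (g := MEMBERS_RE.search(msg)):
            cur["members"] = int(g["n"])                              # members still to resolve
    return requests

def verdict(req):
    # One triage line per request: what ran and what came back.
    hits = sum(req["returned"].values())
    line = f'{req["kind"]} {req["name"]}: override_found={req["override"]}, {len(req["searches"])} ldap searches, {hits} results'
    if req["kind"] == "BE_REQ_GROUP" and hits and req["members"]:
        return line + f', {req["members"]} members still to resolve'
    return line + (", nothing found" if hits == 0 else "")
```

Run it over your own sssd_<domain>.log with `for r in parse_requests(open(path)): print(verdict(r))`; a group request that shows results but a non-zero member count is the point where member resolution (the ghost entries) should be inspected.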