On Wed, Jan 27, 2016 at 10:29:06PM +0100, Bolke de Bruin wrote: > > > Op 27 jan. 2016, om 22:25 heeft Jakub Hrozek <jhro...@redhat.com> het > > volgende geschreven: > > > > > >> On 27 Jan 2016, at 17:50, Bolke de Bruin <bdbr...@gmail.com> wrote: > >> > >>> > >>> Op 27 jan. 2016, om 17:46 heeft Jakub Hrozek <jhro...@redhat.com> het > >>> volgende geschreven: > >>> > >>> On Wed, Jan 27, 2016 at 05:42:02PM +0100, Bolke de Bruin wrote: > >>>> Hello, > >>>> > >>>> I have sssd 1.13.00 working against FreeIPA 4.2 domain. This domain has > >>>> a trust relationship with a active directory domain. > >>>> > >>>> One of the systems we are using requires to enumerate all users in > >>>> groups by (unfortunate) design (Apache Ranger). This is done by using > >>>> “getent group”. During this enumeration the full user list for a group > >>>> that has a nested external member group* is not always returned so we > >>>> thought to > >>>> add “getent group mygroup” in order to get more details. Unfortunately > >>>> this does not seem to work consistently: sometimes this gives > >>>> information sometimes it does not: > >>>> > >>>> [root@master centos]# getent group ad_users > >>>> ad_users:*:1950000004: > >>>> > >>>> [root@master centos]# id bolke@ad.local > >>>> UID=1796201107(bolke@ad.local) GID=1796201107(bolke@ad.local) > >>>> groepen=1796201107(bolke@ad.local),1796200513(domain > >>>> users@ad.local),1796201108(test@ad.local) > >>>> > >>>> [root@master centos]# getent group ad_users > >>>> ad_users:*:1950000004:bolke@ad.local <mailto:bolke@ad.local> > >>>> > >>>> If I clear the cache (sss_cache -E) the entry is gone again: > >>>> > >>>> [root@master centos]# getent group ad_users > >>>> ad_users:*:1950000004: > >>>> > >>>> My question is how do I get sssd to enumerate *all users* in a group > >>>> consistently? > >>>> > >>>> Thanks! > >>>> Bolke > >>> > >>> ad_users is an IPA group that contains an IPA external group that > >>> contains the users, right? > >> > >> Correct. > >> > >>> > >>> If so, then you're hitting: > >>> https://fedorahosted.org/sssd/ticket/2522 > >>> I've been working on fixing this lately and have some patches, would you > >>> like to test them? > >> > >> Sure. I would prefer RPMs (this is on RHEL 6 and 7) but I can compile if > >> required. > >> > >> > > > > This issue must be fixed with sssd on the IPA server itself. Please send me > > your exact sssd version (rpm -q output) and I'll build you a test package > > tomorrow.. > > > > rpm -qa sssd* > sssd-common-pac-1.13.0-40.el7_2.1.x86_64 > sssd-krb5-1.13.0-40.el7_2.1.x86_64 > sssd-client-1.13.0-40.el7_2.1.x86_64 > sssd-krb5-common-1.13.0-40.el7_2.1.x86_64 > sssd-ipa-1.13.0-40.el7_2.1.x86_64 > sssd-ldap-1.13.0-40.el7_2.1.x86_64 > sssd-proxy-1.13.0-40.el7_2.1.x86_64 > sssd-common-1.13.0-40.el7_2.1.x86_64 > sssd-ad-1.13.0-40.el7_2.1.x86_64 > sssd-1.13.0-40.el7_2.1.x86_64 > > > To confirm: Is the idea behind your patches that it will enumerate users in > groups that have not logged before? Ie. I have no means to determine which > users are in a group on the sssd/ipa side.
Hello Bolke, please try these builds: https://jhrozek.fedorapeople.org/sssd-test-builds/sssd-7.2-external-groups/ These do resolve the AD members via an IPA group for me: # rm -f /var/lib/sss/db/cache_ipa.test.ldb # systemctl start sssd.service # getent group l_idm_admin l_idm_admin:*:1190000005:administra...@win.trust.test,pku...@win.trust.test The groups are defined like this: # ipa group-show l_idm_admin Group name: l_idm_admin GID: 1190000005 Member groups: l_idm_admin_external # ipa group-show l_idm_admin_external Group name: l_idm_admin_external Member of groups: l_idm_admin External member: extgr...@win.trust.test, administra...@win.trust.test (So the code even crawls the AD group and unrolls the pkuser from there) _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
