Hi, I have 2 rhel8 servers here: one acting as IPA server with a trust to an AD domain that has posix attributes, the other one acting as IPA client to the first one.

The packages installed on the client:

    sssd-tools-2.0.0-43.el8_0.3.x86_64
    sssd-common-2.0.0-43.el8_0.3.x86_64
    libsss_sudo-2.0.0-43.el8_0.3.x86_64
    sssd-ad-2.0.0-43.el8_0.3.x86_64
    libsss_idmap-2.0.0-43.el8_0.3.x86_64
    sssd-client-2.0.0-43.el8_0.3.x86_64
    sssd-common-pac-2.0.0-43.el8_0.3.x86_64
    sssd-ldap-2.0.0-43.el8_0.3.x86_64
    sssd-2.0.0-43.el8_0.3.x86_64
    python3-sss-murmur-2.0.0-43.el8_0.3.x86_64
    python3-sss-2.0.0-43.el8_0.3.x86_64
    sssd-nfs-idmap-2.0.0-43.el8_0.3.x86_64
    libsss_nss_idmap-2.0.0-43.el8_0.3.x86_64
    sssd-krb5-common-2.0.0-43.el8_0.3.x86_64
    sssd-krb5-2.0.0-43.el8_0.3.x86_64
    sssd-ipa-2.0.0-43.el8_0.3.x86_64
    libsss_certmap-2.0.0-43.el8_0.3.x86_64
    python3-sssdconfig-2.0.0-43.el8_0.3.noarch
    libsss_autofs-2.0.0-43.el8_0.3.x86_64
    sssd-proxy-2.0.0-43.el8_0.3.x86_64
    sssd-kcm-2.0.0-43.el8_0.3.x86_64

The master config:

    [domain/my.unix.domain]
    id_provider = ipa
    ipa_server_mode = True
    ipa_server = ipaserver.my.unix.domain
    ipa_domain = my.unix.domain
    ipa_hostname = ipaserver.my.unix.domain.sys
    auth_provider = ipa
    chpass_provider = ipa
    access_provider = ipa
    cache_credentials = True
    ldap_tls_cacert = /etc/ipa/ca.crt
    krb5_store_password_if_offline = True
    #override_homedir = /home/%u
    subdomain_homedir = /home/%u
    debug_level = 10

    [sssd]
    services = nss, pam, ifp, ssh, sudo
    domains = my.unix.domain
    debug_level = 10

The slave config:

    [domain/my.unix.domain]
    debug_level=10
    id_provider = ipa
    ipa_server = _srv_, ipaserver.my.unix.domain
    ipa_domain = my.unix.domain
    ipa_hostname = ipaserver.my.unix.domain
    auth_provider = ipa
    chpass_provider = ipa
    access_provider = ipa
    cache_credentials = True
    ldap_tls_cacert = /etc/ipa/ca.crt
    krb5_store_password_if_offline = True
    #subdomain_enumerate = all

    [sssd]
    services = nss, pam, ssh, sudo
    domains = my.unix.domain
    debug_level=10

Now on the master I can resolve all AD groups/users that have posix attributes. But on the slave I have issues:

- It can't resolve users where the primary groupid doesn't exist (no issue on the master, apparently some known limitation?). The reason this is an issue seems to be that each user has his "own" private group as primary group configured in AD (the primary gid is the same as the uid). Anyway, I can work around this issue by defining the needed groups in Identity Management, I guess.

- I can't seem to get any group resolving to work. I don't expect to see the group members (no enumeration), but on a slave "getent group blabla@AD.DOMAIN" doesn't work at all, no AD groups are returned.

When I do the getent group command on the IPA client, I get this in the logs on the IPA server:

    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=blabla@ad.domain]
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=blabla))].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=blabla))][cn=Default Trust View,cn=views,cn=accounts,dc=my,dc=unix,dc=domain].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=blabla))].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=blabla)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=ad,dc=domain].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=blabla@ad.domain))
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=blabla@AD.DOMAIN]
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(krbPrincipalName=blabla@AD.DOMAIN)(mail=blabla@AD.DOMAIN)(krbPrincipalName=blabla\\@ad.dom...@my.unix.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=my,dc=unix,dc=domain].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(|(krbPrincipalName=blabla@AD.DOMAIN)(mail=blabla@AD.DOMAIN)(krbPrincipalName=blabla\\@ad.dom...@my.unix.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))(objectClass=ipaIDObject))][cn=trusts,dc=my,dc=unix,dc=domain].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=blabla@AD.DOMAIN))
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [blabla@AD.DOMAIN] found.
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=blabla@AD.DOMAIN]
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=blabla))].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=blabla))][cn=Default Trust View,cn=views,cn=accounts,dc=my,dc=unix,dc=domain].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=blabla))].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(userPrincipalName=blabla@AD.DOMAIN)(mail=blabla@AD.DOMAIN)(userPrincipalName=blabla\\@AD.DOMAIN@AD.DOMAIN))(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=ad,dc=domain].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=blabla@AD.DOMAIN))
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [blabla@AD.DOMAIN] found.
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=blabla@ad.domain]
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaGroupOverride)(cn=blabla))].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaGroupOverride)(cn=blabla))][cn=Default Trust View,cn=views,cn=accounts,dc=my,dc=unix,dc=domain].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaGroupOverride)(cn=blabla))].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=blabla)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=ad,dc=domain].
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_has_deref_support_ex] (0x0400): The server supports deref method ASQ
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_check_ad_group_type] (0x4000): AD group [] has type flags 0x80000002.
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_nested_group_hash_insert] (0x4000): Inserting [CN=blabla,OU=xxx,OU=xxx,DC=AD,DC=DOMAIN] into hash table [groups]
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_nested_group_process_send] (0x2000): About to process group [CN=blabla,OU=xxx,OU=xxx,DC=AD,DC=DOMAIN]

So it does search for the group (in the end), and finds it too; after which it starts looking for each member in the group. In the end it says this:

    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_process_ghost_members] (0x0400): The group has 23 members
    (Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_process_ghost_members] (0x0400): Group has 23 members

But apparently some issues exist with those members, since all are stored as "ghost members" and later on it returns no external members for the group. But the client returns the group to be unknown, not a group with 0 members.

If I set "ignore_group_members = true" on the IPA master, the client shows the group as expected. So maybe it is also related to the first issue of an unknown primary group for users (in this case members of the group)?

Maybe someone can shed some light on this?

With friendly regards,
Franky
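A trace like the one above is easier to read per request than per line. The parser below is an added example, not code from the post or from sssd: it assumes the line layout shown in the post (timestamp, backend, function, debug level, message), uses a constructed sample log in that shape, and groups the lines per data-provider request so the ID-view override miss, the AD search and the final sysdb miss of each lookup, plus the member count of the group lookup, can be read at a glance.

```python
import re

# Constructed sample in the shape of the sssd domain-log lines quoted in the post:
# one user lookup that misses in sysdb, then the group lookup that finds 23 members.
SAMPLE_LOG = """\
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=blabla@ad.domain]
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=blabla))].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=blabla)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=ad,dc=domain].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [blabla@AD.DOMAIN] found.
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=blabla@ad.domain]
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=blabla)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=ad,dc=domain].
(Mon Dec 2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_process_ghost_members] (0x0400): The group has 23 members
"""

# One sssd debug line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(r"^\([^)]*\) \[sssd\[be\[[^\]]*\]\]\] \[(?P<func>[^\]]*)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
REQ_RE = re.compile(r"Got request for \[0x[0-9a-f]+\]\[(?P<type>BE_REQ_\w+)\]\[name=(?P<name>[^\]]+)\]")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]\.$")
MEMBERS_RE = re.compile(r"The group has (?P<n>\d+) members")


def parse_lookups(text):
    """Split a domain log into data-provider requests; for each one collect the LDAP searches
    issued (base DN, filter), whether the override and sysdb UPN lookups missed, and the member count."""
    lookups = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "dp_get_account_info_send" and (r := REQ_RE.search(msg)):
            lookups.append({"type": r.group("type"), "name": r.group("name"), "searches": [],
                            "override_miss": False, "sysdb_miss": False, "members": None})
        elif not lookups:
            continue  # lines before the first request belong to no lookup
        elif func == "sdap_get_generic_ext_step" and (s := SEARCH_RE.search(msg)):
            lookups[-1]["searches"].append((s.group("base"), s.group("filter")))
        elif func == "ipa_get_ad_override_done" and "No override found" in msg:
            lookups[-1]["override_miss"] = True
        elif func == "sysdb_search_user_by_upn" and "No entry" in msg:
            lookups[-1]["sysdb_miss"] = True
        elif func == "sdap_process_ghost_members" and (g := MEMBERS_RE.search(msg)):
            lookups[-1]["members"] = int(g.group("n"))
    return lookups


def unresolved_names(lookups):
    """Names whose lookup ended in a sysdb miss, i.e. what getent on the client reports as unknown."""
    return [lk["name"] for lk in lookups if lk["sysdb_miss"]]
```

Run it over the real domain log of the IPA server (with debug_level high enough to include the 0x0400 and 0x4000 lines) and compare which lookups miss in sysdb before and after toggling ignore_group_members.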
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org