Thanks Jakub and Justin,

It definitely is related to the wheel group. For a quick explanation, the
wheel group exists in AD with a gid of 10 so users who belong to that group
automatically have wheel/sudo perms on EL systems (we use posix attributes
in AD for all our users/groups).

The easy fix seems to have been to add a wheel group with gid 10 to the IPA
side, no group members. Now I get:
 uid=1587(steve.dain...@addomain.com) gid=1028(employ...@ipadomain.zone)
groups=1028(employ...@ipadomain.zone),10(wheel),1027(clus...@addomain.com
),1029(sys...@addomain.com),1041(confluence-administrat...@addomain.com
),1060(employees-vancou...@addomain.com),1086(dev...@addomain.com)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I got the idea from the RH IPA docs mentioning if a user has a primary
group in AD with a gid, the group must also exist in IPA albeit doesn't
need any members. If this step isn't completed some secondary group
memberships may not be resolved on the IPA side.

Its still a bit odd that the wheel group appears to be a client local wheel
group rather than @IPADOMAIN. The 'employees@IPADOMAIN' group listed above
is actually the primary gid in AD Unix attributes, and is defined in IPA
with the same gid but has no members. I'm guess this is because an EL host
/etc/group defines 'wheel' by default, but not 'employees'.

Once we get IPA into production I'll pull the wheel group out of AD and
keep it defined in IPA only.

Thanks,
Steve

On Thu, Oct 19, 2017 at 11:37 AM, Justin Stephenson via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On 10/19/2017 02:14 PM, Jakub Hrozek via FreeIPA-users wrote:
>
>> On Tue, Oct 17, 2017 at 02:21:07PM -0700, Steve Dainard via FreeIPA-users
>> wrote:
>>
>>> Hello,
>>>
>>> I've installed a 60 day 'self supported' trial of red hat idm on rhel7.
>>> I've created a cross-forest trust with an AD domain (2012R2) which
>>> already
>>> has posix attributes in ldap for users and groups.
>>>
>>> On my ipa server I can id/getent my AD user, and can SSH to the ipa
>>> server
>>> with my AD credentials/kerberos ticket.
>>> # id steve.dain...@addomain.com
>>> uid=1587(steve.dain...@addomain.com) gid=1028(employees)
>>> groups=1028(employees),1041(confluence-administrat...@addomain.com
>>> ),1060(employees-vancou...@addomain.com),10(wheel),1027(clus
>>> t...@addomain.com
>>> ),1086(dev...@addomain.com),1029(sys...@addomain.com)
>>>
>>> I installed Centos 7.4 and joined it to the realm but I'm having
>>> intermittent issues id'ing users. At first I couldn't id any AD user, but
>>> then I added a trusted domain ldap_search_base to the ipa servers
>>> sssd.conf:
>>>
>>> ldap_search_base = OU=Employees,OU=Users,OU=Accounts,DC=ADDOMAIN,DC=com
>>>
>>> This initially seemed to work intermittently, some users I could id and
>>> some I could not. I also noticed that the group membership of the users I
>>> could id was incomplete, notably I have an AD group 'wheel' with gid 10
>>> that shows on the ipa server side when I id my AD user, but didn't show
>>> on
>>> the client side.
>>>
>>> I decided to clear out the cache files manually and restart sssd on the
>>> client, and now I can't id my user, but I can id users outside of the
>>> ldap_search_base, specifically user accounts which are inactive and exist
>>> in a inactive-users OU ouside the ldap_search_base. Very confusing.
>>>
>>> The sssd server side seems to be iterating through all my AD users
>>> account
>>> names in the logs (debug_level = 10) and I don't feel comfortable posting
>>> logs with their complete names online..
>>>
>>>
>>> IPA server sssd.conf:
>>>
>>> [domain/IPADOMAIN.zone]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = IPADOMAIN.zone
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ipa_hostname = ipa001.IPADOMAIN.zone
>>> chpass_provider = ipa
>>> ipa_server = ipa001.IPADOMAIN.zone
>>> ipa_server_mode = True
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> debug_level = 10
>>>
>>> [sssd]
>>> services = sudo, nss, ifp, pam, ssh
>>> domains = IPADOMAIN.zone
>>> debug_level = 10
>>>
>>> [domain/IPADOMAIN.zone/ADDOMAIN.com]
>>> ldap_search_base = OU=Employees,OU=Users,OU=Accounts,DC=ADDOMAIN,DC=com
>>> debug_level = 10
>>>
>>> [nss]
>>> memcache_timeout = 600
>>> homedir_substring = /home
>>>
>>> [pam]
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> [pac]
>>>
>>> [ifp]
>>>
>>> [secrets]
>>>
>>>
>>>
>>>
>>> IPA client ssd.conf:
>>>
>>> [domain/IPADOMAIN.zone]
>>> cache_credentials = true
>>> krb5_store_password_if_offline = true
>>> ipa_domain = IPADOMAIN.zone
>>> id_provider = ipa
>>> auth_provider = ipa
>>> ipa_hostname = pearl-pavella.IPADOMAIN.zone
>>> chpass_provider = ipa
>>> access_provider = ipa
>>> ipa_server = _srv_, ipa001.IPADOMAIN.zone
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> debug_level = 10
>>>
>>> [sssd]
>>> services = nss, pam, sudo, ssh
>>> domains = IPADOMAIN.zone
>>> default_domain_suffix = ADDOMAIN.com
>>> debug_level = 10
>>>
>>> [nss]
>>> homedir_substring = /home
>>> entry_negative_timeout = 1
>>>
>>> [pam]
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> [pac]
>>>
>>>
>>> # id steve.dainard
>>> id: steve.dainard: no such user
>>>
>>> I've attached the client side sssd_ipadomain.zone.log file. Most
>>> interestingly I see my AD group memberships are at least listed in this
>>> log, but oddly the 'wheel' group is @ the ipadomain which should be the
>>> addomain. I don't have a wheel group on the ipa side, so this seems to be
>>> the groups list the ipa server resolved and it matches its local wheel
>>> group gid 10 which was passed along to the client:
>>>
>>
>> I think the local wheel group might be at least one the problems. The
>> piece that sends the group list to the client decides (based on how the
>> names are qualified, for now at least) which domain does the group
>> belong to. And since this is a local group, the output is not qualified,
>> which is then translated into the IPA domain on the client.
>>
>> But you also said, the wheel group should be in the AD domain, so I'm
>> not sure how does the AD group relate to the local wheel group after all?
>>
>
> I have seen similar issues which happen when very low POSIX gid numbers
> are assigned in AD causing a lookup conflict with local groups due to
> matching GID.
>
> I would suggest looking for any gidNumber=10 objects in AD and either
> change the gidNumber or remove the group membership from the affected user,
> it should be safe to avoid conflicts using id numbers greater than 1000.
>
> Kind regards,
> Justin Stephenson
>
>
>
>>
>>> (Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
>>> [ipa_s2n_get_user_done] (0x0400): Received [7] groups in group list from
>>> IPA Server
>>> (Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
>>> [ipa_s2n_get_user_done] (0x0400): [employ...@addomain.com].
>>> (Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
>>> [ipa_s2n_get_user_done] (0x0400): [dev...@addomain.com].
>>> (Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
>>> [ipa_s2n_get_user_done] (0x0400): [employees-vancou...@addomain.com].
>>> (Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
>>> [ipa_s2n_get_user_done] (0x0400): [wh...@ipadomain.zone].
>>> (Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
>>> [ipa_s2n_get_user_done] (0x0400): [confluence-administrators@add
>>> omain.com].
>>> (Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
>>> [ipa_s2n_get_user_done] (0x0400): [sys...@addomain.com].
>>> (Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
>>> [ipa_s2n_get_user_done] (0x0400): [clus...@addomain.com].
>>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedo
>> rahosted.org
>>
>> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to