We have a large organization and a lot of groups so I've clipped the bits
that don't apply and changed the names of the actual groups for the
obvious reasons. groupb is a member of groupa, so everything appears to be
working correctly on that front.

dn: uid=markp,cn=users,cn=accounts,dc=test,dc=example
memberof: cn=groupb,cn=groups,cn=accounts,dc=text,dc=example
memberof: cn=groupa,cn=groups,cn=accounts,dc=test,dc=example

On Tue, May 19, 2020 at 9:36 AM Rob Crittenden <rcrit...@redhat.com> wrote:

> Alexander Bokovoy via FreeIPA-users wrote:
> > On ti, 19 touko 2020, Mark Potter via FreeIPA-users wrote:
> >> While I have seen similar posts to the list while digging through the
> >> archive, I cannot find this question specifically answered. We are coming
> >> from OpenLDAP and migrating to FreeIPA on CentOS 7.5. We are using indirect
> >> memberships to make this migration easier as we are moving from an
> >> organically grown OpenLDAP to a very structured FreeIPA implementation.
> >> What seems to be happening is that indirect memberships don't show using
> >> the standard Linux tools. Using either "id" or "groups" doesn't show any
> >> indirect memberships yet the permissions seem to still work properly. This
> >> is causing some confusion with our team.
> >>
> >> Group B is a member of Group A and the user is also a direct member of
> >> groups C and D. When using "id" for a given user it returns B, C, D and
> >> not A. However I can create a file owned by user root and group A with 550
> >> permissions and the user can view the contents of the file. "ipa user-show"
> >> shows the proper memberships with A being an indirect membership.
> >>
> >> Is this the expected behavior when using indirect memberships? If so, does
> >> one abandon the standard CLI tool and use only ipa commands? I am fully
> >> aware this could be a configuration issue but I have yet to find the
> >> correct configuration to expose indirect membership to the standard Linux
> >> tools.
> >
> > Can you give more concrete logs and examples? Are all of those A, B, C, D
> > groups POSIX groups, e.g. they have gidNumber assigned? I don't need to see
> > the whole entries for them but at least enough output of
> >
> > $ ipa group-show A --all --raw
> >
> > that shows 'member' for a user and indirect group membership, along with
> > 'objectclass' list and gidNumber. Same for B, C, D groups.
> >
> > Please also use the SSSD troubleshooting guide to generate debug logs that
> > show which groups the user actually belongs to during the request you did
> > (like 'id ..').
> >
> > https://sssd.github.io/docs/users/troubleshooting.html
> >
>
> Right, indirect is something that IPA calculates for displaying entries.
> I doubt SSSD sees or cares about that.
>
> I created a user as you described with direct membership to B, C and D
> and added B as a member of A. This is what the membership looks like in
> LDAP:
>
> # ldapsearch -Y GSSAPI -LLL -b
> uid=tuser1,cn=users,cn=accounts,dc=example,dc=test memberof
> SASL/GSSAPI authentication started
> SASL username: ad...@example.test
> SASL SSF: 256
> SASL data security layer installed.
> dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=test
> memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
> memberof: cn=b,cn=groups,cn=accounts,dc=example,dc=test
> memberof: cn=a,cn=groups,cn=accounts,dc=example,dc=test
> memberof: cn=c,cn=groups,cn=accounts,dc=example,dc=test
> memberof: cn=d,cn=groups,cn=accounts,dc=example,dc=test
>
> ipausers of course being a non-posix group.
>
> rob
>
>

-- 

*Mark Potter*
Senior Linux Administrator
DownUnder GeoSolutions
16200 Park Row Drive, Suite 100
Houston TX 77084, USA
tel +1 832 582 3221
ma...@dug.com
www.dug.com
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
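As an added offline diagnostic for the question in this thread (this is not code from the thread, from FreeIPA or from SSSD): the script below parses the `memberof` values from an `ldapsearch -LLL` fragment and splits them by whether `id -Gn` on the host also reports the group, which separates non-POSIX groups such as `ipausers` (which, as Rob notes, `id` will never show) from nested POSIX groups SSSD did not resolve. It also flags any `memberof` value whose `dc=` suffix differs from the user's own entry, which is cheap to rule out before digging into SSSD debug logs. The sample LDIF is the output Rob pasted in the quoted reply; the `id -Gn` output used in the offline run is constructed, and `groups_from_id` assumes a host where NSS is backed by SSSD.

```python
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed sample: the ldapsearch output Rob pasted in the quoted reply.
SAMPLE_LDIF = """\
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=test
memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=b,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=a,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=c,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=d,cn=groups,cn=accounts,dc=example,dc=test
"""

# Only the two attributes we care about; SASL chatter and blank lines are skipped.
ATTR_RE = re.compile(r"^(dn|memberof):\s*(.+?)\s*$", re.IGNORECASE)


def parse_entry(ldif: str) -> Tuple[str, List[str]]:
    """Pull the entry DN and every memberof value out of `ldapsearch -LLL` output."""
    dn, groups = "", []
    for line in ldif.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, value = m.group(1).lower(), m.group(2)
        if attr == "dn":
            dn = value
        else:
            groups.append(value)
    return dn, groups


def rdn_pairs(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=a,cn=groups,dc=x' into [('cn','a'), ('cn','groups'), ('dc','x')]."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def base_dn(dn: str) -> str:
    """Lower-cased dc=... suffix of a DN, so suffix mismatches are easy to spot."""
    return ",".join(f"{a}={v.lower()}" for a, v in rdn_pairs(dn) if a == "dc")


def group_cn(dn: str) -> str:
    """First cn= value of a group DN, which is the name `id` would print."""
    return next(v for a, v in rdn_pairs(dn) if a == "cn")


def foreign_memberof(ldif: str) -> List[str]:
    """Group CNs whose dc suffix differs from the user's own entry.

    Everything in one IPA domain shares a suffix, so a stray value here is a
    copy/paste or data problem to rule out before looking at SSSD."""
    dn, groups = parse_entry(ldif)
    user_base = base_dn(dn)
    return [group_cn(g) for g in groups if base_dn(g) != user_base]


def compare_with_id(ldif: str, id_groups: Set[str]) -> Dict[str, List[str]]:
    """Split the LDAP memberof list by whether `id -Gn` also reported the group.

    Names under 'not_in_id' are either non-POSIX groups (no gidNumber, like
    ipausers) or groups SSSD did not resolve for this user; both are worth
    checking with `ipa group-show <name> --all --raw`, as suggested above."""
    _, groups = parse_entry(ldif)
    report: Dict[str, List[str]] = {"ok": [], "not_in_id": []}
    for g in groups:
        cn = group_cn(g)
        report["ok" if cn in id_groups else "not_in_id"].append(cn)
    return report


def groups_from_id(user: str) -> Set[str]:
    """Group names from `id -Gn <user>` on the host being debugged (assumes SSSD/NSS)."""
    out = subprocess.run(["id", "-Gn", user], capture_output=True,
                         text=True, check=True).stdout
    return set(out.split())


if __name__ == "__main__":
    # Offline run: pretend `id -Gn tuser1` printed only the direct POSIX groups.
    print("foreign suffix:", foreign_memberof(SAMPLE_LDIF))
    print(compare_with_id(SAMPLE_LDIF, {"b", "c", "d"}))
    # On the real host: compare_with_id(ldif_text, groups_from_id("tuser1"))
```

In the offline run, `a` lands in `not_in_id` alongside `ipausers`; `ipausers` is expected there because it has no gidNumber, while a POSIX group in that bucket is exactly the case to take to the SSSD debug logs.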