On Sun, Feb 17, 2013 at 03:23:22PM -0500, Dmitri Pal wrote:

> 1) What versions you have?

Running RHEL 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64) and various
RHEL4, 5, 6 clients.

> 2) Do you need enumeration to be turned on?
> We recommend it off unless very specific use cases.

Maybe not. Am just used to having it on with the previous LDAP backend.
Turned it off now, and that hides the problem, as now getent group
$groupname lists no member :-)

> 
> 3) Can you turn on debug level on SSSD to 9 and search debug logs
> /var/log/sssd and see what happens to this group?
> I suspect it is either bug that might have been fixed or the group is
> filtered for some reason.

Whoha.. loglevel=9 gave quite a bit of output. This one looks
interesting:

        (Sun Feb 17 21:40:07 2013) [sssd[be[IPALDAP]]] [sdap_fill_memberships] 
(7):     member #2 (uid=emilb,cn=users,cn=accounts,dc=example,dc=net): not 
found!

But why it can't find him I don't understand:

[root@ldapm1 sssd]# ldapsearch -x -h ipa1.example.net -b 
uid=emilb,cn=users,cn=accounts,dc=example,dc=net
# extended LDIF
#
# LDAPv3
# base <uid=emilb,cn=users,cn=accounts,dc=example,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# emilb, users, accounts, example.net
dn: uid=emilb,cn=users,cn=accounts,dc=example,dc=net
krbLoginFailedCount: 1
krbLastFailedAuth: 20130217201648Z
cn: emilb
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: organizationalperson
objectClass: top
objectClass: inetorgperson
objectClass: person
objectClass: inetuser
objectClass: krbprincipalaux
objectClass: posixgroup
objectClass: posixaccount
loginShell: /bin/bash
uidNumber: 15567
gidNumber: 15567
gecos:: RW1pbCBCb3N0csO2bQ==
sn:: Qm9zdHLDtm0=
homeDirectory: /home/emilb
mail: emil.bost...@example.no
krbPrincipalName: em...@example.net
givenName: Emil
uid: emilb
ipaUniqueID: b340ce78-784a-11e2-9ee1-525400b94ff0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This user was migrated saturday, using:

        ipa migrate-ds --user-ignore-objectclass=ldapPublic Key 
--user-ignore-attribute=sshPublicKey --user-container=ou=People --group-cont 
ou=Groups ldap://sim1.example.net:389   --with-compat

I don't know what --with-compat does, but it migrate-ds seemed to require it 
this time. Earlier migrations hasn't needed it..


  -jf

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to