Querying for group membership in the compat tree within a trust
environment seems to be rather flaky:

      * userA and userB are members of admins@ad. admins@ad is member of
      * internet_access@ad is member of internet_access_external@ad
      * internet_access_external@ad is member of internet_access@ad
      * I restart ipa and clear sssd cache on the master to start with a
        clean compat tree
      * searching for (&(objectClass=posixGroup)(memberUid=userA@ad))
        returns that he is a member of internet_access@ipa (expected
      * searching for (&(objectClass=posixGroup)(memberUid=userB@ad))
        doesn't return him as a member of internet_access@ipa

If I restart ipa and clean sssd cache on the master and query first for
userB he gets the correct memberships, queries for subsequent users
(userA, userC) won't show if they are members of ipa groups.

IPA version is 3.3.3-28.el7 on Centos 7, AD is Server 2008.

Should I file a bug?

Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to