On Tue, 23 Sep 2014, Loris Santamaria wrote:
Querying for group membership in the compat tree within a trust
environment seems to be rather flaky:

     * userA and userB are members of admins@ad. admins@ad is member of
     * internet_access@ad is member of internet_access_external@ad
     * internet_access_external@ad is member of internet_access@ad
     * I restart ipa and clear sssd cache on the master to start with a
       clean compat tree
     * searching for (&(objectClass=posixGroup)(memberUid=userA@ad))
       returns that he is a member of internet_access@ipa (expected
     * searching for (&(objectClass=posixGroup)(memberUid=userB@ad))
       doesn't return him as a member of internet_access@ipa
slapi-nis doesn't fully support the latter case yet, it is known issue,
though in the https://fedorahosted.org/freeipa/ticket/4403 it is
manifested a bit differently.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to