Re: [Freeipa-users] Incomplete user identities on legacy clients

2016-02-19 Thread Alexander Bokovoy

On Fri, 19 Feb 2016, Vladimir Kondratyev wrote:

> Hi
> 
> I installed latest ipa-server-4.2.0-15.el7_2.6.x86_64 with slapi-nis
> plugin on RHEL7.2, then installed and configured
> ipa-server-trust-ad-4.2.0-15.el7_2.6.x86_64 with compat-schema option
> and then successfully established one-way trust with Win2008R2 domain
> (named ad.dlink)
> 
> After that following objects have been created in AD:
> 
> groups:
> "linux admins@ad.dlink"
> "linux users@ad.dlink"
> 
> users:
> "user2@ad.dlink" - member of "linux users@ad.dlink"
> "user3@ad.dlink" - member of both "linux users@ad.dlink" and "linux
> admins@ad.dlink" groups
> 
> On IPA side I created following groups and relations:
> 
> external member -> external ipa group -> posix ipa group
> "linux admins@ad.dlink" -> "ad_la_ext" -> "ad_la"
> "linux users@ad.dlink" -> "ad_lu_ext" -> "ad_lu"
> 
> So "user2@ad.dlink" being logged in to ipa-client becomes a member of
> "ad_lu" posix group and "user3@ad.dlink" becomes a member of both
> "ad_la" and "ad_lu" groups
> 
> That is working as intended for sssd1.9+ clients but not for legacy
> clients

Yes, there is a complex issue in SSSD and slapi-nis that prevents
AD members of IPA groups from being fully resolved for legacy clients.
A good thing is that it is now almost fixed and updates for sssd and
slapi-nis will appear in the next RHEL 7 update.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Incomplete user identities on legacy clients

2016-02-19 Thread Vladimir Kondratyev
Hi

I installed latest ipa-server-4.2.0-15.el7_2.6.x86_64 with slapi-nis plugin on
RHEL7.2, then installed and configured
ipa-server-trust-ad-4.2.0-15.el7_2.6.x86_64 with compat-schema option and then
successfully established one-way trust with Win2008R2 domain (named ad.dlink)

After that following objects have been created in AD:

groups:
"linux admins@ad.dlink"
"linux users@ad.dlink"

users:
"user2@ad.dlink" - member of "linux users@ad.dlink"
"user3@ad.dlink" - member of both "linux users@ad.dlink" and "linux 
admins@ad.dlink" groups

On IPA side I created following groups and relations:

external member -> external ipa group -> posix ipa group
"linux admins@ad.dlink" -> "ad_la_ext" -> "ad_la"
"linux users@ad.dlink" -> "ad_lu_ext" -> "ad_lu"

So "user2@ad.dlink" being logged in to ipa-client becomes a member of "ad_lu"
posix group and "user3@ad.dlink" becomes a member of both "ad_la" and "ad_lu"
groups

That is working as intended for sssd1.9+ clients but not for legacy clients

Steps to reproduce

1. Install RHEL5 (RHEL5.1 in my case but I tried other 5.x also)
2. Run ipa-advise config-redhat-nss-ldap on ipa trust-controller
3. log in to RHEL5 as root and configure it with the shell script obtained in step 2
4. reset compat ldap cache by issuing "systemctl restart dirsrv.target" on
ipa-server (trust controller)
5. print user identities (or just login as user) on legacy client in the following
order: user2@ad.dlink then user3@ad.dlink
[root@rhel51 ~]# id user2@ad.dlink
uid=1777801107(user2@ad.dlink) gid=1777801107(user2@ad.dlink) 
groups=1777801107(user2@ad.dlink),12003(ad_lu),1777801104(linux 
users@ad.dlink),1777800513(domain users@ad.dlink) 
context=root:system_r:unconfined_t:SystemLow-SystemHigh
[root@rhel51 ~]# id user3@ad.dlink
uid=1777801108(user3@ad.dlink) gid=1777801108(user3@ad.dlink) 
groups=1777801108(user3@ad.dlink),12003(ad_lu),1777801104(linux 
users@ad.dlink),1777800513(domain users@ad.dlink) 
context=root:system_r:unconfined_t:SystemLow-SystemHigh

As you can see "user3@ad.dlink" is missing "ad_la" and "linux admins@ad.dlink"
group membership!

Now reset compat ldap cache with "systemctl restart dirsrv.target" again and
print identities on legacy client in the opposite order: user3@ad.dlink then
user2@ad.dlink
[root@rhel51 ~]# id user3@ad.dlink
uid=1777801108(user3@ad.dlink) gid=1777801108(user3@ad.dlink) 
groups=1777801108(user3@ad.dlink),12003(ad_lu),12004(ad_la),1777801104(linux
 users@ad.dlink),1777801105(linux admins@ad.dlink),1777800513(domain 
users@ad.dlink) context=root:system_r:unconfined_t:SystemLow-SystemHigh
[root@rhel51 ~]# id user2@ad.dlink
uid=1777801107(user2@ad.dlink) gid=1777801107(user2@ad.dlink) 
groups=1777801107(user2@ad.dlink),12003(ad_lu),1777801104(linux 
users@ad.dlink),1777800513(domain users@ad.dlink) 
context=root:system_r:unconfined_t:SystemLow-SystemHigh

Voila, "user3@ad.dlink" is a member of the "ad_la" and "linux admins@ad.dlink"
groups now!

So it seems external member -> posix ipa group relations are cached for the first
user logged in (or for whom the id command was issued) on the legacy client after a
compat-cache reset, and these relations are not updated on other users' logins

Also it's interesting that 2 objects with the same dn but different objectClass,
memberUid and ipaAnchorUUID can be found in compat ldap after the first login or
execution of id

[root@idm1 ~]# ldapsearch -Wx -D "cn=Directory manager" -b 
"cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ad_lu, groups, compat, ipa.dlink
dn: cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink
objectClass: ipaOverrideTarget
objectClass: posixGroup
objectClass: top
gidNumber: 12003
memberUid: us...@child.ad.dlink
memberUid: us...@child.ad.dlink
memberUid: us...@child.ad.dlink
memberUid: us...@child.ad.dlink
memberUid: admin
memberUid: user4@ad.dlink
memberUid: us...@child.ad.dlink
memberUid: user2@ad.dlink
memberUid: user3@ad.dlink
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yNjgxMjU4MTQxLTE0MzYzMzM2NTUtOTY0MTEzOTI0LT
 EwMDM=
cn: ad_lu

# ad_lu, groups, compat, ipa.dlink
dn: cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink
ipaAnchorUUID:: OklQQTppcGEuZGxpbms6ZGJhZDgyNDgtZDMxOS0xMWU1LTk0MTAtMDgwMDI3Yj
 E3NmNk
gidNumber: 12003
memberUid: admin
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
cn: ad_lu

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

P.S. I use CA-less setup with external DNS servers

--
Vladimir Kondratyev
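A defender-side check for the two symptoms reported in this post: a user whose `id` output on the legacy client lacks groups it should resolve, and two entries with the same DN in the cn=compat tree whose memberUid sets disagree. This is an added example, not code from the thread or from the FreeIPA/slapi-nis projects. The sample `id` output and LDIF are constructed from the values quoted above (the LDIF is trimmed to the memberUid lines the archive did not elide); the function names and the list of expected groups are assumptions.

```python
"""Parse `id` output and a compat-tree LDIF dump to detect incomplete group
resolution on a legacy client (added example; sample data constructed from
the thread, memberUid values elided by the archive are omitted)."""
import base64
import re
from collections import defaultdict

# Constructed from the first `id user3@ad.dlink` run above, joined onto one line.
ID_USER3_FIRST_RUN = (
    "uid=1777801108(user3@ad.dlink) gid=1777801108(user3@ad.dlink) "
    "groups=1777801108(user3@ad.dlink),12003(ad_lu),1777801104(linux users@ad.dlink),"
    "1777800513(domain users@ad.dlink) context=root:system_r:unconfined_t:SystemLow-SystemHigh"
)

# Constructed from the ldapsearch output above (subset of memberUid values).
SAMPLE_LDIF = """\
# ad_lu, groups, compat, ipa.dlink
dn: cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink
objectClass: ipaOverrideTarget
objectClass: posixGroup
objectClass: top
gidNumber: 12003
memberUid: admin
memberUid: user2@ad.dlink
memberUid: user3@ad.dlink
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yNjgxMjU4MTQxLTE0MzYzMzM2NTUtOTY0MTEzOTI0LT
 EwMDM=
cn: ad_lu

# ad_lu, groups, compat, ipa.dlink
dn: cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink
ipaAnchorUUID:: OklQQTppcGEuZGxpbms6ZGJhZDgyNDgtZDMxOS0xMWU1LTk0MTAtMDgwMDI3Yj
 E3NmNk
gidNumber: 12003
memberUid: admin
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
cn: ad_lu
"""


def groups_from_id(output):
    """Group names from the groups= field of `id` output; names may contain spaces."""
    m = re.search(r"groups=(.*?)(?:\s+context=|$)", output)
    return set(re.findall(r"\d+\(([^)]*)\)", m.group(1))) if m else set()


def missing_groups(output, expected):
    """Expected groups that the client did not resolve for this user (sorted)."""
    return sorted(set(expected) - groups_from_id(output))


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, skips comments, returns one {attr: [values]} dict per entry."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # a folded line continues the previous one
        else:
            logical.append(raw)
    entries, attrs = [], None
    for line in logical + [""]:           # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if attrs is not None:
                entries.append(attrs)
            attrs = None
            continue
        if attrs is None:
            attrs = defaultdict(list)
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs[name].append(value)
    return entries


def duplicate_dn_report(text):
    """Map each DN that appears more than once to its decoded ipaAnchorUUID
    values and to the memberUid values on which the duplicates disagree."""
    by_dn = defaultdict(list)
    for e in parse_ldif(text):
        by_dn[e["dn"][0].lower()].append(e)
    report = {}
    for dn, es in by_dn.items():
        if len(es) < 2:
            continue
        member_sets = [set(e.get("memberUid", [])) for e in es]
        report[dn] = {
            # ':SID:...' anchors an object sourced from the trusted AD domain,
            # ':IPA:<realm>:<uuid>' one native to IPA
            "anchors": [e.get("ipaAnchorUUID", [""])[0] for e in es],
            "inconsistent_members": sorted(set.union(*member_sets) - set.intersection(*member_sets)),
        }
    return report


if __name__ == "__main__":
    print("missing for user3:", missing_groups(ID_USER3_FIRST_RUN, ["ad_la", "ad_lu", "linux admins@ad.dlink"]))
    for dn, info in duplicate_dn_report(SAMPLE_LDIF).items():
        print(dn, info)
```

Run against real data by piping `id user@domain` and `ldapsearch -x -b cn=groups,cn=compat,<base>` output into the two functions; a non-empty `missing_groups` result for a user who should be in a sudo-bearing group such as `ad_la` is the condition worth alerting on, since a later login may silently widen or narrow that user's group set.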
