On Thu, Nov 14, 2019 at 10:10:20AM -0500, John Desantis wrote:
> Jakub,
>
> > This is confusing because the enumerate word is overloaded :-)
>
> Ha! Agreed.
>
> > What is not supported and I guess won't be is "getent passwd" or "getent
> > group" to get all objects from AD.
>
> I definitely agree with not being able to get all objects from AD via
> `getent passwd` or `getent group`.
>
> > get AD members of an IPA group added through an external group, e.g.
> > "getent group ipagroup" should show both its IPA and AD group members.
>
> This is exactly what I'm referring to. On the IPA masters (which have
> their AD Trusts established), I can query an IPA group which has IPA
> and external members via `getent group blah` and see both IPA and AD
> users, as long as the following option is set within sssd.conf:
>
> ignore_group_members = FALSE
>
> But, on the IPA client nodes the only time that all group members will
> be shown is if:
>
> 1.) The users have previously logged into the node in question;
> 2.) The users have been queried via `id user` or `getent passwd user`
>
> Is the functionality in question only available for IPA masters?

It shouldn't be and I'm seeing the users also on a client. I don't remember if there was ever a bug in the client portion, I guess looking at the logs would be the next step.
