Hi All. We have IPA set up in an AD trust to support our Linux fleet. User home directories are mounted from a NetApp filer (NFSv4 with krb5). The filer performs the uid <-> uidNumber mapping required by Kerberized NFSv4 via the IPA LDAP server.

This setup was working well until we patched our RHEL8 IPA servers last week. Specifically:

    389-ds-base-1.4.3.23-14.module+el8.5.0+14377+c731dc97.x86_64
  was updated to
    389-ds-base-1.4.3.28-7.module+el8.6.0+15293+4900ec12.x86_64

and

    ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
  was updated to
    ipa-server-4.9.8-7.module+el8.6.0+14337+19b76db2.x86_64

This seems to have broken something in IPA: the NetApp filer is no longer able to resolve uid/uidNumber mappings for AD trust users (it still works for IPA users). The AD trust is still working, and IPA clients are able to resolve AD users through sssd and log them in (only the home directories are not working).

Directory server logs entries like the following when the filer attempts to look up an AD trust user:

    [21/Nov/2022:16:46:22.551318734 +1100] conn=14684 op=1 BIND dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain" method=128 version=3
    [21/Nov/2022:16:46:22.552177201 +1100] conn=14684 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000044925 optime=0.000864628 etime=0.000908138 dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain"
    [21/Nov/2022:16:46:22.554028669 +1100] conn=14684 op=2 SRCH base="dc=ipa,dc=localdomain" scope=2 filter="(&(objectClass=posixAccount)(uid=username@localdomain))" <(&(objectClass=posixAccount)([email protected]))> attrs="uid uidNumber gidNumber userPassword gecos homeDirectory loginShell"
    [21/Nov/2022:16:46:22.554212462 +1100] conn=14684 op=2 RESULT err=0 tag=101 nentries=0 wtime=0.000072472 optime=0.000185686 etime=0.000256338
    [21/Nov/2022:16:46:24.003556166 +1100] conn=14205 op=10 UNBIND

Any pointers appreciated!

Regards,
Yanlish
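As an added example (not part of the poster's message or of any FreeIPA or NetApp code), a small Python reader for the 389-ds access-log layout quoted above: it pairs each SRCH with its RESULT on the same conn/op and reports the searches that came back with nentries=0, together with the DN that bound on that connection, so the filer's empty lookups can be pulled out of a full access log. The sample lines are constructed in that format with made-up op numbers and timings.

```python
import re

# Constructed sample in the 389-ds access-log layout quoted in the post
# (made-up op numbers and timings, not the poster's real log).
SAMPLE_LOG = """\
[21/Nov/2022:16:46:22.551318734 +1100] conn=14684 op=1 BIND dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain" method=128 version=3
[21/Nov/2022:16:46:22.552177201 +1100] conn=14684 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000044925 optime=0.000864628 etime=0.000908138 dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain"
[21/Nov/2022:16:46:22.554028669 +1100] conn=14684 op=2 SRCH base="dc=ipa,dc=localdomain" scope=2 filter="(&(objectClass=posixAccount)(uid=username@localdomain))" attrs="uid uidNumber gidNumber userPassword gecos homeDirectory loginShell"
[21/Nov/2022:16:46:22.554212462 +1100] conn=14684 op=2 RESULT err=0 tag=101 nentries=0 wtime=0.000072472 optime=0.000185686 etime=0.000256338
[21/Nov/2022:16:46:23.100000001 +1100] conn=14684 op=3 SRCH base="dc=ipa,dc=localdomain" scope=2 filter="(&(objectClass=posixAccount)(uid=ipauser))" attrs="uid uidNumber"
[21/Nov/2022:16:46:23.100200001 +1100] conn=14684 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000070000 optime=0.000180000 etime=0.000250000
[21/Nov/2022:16:46:24.003556166 +1100] conn=14684 op=10 UNBIND
"""

# "[ts] conn=N op=M <KIND> key=value ..." is the common prefix of every access-log line
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
# key="quoted value" or key=bare; quoted values (filters, DNs) may themselves contain '='
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def _fields(text):
    """Parse 'base="x" scope=2 nentries=0' into a dict, stripping the quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(text)}


def find_empty_searches(log_text):
    """Return each SRCH whose RESULT reported nentries=0, with the DN bound on that connection."""
    bind_dn = {}   # conn -> DN offered in the BIND on that connection
    pending = {}   # (conn, op) -> SRCH fields waiting for their RESULT line
    empty = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op = m['conn'], m['op']
        kind, _, tail = m['rest'].partition(' ')
        f = _fields(tail)
        if kind == 'BIND':
            bind_dn[conn] = f.get('dn', '')
        elif kind == 'SRCH':
            pending[(conn, op)] = f
        elif kind == 'RESULT' and (conn, op) in pending:  # RESULTs of BIND etc. are skipped
            srch = pending.pop((conn, op))
            if f.get('nentries') == '0':
                empty.append({'conn': conn, 'op': op, 'bind_dn': bind_dn.get(conn, ''),
                              'base': srch.get('base'), 'filter': srch.get('filter'),
                              'err': f.get('err')})
    return empty
```

Running `find_empty_searches` over the sample reports only op=2 (the AD user lookup); op=3, which returned one entry, is left out, so the output can be narrowed to one bind DN to see which names a given client fails to resolve.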
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
