On Tue, 23 Sep 2014, Loris Santamaria wrote:
Querying for group membership in the compat tree within a trust environment seems to be rather flaky:* userA and userB are members of admins@ad. admins@ad is member of internet_access@ad * internet_access@ad is member of internet_access_external@ad * internet_access_external@ad is member of internet_access@ad * I restart ipa and clear sssd cache on the master to start with a clean compat tree * searching for (&(objectClass=posixGroup)(memberUid=userA@ad)) returns that he is a member of internet_access@ipa (expected result) * searching for (&(objectClass=posixGroup)(memberUid=userB@ad)) doesn't return him as a member of internet_access@ipa (unexpected)
slapi-nis doesn't fully support the latter case yet, it is known issue, though in the https://fedorahosted.org/freeipa/ticket/4403 it is manifested a bit differently. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
