Hi,

I installed the latest ipa-server-4.2.0-15.el7_2.6.x86_64 with the slapi-nis plugin on RHEL 7.2, then installed and configured ipa-server-trust-ad-4.2.0-15.el7_2.6.x86_64 with the compat-schema option, and then successfully established a one-way trust with a Win2008R2 domain (named ad.dlink).

After that the following objects were created in AD:

groups:
  "linux [email protected]"
  "linux [email protected]"

users:
  "[email protected]" - member of "linux [email protected]"
  "[email protected]" - member of both "linux [email protected]" and "linux [email protected]" groups

On the IPA side I created the following groups and relations:

external member -> external ipa group -> posix ipa group
"linux [email protected]" -> "ad_la_ext" -> "ad_la"
"linux [email protected]" -> "ad_lu_ext" -> "ad_lu"

So "[email protected]", when logged in to an ipa-client, becomes a member of the "ad_lu" posix group, and "[email protected]" becomes a member of both the "ad_la" and "ad_lu" groups. That is working as intended for sssd 1.9+ clients but not for legacy clients.

Steps to reproduce:

1. Install RHEL5 (RHEL5.1 in my case, but I tried other 5.x releases also)
2. Run ipa-advise config-redhat-nss-ldap on the ipa trust-controller
3. Log in to RHEL5 as root and configure it with the shell script obtained in step 2
4. Reset the compat ldap cache by issuing "systemctl restart dirsrv.target" on the ipa-server (trust controller)
5. Print user identities (or just log in as the user) on the legacy client in the following order: [email protected] then [email protected]

[root@rhel51 ~]# id [email protected]
uid=1777801107([email protected]) gid=1777801107([email protected]) groups=1777801107([email protected]),120000003(ad_lu),1777801104(linux [email protected]),1777800513(domain [email protected]) context=root:system_r:unconfined_t:SystemLow-SystemHigh
[root@rhel51 ~]# id [email protected]
uid=1777801108([email protected]) gid=1777801108([email protected]) groups=1777801108([email protected]),120000003(ad_lu),1777801104(linux [email protected]),1777800513(domain [email protected]) context=root:system_r:unconfined_t:SystemLow-SystemHigh

As you can see, "[email protected]" is missing the "ad_la" and "linux [email protected]" group memberships!

Now reset the compat ldap cache with "systemctl restart dirsrv.target" again and print the identities on the legacy client in the opposite order: [email protected] then [email protected]

[root@rhel51 ~]# id [email protected]
uid=1777801108([email protected]) gid=1777801108([email protected]) groups=1777801108([email protected]),120000003(ad_lu),120000004(ad_la),1777801104(linux [email protected]),1777801105(linux [email protected]),1777800513(domain [email protected]) context=root:system_r:unconfined_t:SystemLow-SystemHigh
[root@rhel51 ~]# id [email protected]
uid=1777801107([email protected]) gid=1777801107([email protected]) groups=1777801107([email protected]),120000003(ad_lu),1777801104(linux [email protected]),1777800513(domain [email protected]) context=root:system_r:unconfined_t:SystemLow-SystemHigh

Voila, "[email protected]" is a member of the "ad_la" and "linux [email protected]" groups now!

So it seems the external member -> posix ipa group relations are cached for the first user who logged in (or ran the id command) on the legacy client after the compat-cache reset, and these relations are not updated on other users' logins.

Also it's interesting that 2 objects with the same dn but different objectClass, memberUid and ipaAnchorUUID can be found in the compat ldap after the first login or execution of id:

[root@idm1 ~]# ldapsearch -Wx -D "cn=Directory manager" -b "cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ad_lu, groups, compat, ipa.dlink
dn: cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink
objectClass: ipaOverrideTarget
objectClass: posixGroup
objectClass: top
gidNumber: 120000003
memberUid: [email protected]
memberUid: [email protected]
memberUid: [email protected]
memberUid: [email protected]
memberUid: admin
memberUid: [email protected]
memberUid: [email protected]
memberUid: [email protected]
memberUid: [email protected]
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yNjgxMjU4MTQxLTE0MzYzMzM2NTUtOTY0MTEzOTI0LT
 EwMDM=
cn: ad_lu

# ad_lu, groups, compat, ipa.dlink
dn: cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink
ipaAnchorUUID:: OklQQTppcGEuZGxpbms6ZGJhZDgyNDgtZDMxOS0xMWU1LTk0MTAtMDgwMDI3Yj
 E3NmNk
gidNumber: 120000003
memberUid: admin
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
cn: ad_lu

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

P.S. I use a CA-less setup with external DNS servers.

--
Vladimir Kondratyev

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
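The duplicate cn=ad_lu entries in the ldapsearch output above are the kind of inconsistency worth checking for automatically after a compat-tree reset. The following is an added example, not code from the original post or from FreeIPA: it parses ldapsearch LDIF output (folded continuation lines, "::" base64 values), decodes the ipaAnchorUUID anchors and lists every DN that appears more than once together with each copy's anchor and memberUid set. The sample LDIF is constructed from the two entries in the report; the memberUid names in it are made up.

```python
import base64
from collections import defaultdict

# Constructed sample, not the original output: the two cn=ad_lu entries from the
# report, ipaAnchorUUID folded the way ldapsearch prints it, member names made up.
SAMPLE_LDIF = """\
dn: cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink
gidNumber: 120000003
memberUid: admin
memberUid: user1@ad.dlink
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yNjgxMjU4MTQxLTE0MzYzMzM2NTUtOTY0MTEzOTI0LT
 EwMDM=
cn: ad_lu

dn: cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink
ipaAnchorUUID:: OklQQTppcGEuZGxpbms6ZGJhZDgyNDgtZDMxOS0xMWU1LTk0MTAtMDgwMDI3Yj
 E3NmNk
gidNumber: 120000003
memberUid: admin
cn: ad_lu
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]: unfolds leading-space continuation lines,
    skips '#' comments and dn-less trailer blocks, decodes 'attr:: base64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation of the previous line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, attrs = [], defaultdict(list)
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line:
            if "dn" in attrs:
                entries.append((attrs.pop("dn")[0], dict(attrs)))
            attrs = defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs[name].append(value.strip())
    return entries

def duplicate_dns(entries):
    """Map each DN seen more than once to the (ipaAnchorUUID, sorted memberUid)
    pair of every copy, so differing anchors and member sets show side by side."""
    by_dn = defaultdict(list)
    for dn, attrs in entries:
        anchor = attrs.get("ipaAnchorUUID", [""])[0]
        by_dn[dn.lower()].append((anchor, sorted(attrs.get("memberUid", []))))
    return {dn: copies for dn, copies in by_dn.items() if len(copies) > 1}
```

Feed it the output of ldapsearch against cn=groups,cn=compat on the trust controller before and after the reset; the decoded anchors make it obvious whether a copy is the AD-SID-anchored entry or the IPA-UUID-anchored one.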
