On Fri, 2016-06-10 at 15:34 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, lejeczek wrote:
> > On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> > > On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > > > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > > > hi everyone
> > > > >
> > > > > there is a master IPA which in some weird way puts AD users into
> > > > > its ldap catalog. I say weird cause there is no trust nor other sync
> > > > > established, there was a trust agreement, one way type, but now
> > > > > 'trust-find' shows nothing, that trust was removed.
> > > > >
> > > > > but still when I create a user @AD DS a second later I see it in
> > > > > IPA's ldap, eg.
> > > > >
> > > > > dn: [email protected],cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > > > >
> > > > > how to trace the culprit config responsible for this?
> > > >
> > > > Check the DN, this is not the IPA tree (cn=account), but the compat
> > > > tree (cn=compat) populated by the slapi-nis plugin. The intent is to
> > > > make the AD users available to non-SSSD clients that can only use LDAP
> > > > as an interface.
> > >
> > > Yes. If you enabled slapi-nis on IPA master but didn't establish actual
> > > trust to AD and instead added an SSSD configuration to look up AD users
> > > directly, then slapi-nis will happily ask SSSD for whatever users with @
> > > in the name were requested by the LDAP clients and SSSD would look them
> > > up in AD.
> > but would entries from AD wind up in IPA's ldap?
> > I'm poking around and still am puzzled, I believe I've enabled nis on a
> > replica but it's not doing it there, those AD users are not in IPA
> > replica ldap whereas they exist on the master.
> They wouldn't be in LDAP tree.
>
> cn=compat is purely virtual and is not replicated. The tree is populated
> on demand and if your replica is configured differently to the master
> w.r.t. AD trust or SSSD, you'll get different results.

so it's square one then, I forget IPA replicas for now, only master,
while I'm looking at
https://git.fedorahosted.org/cgit/slapi-nis.git/plain/doc/nis-getting-started.txt
before I use ipa-compat-manage (to disable to test) - where in ldap config
(or anywhere) does it say this plugin is on & working so I can be sure?
And flat configs for sssd & krb are virtually identical on both IPA master
& replica, I just copied those manually to be sure, replica still has no
AD users entries.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
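The question the last message asks ("where does the config say this plugin is on and working?") has a concrete answer in 389-ds terms: slapi-nis is a directory server plugin, so its on/off switch is the nsslapd-pluginEnabled attribute on the plugin's own entry under cn=plugins,cn=config, and because cn=compat is virtual and populated on demand, the "is it working?" check is a search against that tree rather than a look at stored data. The script below is an added example, not code from the thread or from the slapi-nis or FreeIPA projects. It assumes the plugin entry name cn=Schema Compatibility,cn=plugins,cn=config (the one FreeIPA uses), a Directory Manager bind on the master, and openldap-clients for ldapsearch; the two SAMPLE_* LDIF strings are constructed replies so the parsing helpers can run offline.

```shell
#!/bin/sh
# Added example (not from the thread): find the slapi-nis on/off switch in
# the 389-ds config and probe the virtual cn=compat tree for one AD user.
# Assumptions: plugin entry DN below (as configured by FreeIPA), Directory
# Manager bind, ldapsearch from openldap-clients. Sample LDIF is constructed.

PLUGIN_DN='cn=Schema Compatibility,cn=plugins,cn=config'

# The ldapsearch that reads the plugin's enabled flag from its config entry.
# This is the authoritative "is it on?" answer; ipa-compat-manage flips it.
plugin_status_cmd() {
    printf "ldapsearch -LLL -x -H ldap://localhost -D 'cn=Directory Manager' -W -b '%s' -s base nsslapd-pluginEnabled\n" "$PLUGIN_DN"
}

# The ldapsearch that asks the compat tree for one AD user by uid. Nothing is
# stored there: an entry comes back only if slapi-nis can resolve the name
# (through SSSD) at query time, so an empty result on a replica and a hit on
# the master means the two servers resolve AD names differently.
#   $1 = user@AD.DOMAIN   $2 = IPA suffix, e.g. dc=example,dc=test
compat_lookup_cmd() {
    printf "ldapsearch -LLL -x -H ldap://localhost -b 'cn=users,cn=compat,%s' '(uid=%s)' dn\n" "$2" "$1"
}

# Reduce the LDIF reply for the plugin entry (stdin) to on / off / unknown.
# Attribute names are matched case-insensitively, as LDAP treats them.
parse_plugin_enabled() {
    awk -F': ' '
        tolower($1) == "nsslapd-pluginenabled" { print tolower($2); found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Count entries (dn: lines) in an LDIF reply on stdin; 0 means the compat
# tree did not resolve the user. grep -c exits 1 on zero matches, so the
# "|| true" keeps the function's exit status clean while "0" is still printed.
count_compat_entries() {
    grep -c '^dn: ' || true
}

# Constructed sample replies (not captured from a real server).
SAMPLE_PLUGIN_LDIF='dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on'

SAMPLE_COMPAT_LDIF='dn: uid=jdoe@ad.example.test,cn=users,cn=compat,dc=example,dc=test'

# Stand-alone run: print the two commands to type on the master, then show
# the helpers working on the constructed replies.
plugin_status_cmd
compat_lookup_cmd 'jdoe@ad.example.test' 'dc=example,dc=test'
printf '%s\n' "$SAMPLE_PLUGIN_LDIF" | parse_plugin_enabled      # on
printf '%s\n' "$SAMPLE_COMPAT_LDIF" | count_compat_entries      # 1
```

Run the printed plugin_status_cmd on the master and on the replica and compare: "on" on both with a compat hit only on the master is consistent with what the thread describes, since the plugin being enabled is necessary but the tree content depends entirely on what SSSD on that host can resolve. The same flag is what ipa-compat-manage enable/disable toggles, so checking the attribute directly also confirms that tool did what you expected before and after a test.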
