Bug 1301901
| Summary: | [RFE] compat tree: show AD members of IPA groups | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> | ||||
| Component: | ipa | Assignee: | Alexander Bokovoy <abokovoy> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> | ||||
| Severity: | urgent | Docs Contact: | |||||
| Priority: | urgent | ||||||
| Version: | 7.3 | CC: | abokovoy, bobby.prins, dpal, ekeck, enewland, jbaird, jcholast, ksiddiqu, mkosek, mvarun, nsoman, pvoborni, rcritten, wdh | ||||
| Target Milestone: | rc | Keywords: | FutureFeature, ZStream | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | ipa-4.2.0-16.el7 | Doc Type: | Enhancement | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | 1138797 | ||||||
| : | 1311502 (view as bug list) | Environment: | |||||
| Last Closed: | 2016-11-04 05:50:45 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1138797 | ||||||
| Bug Blocks: | 1298288, 1311502 | ||||||
| Attachments: |
|
||||||
|
Description
Martin Kosek
2016-01-26 10:14:58 UTC
This RFE is about an update to slapi-nis configuration, managed by IdM Server. Alexander would provide the slapi-nis configuration update, as required by Bug 1138797. Created attachment 1129855 [details] Upstream patch Fixed upstream, but the patch was not pushed yet: https://www.redhat.com/archives/freeipa-devel/2016-February/msg00163.html Sorry, Jan, but for the purpose of this release please use slapi-nis >= 0.54-7. No need to apologize, I already know that. The attached patch is the upstream patch, as the description says. Fixed upstream ipa-4-3: https://fedorahosted.org/freeipa/changeset/eb187e9a26d9baf597f7e5230c01c0084685e061 https://fedorahosted.org/freeipa/changeset/5e2c6b0f630300e20c11595e67c61e7eb3982aae master: https://fedorahosted.org/freeipa/changeset/1353847e49a1cde078bb9b432cc43959b7a3ce46 https://fedorahosted.org/freeipa/changeset/271086ebdd10b2229534220d830d1cbd5af6a352 ipa-4-2: https://fedorahosted.org/freeipa/changeset/fea62ea71ec9a614f17888f26f67bd2bca425532 https://fedorahosted.org/freeipa/changeset/dbea05e1578e2d6d80940f1d4289ecd98a0593ab Verified
[root@host108 ~]# rpm -qa ipa-server sssd
ipa-server-4.4.0-7.el7.x86_64
sssd-1.14.0-18.el7.x86_64
1.Created Global Security Group added members from parent domain.
[root@host108 ~]# getent group adgroup1
adgroup1:*:175001105:aduser1,aduser2
2. Created Universal Security Group and added members from parent
[root@host108 ~]# getent group adunigroup1
adunigroup1:*:175001107:aduser1,aduser3,aduser1.test
3. Created Global Security Group added members from child domain.
[root@host108 ~]# getent group adgroup2.test
adgroup2.test:*:1393601108:aduser1.test,aduser0.test
4. Created Universal Security Group and added members from child domain.
[root@host108 ~]# getent group adunigroup2.test
adunigroup2.test:*:1393603033:aduser0.test,aduser2.test,aduser3
5. After removing user from group, found that getent group is also updated.
a)After removing aduser1.test from adunigroup1 group
[root@host108 ~]# getent group adunigroup1
adunigroup1:*:175001107:aduser1,aduser3
b)After removing aduser3 from adunigroup2.test group
[root@host108 ~]# getent group adunigroup2.test
adunigroup2.test:*:1393603033:aduser0.test,aduser2.test
[root@host108 ~]#
6. External Group
[root@host108 ~]# ipa group-add --external ext_ad_administrators --desc "IPAAD2008R2.TEST\Administrators"
-----------------------------------
Added group "ext_ad_administrators"
-----------------------------------
Group name: ext_ad_administrators
Description: IPAAD2008R2.TEST\Administrators
[root@host108 ~]# ipa group-add-member ext_ad_administrators --external "IPAAD2008R2\Domain Admins"
[member user]:
[member group]:
Group name: ext_ad_administrators
Description: IPAAD2008R2.TEST\Administrators
External member: S-1-5-21-1765444267-4284514389-3232425237-512
-------------------------
Number of members added 1
-------------------------
[root@host108 ~]# ipa group-add ad_administrators
-------------------------------
Added group "ad_administrators"
-------------------------------
Group name: ad_administrators
GID: 1657800007
[root@host108 ~]# ipa group-add-member ad_administrators --group ext_ad_administrators
Group name: ad_administrators
GID: 1657800007
Member groups: ext_ad_administrators
-------------------------
Number of members added 1
-------------------------
[root@host108 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@host108 ~]# getent group ad_administrators
ad_administrators:*:1657800007:administrator
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html |