Red Hat Bugzilla – Bug 1301901
[RFE] compat tree: show AD members of IPA groups
Last modified: 2016-11-04 01:50:45 EDT
+++ This bug was initially created as a clone of Bug #1138797 +++ This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/4403 Currently in an environment with trust to AD the compat tree does not show AD users as members of IPA groups. The reason is that IPA groups are read directly from the IPA DS tree and external groups are not handled.
This RFE is about an update to slapi-nis configuration, managed by IdM Server.
Alexander would provide the slapi-nis configuration update, as required by Bug 1138797.
Created attachment 1129855 [details] Upstream patch Fixed upstream, but the patch was not pushed yet: https://www.redhat.com/archives/freeipa-devel/2016-February/msg00163.html
Sorry, Jan, but for the purpose of this release please use slapi-nis >= 0.54-7.
No need to apologize, I already know that. The attached patch is the upstream patch, as the description says.
Fixed upstream ipa-4-3: https://fedorahosted.org/freeipa/changeset/eb187e9a26d9baf597f7e5230c01c0084685e061 https://fedorahosted.org/freeipa/changeset/5e2c6b0f630300e20c11595e67c61e7eb3982aae master: https://fedorahosted.org/freeipa/changeset/1353847e49a1cde078bb9b432cc43959b7a3ce46 https://fedorahosted.org/freeipa/changeset/271086ebdd10b2229534220d830d1cbd5af6a352 ipa-4-2: https://fedorahosted.org/freeipa/changeset/fea62ea71ec9a614f17888f26f67bd2bca425532 https://fedorahosted.org/freeipa/changeset/dbea05e1578e2d6d80940f1d4289ecd98a0593ab
Verified [root@host108 ~]# rpm -qa ipa-server sssd ipa-server-4.4.0-7.el7.x86_64 sssd-1.14.0-18.el7.x86_64 1.Created Global Security Group added members from parent domain. [root@host108 ~]# getent group adgroup1@ipaad2008r2.test adgroup1@ipaad2008r2.test:*:175001105:aduser1@ipaad2008r2.test,aduser2@ipaad2008r2.test 2. Created Universal Security Group and added members from parent [root@host108 ~]# getent group adunigroup1@ipaad2008r2.test adunigroup1@ipaad2008r2.test:*:175001107:aduser1@ipaad2008r2.test,aduser3@ipaad2008r2.test,aduser1@ipasub2008r2-1.ipaad2008r2.test 3. Created Global Security Group added members from child domain. [root@host108 ~]# getent group adgroup2@ipasub2008r2-1.ipaad2008r2.test adgroup2@ipasub2008r2-1.ipaad2008r2.test:*:1393601108:aduser1@ipasub2008r2-1.ipaad2008r2.test,aduser0@ipasub2008r2-1.ipaad2008r2.test 4. Created Universal Security Group and added members from child domain. [root@host108 ~]# getent group adunigroup2@ipasub2008r2-1.ipaad2008r2.test adunigroup2@ipasub2008r2-1.ipaad2008r2.test:*:1393603033:aduser0@ipasub2008r2-1.ipaad2008r2.test,aduser2@ipasub2008r2-1.ipaad2008r2.test,aduser3@ipaad2008r2.test 5. After removing user from group, found that getent group is also updated. a)After removing aduser1@ipasub2008r2-1.ipaad2008r2.test from adunigroup1@ipaad2008r2.test group [root@host108 ~]# getent group adunigroup1@ipaad2008r2.test adunigroup1@ipaad2008r2.test:*:175001107:aduser1@ipaad2008r2.test,aduser3@ipaad2008r2.test b)After removing aduser3@ipaad2008r2.test from adunigroup2@ipasub2008r2-1.ipaad2008r2.test group [root@host108 ~]# getent group adunigroup2@ipasub2008r2-1.ipaad2008r2.test adunigroup2@ipasub2008r2-1.ipaad2008r2.test:*:1393603033:aduser0@ipasub2008r2-1.ipaad2008r2.test,aduser2@ipasub2008r2-1.ipaad2008r2.test [root@host108 ~]# 6. External Group [root@host108 ~]# ipa group-add --external ext_ad_administrators --desc "IPAAD2008R2.TEST\Administrators" ----------------------------------- Added group "ext_ad_administrators" ----------------------------------- Group name: ext_ad_administrators Description: IPAAD2008R2.TEST\Administrators [root@host108 ~]# ipa group-add-member ext_ad_administrators --external "IPAAD2008R2\Domain Admins" [member user]: [member group]: Group name: ext_ad_administrators Description: IPAAD2008R2.TEST\Administrators External member: S-1-5-21-1765444267-4284514389-3232425237-512 ------------------------- Number of members added 1 ------------------------- [root@host108 ~]# ipa group-add ad_administrators ------------------------------- Added group "ad_administrators" ------------------------------- Group name: ad_administrators GID: 1657800007 [root@host108 ~]# ipa group-add-member ad_administrators --group ext_ad_administrators Group name: ad_administrators GID: 1657800007 Member groups: ext_ad_administrators ------------------------- Number of members added 1 ------------------------- [root@host108 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start Redirecting to /bin/systemctl stop sssd.service Redirecting to /bin/systemctl start sssd.service [root@host108 ~]# getent group ad_administrators ad_administrators:*:1657800007:administrator@ipaad2008r2.test
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html