Sorry Sumit I missed your reply.
The quick answer is that we changed the name of the group and the literal group name was
RG-Ourcompany-Ops-3rd Party-Data#3-G.
It might appear that the \ was added in to sanitize the search by sssd.
Luckily we don't have other groups which use a # character in their name.
Just posted in case it was worthwhile hunting it down.
Craig Silva
_________
Craig Silva | Specialist Engineer – Unix Services – Servers, Storage and IDAM
Cenitex | Level 15, 80 Collins Street, Melbourne 3000
ph: 03-8688-1297 mob: 0429 365 609 |
www.cenitex.vic.gov.au
This office is located on the land of the Traditional Owners of the Kulin Nation.
Accountability, Collaboration, Respect, Initiative and Courage
-----Original Message-----
From: Sumit Bose via FreeIPA-users [mailto:freeipa-users@lists.fedorahosted.org]
Sent: Monday, 4 June 2018 5:15 PM
To: freeipa-users(a)lists.fedorahosted.org
Cc: Sumit Bose <sbose(a)redhat.com>
Subject: [Freeipa-users] Re: apparent error with ad_enum_cross_dom_members
On Mon, Jun 04, 2018 at 05:33:28AM +0000, Craig H Silva (Cenitex) via FreeIPA-users
wrote:
Background - stupidly large AD domain with 30,000 plus groups. It is
a forest with a number of legacy domains that are not relevant to our authentication on
Linux but the AD admins don't want to allow us to mess with their schema so we still
use group membership to manage sudo.
We're also attempting to align with Windows through use of nested groups to fit in
with enterprise preference for RBAC.
It's complicated and there's no resourcing to put in place an IPA service which
would help.
Anyway these are the relevant config elements:
id_provider = ad
auth_provider = ad
access_provider = ad
subdomains_provider = none
enumerate = true
ignore_group_members = true
cache_credentials = true
ldap_id_mapping = true
ldap_schema = ad
( I can provide full config if requested). We had gone to full enumeration and
ignore_group_members to ensure that the groups that provide sudo access are available
without ridiculous cpu utilisation and it was working but hit this apparent issue:
[sssd[be[ourdomain.xxx.xxx]]] [ad_enum_cross_dom_members] (0x0080):
Failed to add [CN=RG-Ourcompany-Ops-3rd
Party-Data\#3-G,OU=CenITex,OU=Operations Roles,OU=Delegated Groups,OU=
Infrastructure Security,DC=ourcompany,DC=xxx,DC=xxx,,DC=xx]:
Input/output error
I guess this issue might be caused by the '\#3' part of the DN which is not
properly sanitized for a search.
Is the literal group name 'RG-Ourcompany-Ops-3rd Party-Data\#3-G'? I'm asking
to see if the '\' was already added to sanitize the original name.
Do you have other groups with similar name which do not trigger this error message?
bye,
Sumit
Can raise a bug report if it's clear that this is the issue.
Symptom is that group enumeration that was comprehensive, now seems to stop abruptly.
Cheers
Craig Silva
_________
Craig Silva | Specialist Engineer - Unix Services - Servers, Storage
and IDAM Cenitex | Level 15, 80 Collins Street, Melbourne 3000
ph: 03-8688-1297 mob: 0429 365 609 |
www.cenitex.vic.gov.au<http://www.cenitex.vic.gov.au/>
This office is located on the land of the Traditional Owners of the Kulin Nation.
[cenitex logo]<http://www.cenitex.vic.gov.au/>
[cid:image004.jpg@01D36DDE.27450B80]
<
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_Cen...
[cid:image006.jpg@01D36DDE.27450B80]
<
https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_cenitex&...
[cid:image010.jpg@01D36DDE.27450B80]
<
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_com...
Accountability, Collaboration, Respect, Initiative and Courage
----------------------------------------------------------------------
Notice:
This email and any attachments may contain information that is
personal, confidential, legally privileged and/or copyright. No part
of it should be reproduced, adapted or communicated without the prior
written consent of the copyright owner.
It is the responsibility of the recipient to check for and remove viruses.
If you have received this email in error, please notify the sender by
return email, delete it from your system and destroy any copies. You
are not authorised to use, communicate or rely on the information contained in this
email.
Please consider the environment before printing this email.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://urldefense.proofpoint.com/v2/url?u=https-3A__getfedora.org_cod
e-2Dof-2Dconduct.html&d=DwIGaQ&c=JnBkUqWXzx2bz-3a05d47Q&r=T8mD0RvEsXMA
2H4fNM3VWhzlDFa9nHLlzUb7k-5uHhw&m=JoLzFkBEDYS97xWxqiHT1S-pd16myTaKc_Kj
wqv8AZE&s=fsR16FKs1G__V_ogSKzm4pW6Yv9_A4kUFhkR_pTS23o&e=
List Guidelines:
https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org
_wiki_Mailing-5Flist-5Fguidelines&d=DwIGaQ&c=JnBkUqWXzx2bz-3a05d47Q&r=
T8mD0RvEsXMA2H4fNM3VWhzlDFa9nHLlzUb7k-5uHhw&m=JoLzFkBEDYS97xWxqiHT1S-p
d16myTaKc_Kjwqv8AZE&s=SlOb2dSxuB3iOIv6D9Y5zSNgaHL3xYxrUQZsJzkDcPQ&e=
List Archives:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedoraproje
ct.org_archives_list_freeipa-2Dusers-40lists.fedorahosted.org_message_
2UT3LSZLQT6YHMVZVW6Q6YXTUQIK4C7U_&d=DwIGaQ&c=JnBkUqWXzx2bz-3a05d47Q&r=
T8mD0RvEsXMA2H4fNM3VWhzlDFa9nHLlzUb7k-5uHhw&m=JoLzFkBEDYS97xWxqiHT1S-p
d16myTaKc_Kjwqv8AZE&s=mktGbX9EhLe88joOIlkA8InLwEmLsO-1zSw15ZUEqTk&e=
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://urldefense.proofpoint.com/v2/url?u=https-3A__getfedora.org_code-2...
List Guidelines:
https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wi...
List Archives:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedoraproject....
----------------------------------------------------------------------
Notice:
This email and any attachments may contain information that is personal,
confidential, legally privileged and/or copyright. No part of it should be
reproduced, adapted or communicated without the prior written consent of the
copyright owner.
It is the responsibility of the recipient to check for and remove viruses.
If you have received this email in error, please notify the sender by return
email, delete it from your system and destroy any copies. You are not authorised
to use, communicate or rely on the information contained in this email.
Please consider the environment before printing this email.