On Fri, 16 Aug 2019, Blake Dworaczyk via FreeIPA-users wrote:
I have a FreeIPA domain (ipa.engr.tamu.edu) that has a one-way trust
with an AD domain (engr.tamu.edu). I've created a POSIX group called
'linux_team' that contains an external group called 'linux_team_ext',
which itself contains the AD group linux_team@engr.tamu.edu (from the trusted domain).
When I perform a 'getent group linux_team', I get no results. When looking at the
debug logs, I see that SSSD does fetch all of the users from the group:
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-william.luke@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-andrew.eggleston@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-blake.dworaczyk@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-david.miller@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-j.polasek@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-matthew.mjelde@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-steve.herring@engr.tamu.edu] to [overridememberUid].
However, I ultimately see this line:
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [nss_get_grent] (0x0040): Incomplete group object for linux_team@engr.tamu.edu[0]! Skipping
It is here:
(Fri Aug 16 16:09:32 2019) [sssd[be[ipa.engr.tamu.edu]]] [sdap_check_ad_group_type] (0x4000): AD group [linux_team@engr.tamu.edu] has type flags 0x80000004.
Type 0x80000004 is a security domain local group.
SSSD filters domain local groups out over trust:
    /* Only security groups from AD are considered for POSIX groups.
     * Additionally only global and universal group are taken to account
     * for trusted domains. */
    if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
        || (IS_SUBDOMAIN(dom)
            && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
                  || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
        DEBUG(SSSDBG_TRACE_FUNC,
              "Filtering AD group [%s].\n", group_name);
        *_need_filter = true;
    }
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
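As an added illustration for readers of this thread (not part of the exchange above and not SSSD's own code), the small C program below decodes a groupType value using the documented Active Directory groupType flag bits and applies the same rule as the quoted sdap_check_ad_group_type condition, with the trusted-domain check standing in for IS_SUBDOMAIN(dom). The AD_GROUP_TYPE_* constants, ad_group_scope() and ad_group_needs_filter() are names chosen here; it is assumed that SSSD's SDAP_AD_GROUP_TYPE_* macros carry the same bit values as AD.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit values of the Active Directory groupType attribute (MS-ADTS). The
 * SDAP_AD_GROUP_TYPE_* macros in SSSD are assumed to use the same values. */
#define AD_GROUP_TYPE_BUILTIN       0x00000001u
#define AD_GROUP_TYPE_GLOBAL        0x00000002u
#define AD_GROUP_TYPE_DOMAIN_LOCAL  0x00000004u
#define AD_GROUP_TYPE_UNIVERSAL     0x00000008u
#define AD_GROUP_TYPE_SECURITY      0x80000000u

/* Human-readable scope of a groupType value (helper written for this example). */
const char *ad_group_scope(uint32_t group_type)
{
    if (group_type & AD_GROUP_TYPE_BUILTIN)      return "builtin local";
    if (group_type & AD_GROUP_TYPE_GLOBAL)       return "global";
    if (group_type & AD_GROUP_TYPE_DOMAIN_LOCAL) return "domain local";
    if (group_type & AD_GROUP_TYPE_UNIVERSAL)    return "universal";
    return "unknown";
}

/* Same decision as the quoted SSSD condition: a group is dropped if it is
 * not a security group, or if it comes from a trusted (sub)domain and is
 * neither global nor universal. Returns true when SSSD would filter it. */
bool ad_group_needs_filter(uint32_t group_type, bool from_trusted_domain)
{
    if (!(group_type & AD_GROUP_TYPE_SECURITY)) {
        return true;                 /* distribution group: never POSIX */
    }
    if (from_trusted_domain
        && !((group_type & AD_GROUP_TYPE_GLOBAL)
             || (group_type & AD_GROUP_TYPE_UNIVERSAL))) {
        return true;                 /* domain local group over a trust */
    }
    return false;
}

int main(void)
{
    /* The type flags reported in the thread's debug log. */
    uint32_t linux_team = 0x80000004u;

    printf("groupType 0x%08x: %s %s group, filtered over trust: %s\n",
           (unsigned int)linux_team,
           (linux_team & AD_GROUP_TYPE_SECURITY) ? "security" : "distribution",
           ad_group_scope(linux_team),
           ad_group_needs_filter(linux_team, true) ? "yes" : "no");
    return 0;
}
```

For the group in this thread, 0x80000004 decodes to a security group with domain local scope, which the rule filters when the group belongs to a trusted domain; the same value passes when the group is in SSSD's own domain, and a global (0x80000002) or universal (0x80000008) security group passes in both cases.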