Hi,


On Thu, Sep 1, 2022 at 4:59 PM Master Blaster via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Howdy,

We are having intermittent login issues with our SSSD/IPA clients using Identity Manager in a read-only cross-forest trust configuration.

The SSSD/IPA servers themselves don't seem to be having this issue, just the SSSD/IPA clients using the IDM/IPA servers as their identity provider.

In addition, the problem only affects AD accounts, not native IDM accounts.

The issue manifests itself as either failed logins or the 'id' command returning user unknown.

All of our IDM servers are RHEL 8.  Clients are various mixes of RHEL 7 and RHEL 8, all exhibiting the same issue.

We have a P2 open with Red Hat, and it feels like they are having a problem pinpointing the issue.

Red Hat support seems to be indicating our AD environment is to blame, at least partially, as most of our AD groups don't have GIDs.  We have 80K + users in our AD (not all of them assigned a Unix UID in AD as most of them have no need to log in to Unix).  However, the users that are logging in via SSSD obviously have UIDs and many groups attached to them, most of which may not have POSIX GIDs as many of those groups will never need to touch Unix. (ie, email groups, Windows only access groups, etc, etc, etc)

If the trust is established with an ipa-ad-trust-posix range type, any AD user who wants to login on IdM side needs to have a uid, and all his groups also need to have a gid. If it's not possible to add these attributes on AD side, you can also create idoverride on IdM and override the uid or the gid. Please see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_using-id-views-for-active-directory-users_managing-users-groups-hosts

flo


Red Hat seems to indicate this is a highly unusual configuration for AD, where not all groups have POSIX GIDs assigned.

I'm curious to know if those who have large AD environments like this with a mix of Unix and non-Unix users truly assign a POSIX GID to each and every group, even if that group will never be utilized by Unix.

Also curious to know if anyone else is experiencing intermittent login problems like this, and if you were able to solve it, and how?

Thank you...
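A diagnostic helper for the situation flo describes, added here and not code from the thread or from FreeIPA itself: it scans an LDIF dump of a user's AD groups for entries that lack gidNumber and prints the `ipa idoverridegroup-add` commands that would give each one a GID inside an ID view. The embedded LDIF is a constructed sample, and the ad.example.test domain, group names, view name and GID values are placeholders.

```shell
#!/bin/sh
# Constructed sample, shaped like the output of an ldapsearch such as
#   ldapsearch -LLL -H ldap://ad.example.test -b 'DC=ad,DC=example,DC=test' \
#       '(&(objectClass=group)(member=<user dn>))' cn gidNumber
# Domain, group names and GIDs are placeholders, not values from the thread.
SAMPLE_LDIF='dn: CN=unix-admins,OU=Groups,DC=ad,DC=example,DC=test
cn: unix-admins
gidNumber: 20001

dn: CN=mail-everyone,OU=Groups,DC=ad,DC=example,DC=test
cn: mail-everyone

dn: CN=win-rdp-users,OU=Groups,DC=ad,DC=example,DC=test
cn: win-rdp-users
'

# Read LDIF on stdin and print the cn of every entry without a gidNumber.
# With an ipa-ad-trust-posix range, each such group blocks the user's login.
groups_missing_gid() {
    awk 'BEGIN { RS=""; FS="\n" }
    {
        cn = ""; has_gid = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^cn: /)        cn = substr($i, 5)
            if ($i ~ /^gidNumber: /) has_gid = 1
        }
        if (cn != "" && !has_gid) print cn
    }'
}

# Turn group names on stdin into the override commands for an ID view.
# Args: view name, AD domain, first GID to hand out (incremented per group).
# The view must exist (ipa idview-add) and be applied to the clients
# (ipa idview-apply --hosts=...) for the overrides to take effect; choose
# GIDs that do not collide with the IdM or AD ID ranges already in use.
override_commands() {
    view=$1; domain=$2; gid=$3
    while IFS= read -r grp; do
        printf 'ipa idoverridegroup-add %s "%s@%s" --gid=%s\n' \
            "$view" "$grp" "$domain" "$gid"
        gid=$((gid + 1))
    done
}

# Usage: printf '%s' "$SAMPLE_LDIF" | groups_missing_gid \
#            | override_commands ad_view ad.example.test 30000
```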
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org