While I have seen similar posts to the list while digging through the archive, I cannot find this question specifically answered. We are coming from OpenLDAP and migrating to FreeIPA on CentOS 7.5. We are using indirect memberships to make this migration easier as we are moving from an organically grown OpenLDAP to a very structured FreeIPA implementation. What seems to be happening is that indirect memberships don't show using the standard Linux tools. Using either "id" or "groups" doesn't show any indirect memberships yet the permissions seem to still work properly. This is causing some confusion with our team.
Group B is a member of Group A and the user is also a direct member of groups C and D. When using "id" for a given user it returns B, C, D and not A. However I can create a file owned by user root and group A with 550 permissions and the user can view the contents of the file. "ipa user-show" shows the proper memberships with A being an indirect membership.
Is this the expected behavior when using indirect memberships? If so, does one abandon the standard CLI tool and use only ipa commands? I am fully aware this could be a configuration issue but I have yet to find the correct configuration to expose indirect membership to the standard Linux tools.
On Tue, 19 May 2020, Mark Potter via FreeIPA-users wrote:
Can you give more concrete logs and examples? Are all of those A, B, C, D groups POSIX groups, i.e. do they have gidNumber assigned? I don't need to see the whole entries for them but at least enough output of
$ ipa group-show A --all --raw
that shows 'member' for a user and indirect group membership, along with 'objectclass' list and gidNumber. Same for B, C, D groups.
Please also use SSSD troubleshooting guide to generate debug logs that show which groups the user actually belongs to during the request you did (like 'id ..').
https://sssd.github.io/docs/users/troubleshooting.html
Alexander Bokovoy via FreeIPA-users wrote:
Right, indirect is something that IPA calculates for displaying entries. I doubt SSSD sees or cares about that.
I created a user as you described with direct membership to B, C and D and added B as a member of A. This is what the membership looks like in LDAP:
# ldapsearch -Y GSSAPI -LLL -b uid=tuser1,cn=users,cn=accounts,dc=example,dc=test memberof
SASL/GSSAPI authentication started
SASL username: admin@EXAMPLE.TEST
SASL SSF: 256
SASL data security layer installed.
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=test
memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=b,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=a,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=c,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=d,cn=groups,cn=accounts,dc=example,dc=test
ipausers of course being a non-posix group.
rob
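Rob's point above, that "indirect" membership is only something IPA computes for display while the memberof attribute SSSD reads is already flattened by the directory, can be shown by recomputing that closure from the group entries and diffing it against what `id` reports. The following is an added example, not code from the thread or from FreeIPA or SSSD. The group entries, the gidNumbers for groupc and groupd, the uidNumber and the two `id` outputs are constructed for illustration; only the nesting (groupb in groupa, the user directly in groupb, groupc, groupd and the non-POSIX ipausers) mirrors the thread.

```python
"""Check that `id` reflects the nested group membership LDAP already holds.

Added example for this thread; not code from the thread or from FreeIPA/SSSD.
All sample data is constructed: groupb is a member of groupa, the user is a
direct member of groupb, groupc and groupd, and ipausers has no gidNumber.
The gidNumbers of groupc/groupd and the uidNumber in the `id` output are
assumptions.
"""
from __future__ import annotations

import re

BASE = "dc=example,dc=test"
USER_DN = f"uid=tuser1,cn=users,cn=accounts,{BASE}"


def group_dn(cn: str) -> str:
    return f"cn={cn},cn=groups,cn=accounts,{BASE}"


# Constructed group entries: DN -> gidNumber (None = non-POSIX) and direct members.
GROUPS = {
    group_dn("groupa"): {"gidnumber": 2044, "member": [group_dn("groupb")]},
    group_dn("groupb"): {"gidnumber": 2000, "member": [USER_DN]},
    group_dn("groupc"): {"gidnumber": 2001, "member": [USER_DN]},   # gid assumed
    group_dn("groupd"): {"gidnumber": 2002, "member": [USER_DN]},   # gid assumed
    group_dn("ipausers"): {"gidnumber": None, "member": [USER_DN]},
}

# Constructed `ldapsearch -LLL -b <user dn> memberof` output for the same user.
USER_LDIF = f"""\
dn: {USER_DN}
memberof: {group_dn("ipausers")}
memberof: {group_dn("groupb")}
memberof: {group_dn("groupa")}
memberof: {group_dn("groupc")}
memberof: {group_dn("groupd")}
"""

# Constructed `id` output: one from a client whose SSSD cache lacks groupa
# (the symptom in the thread), one after the cache was refreshed.
STALE_ID_OUTPUT = "uid=1001(tuser1) gid=2000(groupb) groups=2000(groupb),2001(groupc),2002(groupd)"
FRESH_ID_OUTPUT = "groupb groupa groupc groupd"   # `id -Gn` form


def rdn_cn(dn: str) -> str:
    """cn value of a group DN, lowercased (DN comparison is case-insensitive)."""
    m = re.match(r"\s*cn=([^,]+)", dn, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a cn-based DN: {dn}")
    return m.group(1).strip().lower()


def parse_memberof(ldif: str) -> set[str]:
    """Group cn values from the memberof: lines of one LDIF entry."""
    names = set()
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "memberof":
            names.add(rdn_cn(value))
    return names


def expand_membership(member_dn: str, groups: dict) -> set[str]:
    """Transitive closure of the groups containing member_dn, directly or via
    nested groups. This is what the directory's memberOf plugin materialises
    in the user's memberof attribute, so IPA's 'indirect' groups appear here
    as ordinary entries. Cycle-safe (x in y in x terminates)."""
    parents: dict[str, set[str]] = {}
    for g_dn, entry in groups.items():
        for m in entry["member"]:
            parents.setdefault(m.lower(), set()).add(g_dn.lower())
    seen, stack = set(), [member_dn.lower()]
    while stack:
        for g in parents.get(stack.pop(), ()):
            if g not in seen:
                seen.add(g)
                stack.append(g)
    return {rdn_cn(g) for g in seen}


def posix_only(names: set[str], groups: dict) -> set[str]:
    """Drop groups without a gidNumber: SSSD never reports those to `id`."""
    gid_by_cn = {rdn_cn(dn): e["gidnumber"] for dn, e in groups.items()}
    return {n for n in names if gid_by_cn.get(n) is not None}


def parse_id_groups(id_output: str) -> set[str]:
    """Group names from either `id -Gn` ('groupb groupc') or full `id` output
    ('uid=1001(u) gid=2000(groupb) groups=2000(groupb),2001(groupc)')."""
    text = id_output.strip()
    if "groups=" in text:
        tail = text.split("groups=", 1)[1]
        return {n.lower() for n in re.findall(r"\d+\(([^)]+)\)", tail)}
    return {t.lower() for t in text.split()}


def stale_candidates(ldif: str, id_output: str, groups: dict) -> set[str]:
    """POSIX groups the directory says the user is in but `id` does not show.
    Empty on a client whose SSSD cache is current."""
    return posix_only(parse_memberof(ldif), groups) - parse_id_groups(id_output)


if __name__ == "__main__":
    print("memberof closure :", sorted(expand_membership(USER_DN, GROUPS)))
    print("missing (stale)  :", sorted(stale_candidates(USER_LDIF, STALE_ID_OUTPUT, GROUPS)))
    print("missing (fresh)  :", sorted(stale_candidates(USER_LDIF, FRESH_ID_OUTPUT, GROUPS)))
```

On a live client the two inputs come from `ldapsearch -Y GSSAPI -LLL -b "<user dn>" memberof` and `id -Gn <user>`. A non-empty result is the symptom described in this thread; refreshing the SSSD cache (`sss_cache -E`, then restarting sssd, which is what Mark reports doing further down) is the first thing to rule out before going through the SSSD debug logs Alexander asked for. A non-POSIX group such as ipausers is never expected in `id` output, which is why the check filters on gidNumber.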
We have a large organization and a lot of groups so I've clipped the bits that don't apply and changed the names of the actual groups for the obvious reasons. groupb is a member of groupa, so everything appears to be working correctly on that front.
dn: uid=markp,cn=users,cn=accounts,dc=test,dc=example
memberof: cn=groupb,cn=groups,cn=accounts,dc=test,dc=example
memberof: cn=groupa,cn=groups,cn=accounts,dc=test,dc=example
On Tue, May 19, 2020 at 9:36 AM Rob Crittenden rcritten@redhat.com wrote:
Mark Potter via FreeIPA-users wrote:
Ok, that's good. I think the next step is the SSSD troubleshooting that Alexander suggested. The user entry seems to have the right information, perhaps the SSSD logs will be enlightening.
rob
--
Mark Potter
Senior Linux Administrator
DownUnder GeoSolutions
16200 Park Row Drive, Suite 100
Houston TX 77084, USA
tel +1 832 582 3221
markp@dug.com
www.dug.com
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
All of the groups are posix groups, all have a gid assigned.
groupa gid: 2044
groupb gid: 2000

dn: cn=groupa,cn=groups,cn=accounts,dc=test,dc=example
cn: groupa
gidnumber: 2044
member: cn=groupb,cn=groups,cn=accounts,dc=test,dc=example

dn: cn=groupb,cn=groups,cn=accounts,dc=test,dc=example
cn: groupb
gidnumber: 2000
So when I went to grab the logs for "id" it shows the proper groups as I would expect. I have literally changed nothing else. I did do an "sss_cache -E" and restart sssd yesterday so I have no idea why this is working now. I will test more and see if I can replicate the issue.
On Tue, May 19, 2020 at 9:28 AM Alexander Bokovoy abokovoy@redhat.com wrote:
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland