We have a large organization and a lot of groups so I've clipped the
bits that don't apply and changed the names of the actual groups for the
obvious reasons. groupb is a member of groupa, so everything appears to
be working correctly on that front.
dn: uid=markp,cn=users,cn=accounts,dc=test,dc=example
memberof: cn=groupb,cn=groups,cn=accounts,dc=text,dc=example
memberof: cn=groupa,cn=groups,cn=accounts,dc=test,dc=example
Ok, that's good. I think the next step is the SSSD troubleshooting that
Alexander suggested. The user entry seems to have the right information,
perhaps the SSSD logs will be enlightening.
rob
On Tue, May 19, 2020 at 9:36 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
Alexander Bokovoy via FreeIPA-users wrote:
> On Tue, 19 May 2020, Mark Potter via FreeIPA-users wrote:
>> While I have seen similar posts to the list while digging through the
>> archive, I cannot find this question specifically answered. We are coming
>> from OpenLDAP and migrating to FreeIPA on CentOS 7.5. We are using indirect
>> memberships to make this migration easier as we are moving from an
>> organically grown OpenLDAP to a very structured FreeIPA implementation.
>> What seems to be happening is that indirect memberships don't show using
>> the standard Linux tools. Using either "id" or "groups" doesn't show any
>> indirect memberships yet the permissions seem to still work properly. This
>> is causing some confusion with our team.
>>
>> Group B is a member of Group A and the user is also a direct member of
>> groups C and D. When using "id" for a given user it returns B, C, D and
>> not A. However I can create a file owned by user root and group A with 550
>> permissions and the user can view the contents of the file. "ipa user-show"
>> shows the proper memberships with A being an indirect membership.
>>
>> Is this the expected behavior when using indirect memberships? If so, does
>> one abandon the standard CLI tool and use only ipa commands? I am fully
>> aware this could be a configuration issue but I have yet to find the
>> correct configuration to expose indirect membership to the standard Linux
>> tools.
>
> Can you give more concrete logs and examples? Are all of those A, B, C,
> D groups POSIX groups, e.g. they have gidNumber assigned? I don't need
> to see the whole entries for them but at least enough output of
>
> $ ipa group-show A --all --raw
>
> that shows 'member' for a user and indirect group membership, along with
> 'objectclass' list and gidNumber. Same for B, C, D groups.
>
> Please also use SSSD troubleshooting guide to generate debug logs that show
> which groups the user actually belongs to during the request you did
> (like 'id ..').
>
> https://sssd.github.io/docs/users/troubleshooting.html
>
Right, indirect is something that IPA calculates for displaying entries.
I doubt SSSD sees or cares about that.
I created a user as you described with direct membership to B, C and D
and added B as a member of A. This is what the membership looks like in
LDAP:
# ldapsearch -Y GSSAPI -LLL -b uid=tuser1,cn=users,cn=accounts,dc=example,dc=test memberof
SASL/GSSAPI authentication started
SASL username: admin(a)EXAMPLE.TEST
SASL SSF: 256
SASL data security layer installed.
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=test
memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=b,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=a,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=c,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=d,cn=groups,cn=accounts,dc=example,dc=test
ipausers of course being a non-posix group.
rob
--
*Mark Potter*
Senior Linux Administrator
DownUnder GeoSolutions
16200 Park Row Drive, Suite 100
Houston TX 77084, USA
tel +1 832 582 3221
markp(a)dug.com
www.dug.com
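A repeatable version of the check the thread walks through, added here as an example that is not from the thread, FreeIPA or SSSD: parse the memberof attributes out of the ldapsearch output, compare them with what `id -Gn` returns, and separate groups without a gidNumber (expected to be absent, like ipausers) from POSIX groups that SSSD should have returned. The sample LDIF, the `id` output and the set of POSIX groups are constructed; `live_compare` runs the real commands on a host where you hold a Kerberos ticket and know the user's DN.

```python
import re
import subprocess

# Constructed sample input, modelled on the ldapsearch output in the thread.
SAMPLE_LDIF = """\
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=test
memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=b,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=a,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=c,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=d,cn=groups,cn=accounts,dc=example,dc=test
"""
# Constructed `id -Gn tuser1` output: the user-private group plus b, c, d; a is absent as reported.
SAMPLE_ID_GN = "tuser1 b c d"
# Constructed: the groups that carry a gidNumber (verify with `ipa group-show X --all --raw`).
SAMPLE_POSIX = {"a", "b", "c", "d"}

MEMBEROF_CN = re.compile(r"^memberof:\s*cn=([^,]+),cn=groups,", re.IGNORECASE)

def memberof_groups(ldif: str) -> set:
    """Group names (cn) taken from the memberof attributes of one LDIF entry."""
    return {m.group(1).lower() for m in map(MEMBEROF_CN.match, ldif.splitlines()) if m}

def nss_groups(id_gn_output: str) -> set:
    """Group names from `id -Gn <user>` output (space separated, one line)."""
    return {g.lower() for g in id_gn_output.split()}

def compare(ldif: str, id_gn_output: str, posix_groups: set) -> dict:
    """Classify every memberof group by whether NSS/SSSD actually returned it."""
    ldap, nss = memberof_groups(ldif), nss_groups(id_gn_output)
    missing = ldap - nss
    return {
        # POSIX groups in memberof that `id` did not return: these need an SSSD debug log.
        "posix_missing": sorted(missing & posix_groups),
        # Groups without gidNumber never reach NSS, so seeing them here is expected.
        "non_posix_missing": sorted(missing - posix_groups),
        # Groups `id` returned that are not in memberof, e.g. the user-private group.
        "nss_only": sorted(nss - ldap),
    }

def live_compare(user: str, user_dn: str, posix_groups: set) -> dict:
    """Same comparison on a real host; ldif-wrap=no keeps long DNs on one line."""
    ldif = subprocess.run(["ldapsearch", "-Y", "GSSAPI", "-LLL", "-o", "ldif-wrap=no",
                           "-b", user_dn, "memberof"], capture_output=True, text=True, check=True).stdout
    id_gn = subprocess.run(["id", "-Gn", user], capture_output=True, text=True, check=True).stdout
    return compare(ldif, id_gn, posix_groups)

if __name__ == "__main__":
    print(compare(SAMPLE_LDIF, SAMPLE_ID_GN, SAMPLE_POSIX))
```

An empty `posix_missing` list on the affected host means `id` already agrees with LDAP and the confusion is only about non-POSIX groups; a non-empty one is the case to reproduce with SSSD debug logging enabled.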
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...