On Mon, Mar 30, 2015 at 03:47:01PM -0600, Orion Poplawski wrote:
Running IPA with an AD trust. Users are in AD. Trying to use full_name_format = %1$s to strip the domain from user names. This appears to break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com
uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com
id: orion@ad.nwra.com: no such user
# id orion
id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched.
If I reset the server back to normal (drop full_name_format and default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is it trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"?
I just tried a similar setup and it worked OK for me. I only changed the settings on the client. There are two gotchas, maybe they'll help:
1) if you change the full_name_format, you need to purge the cache. We realize it's suboptimal and it won't be required for 1.13, hopefully.
2) Depending on your version, you might need to set use_fully_qualified_names=True in the domain section so that the IPA users work.
Out of curiosity, why do you want to disable the fully qualified names?
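An added example, not part of either message in this thread: a small POSIX sh lint that reads an sssd.conf and flags the second gotcha in the reply above (a custom full_name_format with no use_fully_qualified_names = True in a [domain/...] section), plus a helper that spells out the cache purge needed for the first. The option and section names are real sssd.conf keys; the config contents are constructed, and the stop / remove / start purge sequence is the usual manual procedure and an assumption here, since the thread does not say which purge method was meant.

```shell
#!/bin/sh
# Added example: lint an sssd.conf for the full_name_format gotcha from the reply.
# Option and section names are real sssd.conf keys; everything else here is
# constructed for illustration and is not the thread's own configuration.

# lint_sssd_conf FILE
# Exit 0 when the file keeps the default full_name_format, or when every
# [domain/...] section sets use_fully_qualified_names = True alongside a
# custom full_name_format; exit 1 (printing a warning per domain) otherwise.
lint_sssd_conf() {
    awk '
        # Track the current [section] header, stripped of brackets and spaces.
        /^[[:space:]]*\[/ {
            section = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", section)
            if (section ~ /^domain\//) domains[section] = 1
            next
        }
        # Skip comments and blank lines.
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        # key = value lines: split on the first "=" and trim both sides.
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "full_name_format") fmt = val
            if (key == "use_fully_qualified_names" && section ~ /^domain\//) fqn[section] = tolower(val)
        }
        END {
            if (fmt == "") { print "ok: default full_name_format in use"; exit 0 }
            rc = 0
            for (d in domains) {
                if (fqn[d] != "true") {
                    print "warn: [" d "] runs with full_name_format = " fmt " but no use_fully_qualified_names = True"
                    rc = 1
                }
            }
            if (rc == 0) print "ok: every domain sets use_fully_qualified_names = True"
            exit rc
        }' "$1"
}

# purge_sssd_cache [CACHE_DIR]
# The reply says a changed full_name_format needs a cache purge; the
# stop / remove / start sequence below is the usual manual way (an assumption
# here, the thread does not spell it out). Not run by the demo below.
purge_sssd_cache() {
    dir=${1:-/var/lib/sss/db}
    systemctl stop sssd || return 1
    rm -f "$dir"/*.ldb
    systemctl start sssd
}

# Demo on a constructed client config resembling the one in the thread.
demo_conf=$(mktemp) || exit 1
cat > "$demo_conf" <<'EOF'
[sssd]
domains = nwra.com
full_name_format = %1$s

[domain/nwra.com]
id_provider = ipa
ipa_domain = nwra.com
EOF
lint_sssd_conf "$demo_conf" || echo "fix: add use_fully_qualified_names = True under [domain/nwra.com]"
rm -f "$demo_conf"
```

Run it against the client's /etc/sssd/sssd.conf after editing; a "warn" line names each domain section that still needs use_fully_qualified_names = True, and the purge helper is there to call by hand once the format change is in place.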