On 03/31/2015 08:16 AM, Jakub Hrozek wrote:
On Mon, Mar 30, 2015 at 03:47:01PM -0600, Orion Poplawski wrote:
Running IPA with an AD trust. Users are in AD. Trying to use full_name_format = %1$s to strip the domain from user names. This appears to break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com
uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com
id: orion@ad.nwra.com: no such user
# id orion
id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched.
If I reset the server back to normal (drop full_name_format and default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is it trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"?
I just tried a similar setup and it worked OK for me. I only changed the settings on the client. There are two gotchas, maybe they'll help:
1) if you change the full_name_format, you need to purge the cache. We realize it's suboptimal and won't be required for 1.13, hopefully.
Yeah, I've gotten into the habit of doing:
systemctl stop sssd;rm -rf /var/lib/sss/db/* /var/log/sssd/*;systemctl start sssd
for each change. I'm still not having any luck though.
Server sssd.conf:
[domain/nwra.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nwra.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = europa.nwra.com
chpass_provider = ipa
ipa_server = europa.nwra.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
subdomain_homedir = /home/%u
#full_name_format = %1$s
ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com
debug_level = 10

[sssd]
services = nss, pam, ssh, pac, autofs
config_file_version = 2
domains = nwra.com
#default_domain_suffix = ad.nwra.com
debug_level = 10

[nss]
default_shell = /bin/bash
ipa-server-4.1.0-18.sl7_1.3.x86_64 sssd-1.12.2-58.el7.x86_64
Client sssd.conf:
[domain/nwra.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nwra.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipaclient.cora.nwra.com
chpass_provider = ipa
ipa_server = _srv_, europa.nwra.com
dns_discovery_domain = nwra.com
subdomain_homedir = /home/%u
debug_level = 0xfff0
full_name_format = %1$s
ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com
use_fully_qualified_names = True

[sssd]
services = nss, pam, autofs, pac
config_file_version = 2
domains = nwra.com
default_domain_suffix = ad.nwra.com

[nss]
homedir_substring = /home
default_shell = /bin/bash
sssd-1.12.4-1.fc21.x86_64
2) Depending on your version, you might need to set use_fully_qualified_names=True in the domain section so that the IPA users work.
Thanks for the heads up. Although setting it on the client makes "id orion" fail, even with the default_domain_suffix set.
Out of curiosity, why do you want to disable the fully qualified names?
Simplicity. We're going to have all of the users in AD anyway, so it's just annoyingly long to have @ad.nwra.com added to everything.
I'm also trying to see if I can get away with something that allows NFSv4 to treat our existing LDAP users and the new AD users (with the same names) as identical, but that may be folly.
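The two symptoms in the thread (a user that resolves with only its primary group, and the sysdb errors naming a group DN under cn=nwra.com) can be checked mechanically from `id` output and from the sssd debug log. The following shell script is an added example, not code from the thread or from sssd itself; it runs over sample lines constructed from the outputs quoted above and assumes only that `id` and the sssd log lines look as shown there. The `check_user` function is the live variant meant to be run after purging the cache the way the thread does; the sample lines exercise the parsers offline.

```shell
#!/bin/sh
# Added example (not from the thread or from sssd): parse `id` output and
# sssd log lines to spot the two symptoms discussed in the thread.

# Count the entries in the "groups=" list of one line of `id` output.
# Prints 0 (and still succeeds) when the line carries no groups= list.
count_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | grep -c . || true
}

# Succeeds when at least one supplementary group beyond the primary group
# resolved, i.e. the groups= list has more than one entry.
has_supplementary_groups() {
    [ "$(count_groups "$1")" -gt 1 ]
}

# Pull the sysdb domain out of a "Could not add member ... to group
# [...,cn=groups,cn=<domain>,cn=sysdb]" line so it can be compared with the
# domain the user actually belongs to (prints nothing for other lines).
sysdb_domain_of_error() {
    printf '%s\n' "$1" | sed -n 's/.*cn=groups,cn=\([^,]*\),cn=sysdb.*/\1/p'
}

# Live check against the local sssd (assumes sssd is running and the cache
# was just purged as in the thread; not exercised by the samples below).
check_user() {
    out=$(id "$1" 2>&1) || { echo "$1: lookup failed: $out"; return 2; }
    if has_supplementary_groups "$out"; then
        echo "$1: $(count_groups "$out") group entries resolved"
    else
        echo "$1: only the primary group resolved"
        return 1
    fi
}

# Constructed sample lines, copied from the outputs quoted in the thread.
SAMPLE_FULL='uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com)'
SAMPLE_BROKEN='uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)'
SAMPLE_LOG='(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.'
```

Run `check_user orion@ad.nwra.com` (or `check_user orion` once default_domain_suffix is set) right after the stop/purge/start sequence from the thread; a non-zero exit means the cache came back with only the primary group. Feeding the sssd_nwra.com.log lines through `sysdb_domain_of_error` shows which sysdb domain subtree the group-membership writes were aimed at.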