On Thu, Nov 14, 2019 at 10:10:20AM -0500, John Desantis wrote:
Jakub,
> This is confusing because the enumerate word is overloaded :-)
Ha! Agreed.
> What is not supported and I guess won't be is "getent passwd" or "getent
> group" to get all objects from AD.
I definitely agree with not being able to get all objects from AD via
`getent passwd` or `getent group`.
> get AD members of an IPA group added through an external group, e.g.
> "getent group ipagroup" should show both its IPA and AD group members.
This is exactly what I'm referring to. On the IPA masters (which have
their AD Trusts established), I can query an IPA group which has IPA
and external members via `getent group blah` and see both IPA and AD
users, as long as the following option is set within sssd.conf:
ignore_group_members = FALSE
But, on the IPA client nodes the only time that all group members will
be shown is if:
1.) The users have previously logged into the node in question;
2.) The users have been queried via `id user` or `getent passwd user`
Is the functionality in question only available for IPA masters?
It shouldn't be and I'm seeing the users also on a client. I don't
remember if there was ever a bug in the client portion, I guess
looking at the logs would be the next step.