On 27 Jan 2016, at 17:50, Bolke de Bruin <bdbruin(a)gmail.com> wrote:
>
> On 27 Jan 2016, at 17:46, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>
> On Wed, Jan 27, 2016 at 05:42:02PM +0100, Bolke de Bruin wrote:
>> Hello,
>>
>> I have sssd 1.13.00 working against FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
>>
>> One of the systems we are using requires to enumerate all users in groups by (unfortunate) design (Apache Ranger). This is done by using “getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought to add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information, sometimes it does not:
>>
>> [root@master centos]# getent group ad_users
>> ad_users:*:1950000004:
>>
>> [root@master centos]# id bolke@ad.local
>> UID=1796201107(bolke@ad.local) GID=1796201107(bolke@ad.local) groepen=1796201107(bolke@ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local)
>>
>> [root@master centos]# getent group ad_users
>> ad_users:*:1950000004:bolke@ad.local
>>
>> If I clear the cache (sss_cache -E) the entry is gone again:
>>
>> [root@master centos]# getent group ad_users
>> ad_users:*:1950000004:
>>
>> My question is how do I get sssd to enumerate *all users* in a group consistently?
>>
>> Thanks!
>> Bolke
>
> ad_users is an IPA group that contains an IPA external group that
> contains the users, right?
Correct.
>
> If so, then you're hitting:
>
> https://fedorahosted.org/sssd/ticket/2522
>
> I've been working on fixing this lately and have some patches, would you
> like to test them?
Sure. I would prefer RPMs (this is on RHEL 6 and 7) but I can compile if required.

This issue must be fixed with sssd on the IPA server itself. Please send me your exact sssd version (rpm -q output) and I'll build you a test package tomorrow.