[Freeipa-users] anyone know how to do sssd filters?

Jakub Hrozek jhrozek at redhat.com
Tue Dec 18 15:17:38 UTC 2012


On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote:
> On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> > On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
> >> On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
> >> > On 12/17/2012 03:11 PM, KodaK wrote:
> >> > > I'm attempting to install Satellite in my IPA domain.  There is a
> >> > > ridiculous requirement that the group "dba" must not already exist
> >> > > prior to installing.  Red Hat support wanted me to *remove* the DBA
> >> > > group and then install.
> >> > >
> >> > > Anyway, I'm trying to play around with filter_groups in sssd, and I
> >> > > can't seem to get it to "take."  The man page isn't exactly clear, but
> >> > > here's what I've tried:
> >> > >
> >> > > filter_groups = dba
> >> > > filter_groups= dba at fqdn
> >> > >
> >> > > In the [domain], [sssd] and [nss] sections of the config file.
> >> > >
> >> > > What's the right syntax?  Do I need it in every section?
> >> > >
> >> > Is it a local group or a central group?
> >>
> >> Where Dmitri's question is headed is that if dba is a local group (aka
> >> stored in /etc/passwd), then the SSSD should be queried at all.
> >               ^^^
> >             /etc/group obviously
> 
> I figured. :)
> 
> The group "dba" is stored in IPA.  Here's a funny thing, though (short rundown):
> 
> Installed RHEL 6.3 on Satellite server, joined it to the domain.
> 
> Try to install Satellite: get the "Could not install database."
> 
> I try to filter out the group in IPA, try to install Satellite, get:
> "The group 'dba' should exist."  This makes me think that the filter
> is doing every "dba" not just dba on the IPA server.
> 
> I removed the Satellite server from IPA (ipa-client-install
> --uninstall) and I get the same message (dba should exist.)
> 
> Fun stuff.
> 

Unless you wiped out the machine completely, do you know if:

$ getent group -s sss dba

Returned the group or not?

I wouldn't be surprised if the installer tools checked the files directly..

> Now I'm re-installing RHEL so I can start from scratch, and I'll
> attempt to install Satellite without joining it to the domain.  I'm
> not fond of this option -- I don't want to have stand-alone machines
> that I have to manage separately, that's why I installed IPA in the
> first place.
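
The check suggested above (`getent group -s sss dba`), extended to every source on the `group:` line of nsswitch.conf and to the flat group file itself. This is an added example, not part of the original message. The function names and the `NSSWITCH`/`GROUP_FILE` overrides are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report which source answers for a group name, so a
# group served by SSSD can be told apart from one in the local file.
# NSSWITCH and GROUP_FILE are hypothetical overrides for testing on
# constructed files; by default the real system files are read.
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"

# Print the services on the "group:" line of nsswitch.conf, one per
# line, dropping comments and action items such as [NOTFOUND=return].
group_sources() {
    sed -n 's/#.*//; s/^[[:space:]]*group:[[:space:]]*//p' "$NSSWITCH" |
        sed 's/\[[^]]*\]//g' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Succeed if the group has an entry in the flat file itself. This is
# what a tool sees when it reads the file directly instead of using NSS.
in_group_file() {
    awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }' "$GROUP_FILE"
}

# Query the flat file, then each configured NSS source on its own.
report_group() {
    name="$1"
    if in_group_file "$name"; then
        echo "$GROUP_FILE: present"
    else
        echo "$GROUP_FILE: absent"
    fi
    for src in $(group_sources); do
        if getent group -s "$src" "$name" >/dev/null 2>&1; then
            echo "nss:$src: present"
        else
            echo "nss:$src: absent"
        fi
    done
}

# Usage: sh script.sh dba
if [ "$#" -gt 0 ]; then
    report_group "$1"
fi
```

Run it before and after changing `filter_groups` to see whether the `sss` source still answers for the group.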



