[Freeipa-users] Incomplete user identities on legacy clients

Vladimir Kondratyev VKondratyev at bellintegrator.ru
Fri Feb 19 12:48:40 UTC 2016


Hi

I installed the latest ipa-server-4.2.0-15.el7_2.6.x86_64 with the slapi-nis plugin on RHEL7.2, then installed and configured ipa-server-trust-ad-4.2.0-15.el7_2.6.x86_64 with the compat-schema option, and then successfully established a one-way trust with a Win2008R2 domain (named ad.dlink).

After that, the following objects were created in AD:

groups:
"linux admins@ad.dlink"
"linux users@ad.dlink"

users:
"user2@ad.dlink" - member of "linux users@ad.dlink"
"user3@ad.dlink" - member of both the "linux users@ad.dlink" and "linux admins@ad.dlink" groups

On the IPA side I created the following groups and relations:

external member -> external ipa group -> posix ipa group
"linux admins@ad.dlink" -> "ad_la_ext" -> "ad_la"
"linux users@ad.dlink" -> "ad_lu_ext" -> "ad_lu"

So "user2@ad.dlink", when logged in to an ipa-client, becomes a member of the "ad_lu" posix group, and "user3@ad.dlink" becomes a member of both the "ad_la" and "ad_lu" groups.

That works as intended for sssd 1.9+ clients, but not for legacy clients.

Steps to reproduce:

1. Install RHEL5 (RHEL5.1 in my case, but I tried other 5.x releases as well)
2. Run ipa-advise config-redhat-nss-ldap on the IPA trust controller
3. Log in to RHEL5 as root and configure it with the shell script obtained in step 2
4. Reset the compat LDAP cache by issuing "systemctl restart dirsrv.target" on the IPA server (trust controller)
5. Print the user identities (or just log in as the user) on the legacy client in the following order: user2@ad.dlink, then user3@ad.dlink
[root@rhel51 ~]# id user2@ad.dlink
uid=1777801107(user2@ad.dlink) gid=1777801107(user2@ad.dlink) groups=1777801107(user2@ad.dlink),120000003(ad_lu),1777801104(linux users@ad.dlink),1777800513(domain users@ad.dlink) context=root:system_r:unconfined_t:SystemLow-SystemHigh
[root@rhel51 ~]# id user3@ad.dlink
uid=1777801108(user3@ad.dlink) gid=1777801108(user3@ad.dlink) groups=1777801108(user3@ad.dlink),120000003(ad_lu),1777801104(linux users@ad.dlink),1777800513(domain users@ad.dlink) context=root:system_r:unconfined_t:SystemLow-SystemHigh

As you can see, "user3@ad.dlink" is missing the "ad_la" and "linux admins@ad.dlink" group memberships!

Now reset the compat LDAP cache with "systemctl restart dirsrv.target" again and print the identities on the legacy client in the opposite order: user3@ad.dlink, then user2@ad.dlink
[root@rhel51 ~]# id user3@ad.dlink
uid=1777801108(user3@ad.dlink) gid=1777801108(user3@ad.dlink) groups=1777801108(user3@ad.dlink),120000003(ad_lu),120000004(ad_la),1777801104(linux users@ad.dlink),1777801105(linux admins@ad.dlink),1777800513(domain users@ad.dlink) context=root:system_r:unconfined_t:SystemLow-SystemHigh
[root@rhel51 ~]# id user2@ad.dlink
uid=1777801107(user2@ad.dlink) gid=1777801107(user2@ad.dlink) groups=1777801107(user2@ad.dlink),120000003(ad_lu),1777801104(linux users@ad.dlink),1777800513(domain users@ad.dlink) context=root:system_r:unconfined_t:SystemLow-SystemHigh

Voila, "user3@ad.dlink" is a member of the "ad_la" and "linux admins@ad.dlink" groups now!

So it seems that the external member -> posix IPA group relations are cached for the first user who logs in (or is queried with the id command) on the legacy client after a compat-cache reset, and these relations are not updated when other users log in.

Also, it is interesting that two objects with the same DN but different objectClass, memberUid and ipaAnchorUUID values can be found in the compat LDAP tree after the first login or execution of id:

[root@idm1 ~]# ldapsearch -Wx -D "cn=Directory manager" -b "cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ad_lu, groups, compat, ipa.dlink
dn: cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink
objectClass: ipaOverrideTarget
objectClass: posixGroup
objectClass: top
gidNumber: 120000003
memberUid: user6@child.ad.dlink
memberUid: user7@child.ad.dlink
memberUid: user8@child.ad.dlink
memberUid: user5@child.ad.dlink
memberUid: admin
memberUid: user4@ad.dlink
memberUid: user9@child.ad.dlink
memberUid: user2@ad.dlink
memberUid: user3@ad.dlink
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yNjgxMjU4MTQxLTE0MzYzMzM2NTUtOTY0MTEzOTI0LT
 EwMDM=
cn: ad_lu

# ad_lu, groups, compat, ipa.dlink
dn: cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink
ipaAnchorUUID:: OklQQTppcGEuZGxpbms6ZGJhZDgyNDgtZDMxOS0xMWU1LTk0MTAtMDgwMDI3Yj
 E3NmNk
gidNumber: 120000003
memberUid: admin
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
cn: ad_lu

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

P.S. I use a CA-less setup with external DNS servers.

--
Vladimir Kondratyev
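An added diagnostic, written for this page and not code from the original poster or from the FreeIPA project: it parses the ldapsearch LDIF output quoted above (folded continuation lines and base64 "::" values included), reports every DN the compat tree returned more than once together with how the copies' memberUid sets and ipaAnchorUUID values differ, and diffs the group lists from the two id runs. The sample input is the post's own ldapsearch and id output embedded as constants; all function names are my own. Decoding the two ipaAnchorUUID values shows that one copy of cn=ad_lu is anchored to an AD SID and the other to an IPA UUID, which the raw base64 in the post hides.

```python
import base64
import re
from collections import defaultdict

# Constructed sample input: the two entries ldapsearch returned for one DN in
# the post above, kept in LDIF form (folded continuation lines, '::' base64).
SAMPLE_LDIF = """\
# ad_lu, groups, compat, ipa.dlink
dn: cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink
objectClass: ipaOverrideTarget
objectClass: posixGroup
objectClass: top
gidNumber: 120000003
memberUid: user6@child.ad.dlink
memberUid: user7@child.ad.dlink
memberUid: user8@child.ad.dlink
memberUid: user5@child.ad.dlink
memberUid: admin
memberUid: user4@ad.dlink
memberUid: user9@child.ad.dlink
memberUid: user2@ad.dlink
memberUid: user3@ad.dlink
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yNjgxMjU4MTQxLTE0MzYzMzM2NTUtOTY0MTEzOTI0LT
 EwMDM=
cn: ad_lu

dn: cn=ad_lu,cn=groups,cn=compat,dc=ipa,dc=dlink
ipaAnchorUUID:: OklQQTppcGEuZGxpbms6ZGJhZDgyNDgtZDMxOS0xMWU1LTk0MTAtMDgwMDI3Yj
 E3NmNk
gidNumber: 120000003
memberUid: admin
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
cn: ad_lu

result: 0 Success
"""
# Constructed sample: `id user3@ad.dlink` from the post's first run (user2
# queried first after the cache reset) and second run (user3 queried first).
ID_USER3_RUN1 = ("uid=1777801108(user3@ad.dlink) gid=1777801108(user3@ad.dlink) groups=1777801108(user3@ad.dlink),120000003(ad_lu),"
                 "1777801104(linux users@ad.dlink),1777800513(domain users@ad.dlink) context=root:system_r:unconfined_t:SystemLow-SystemHigh")
ID_USER3_RUN2 = ("uid=1777801108(user3@ad.dlink) gid=1777801108(user3@ad.dlink) groups=1777801108(user3@ad.dlink),120000003(ad_lu),120000004(ad_la),"
                 "1777801104(linux users@ad.dlink),1777801105(linux admins@ad.dlink),1777800513(domain users@ad.dlink) context=root:system_r:unconfined_t:SystemLow-SystemHigh")


def unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """[(dn, {attr: [values]})]; skips comments and records with no dn (the
    trailing result: line); '::' values are base64-decoded."""
    records, attrs = [], defaultdict(list)
    for line in unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in attrs:
                records.append((attrs["dn"][0], dict(attrs)))
            attrs = defaultdict(list)
            continue
        name, _, rest = line.partition(":")
        value = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                 if rest.startswith(":") else rest.strip())
        attrs[name].append(value)
    return records


def duplicate_dn_report(records):
    """For every (case-folded) DN returned more than once: the decoded anchor of
    each copy, the memberUid values all copies share, and each copy's own."""
    by_dn = defaultdict(list)
    for dn, attrs in records:
        by_dn[dn.lower()].append(attrs)
    report = {}
    for dn, ents in by_dn.items():
        if len(ents) < 2:
            continue
        members = [set(e.get("memberUid", [])) for e in ents]
        common = set.intersection(*members)
        report[dn] = {"anchors": [e.get("ipaAnchorUUID", [None])[0] for e in ents],
                      "common": sorted(common),
                      "only_in": [sorted(m - common) for m in members]}
    return report


def id_groups(id_line):
    """Map group name -> gid from the groups= field of an `id` line; names may
    contain spaces ('domain users@ad.dlink'), so match gid(name) pairs instead."""
    field = id_line.split("groups=", 1)[1].split(" context=", 1)[0]
    return {name: int(gid) for gid, name in re.findall(r"(\d+)\(([^)]*)\)", field)}


def missing_groups(before, after):
    """Group names present in the second `id` output but absent from the first."""
    return sorted(set(id_groups(after)) - set(id_groups(before)))


if __name__ == "__main__":
    print(duplicate_dn_report(parse_ldif(SAMPLE_LDIF)))
    print(missing_groups(ID_USER3_RUN1, ID_USER3_RUN2))
```

Pipe a real ldapsearch run into parse_ldif instead of SAMPLE_LDIF to check a live compat tree; any DN that shows up in the report with differing anchors is the situation the post describes.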
