[Freeipa-users] it's a weird one - how AD users get into IPA ?

Fri Jun 10 11:05:50 UTC 2016

On Fri, 2016-06-10 at 13:24 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, lejeczek wrote:
> > On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> > > On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > > > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > > > hi everyone
> > > > > 
> > > > > there is a master IPA which in some weird way puts AD users
> > > > > into
> > > > > its ldap
> > > > > catalog. I say weird cause there is no trust nor other sync
> > > > > established,
> > > > > there was a trust agreement, one way type, but now 'trust-
> > > > > find'
> > > > > shows
> > > > > nothing, that trust was removed.
> > > > > 
> > > > > but still when I create a user @AD DS a second later I see it
> > > > > in
> > > > > IPA's ldap,
> > > > > eg.
> > > > > 
> > > > > dn: uid=ccnrtest at ccnr.aaa.private.dom,cn=users,cn=compat,dc=p
> > > > > riva
> > > > > te,dc=c
> > > > >  cnr,dc=aaa,dc=private,dc=dom
> > > > > 
> > > > > how to trace the culprit config responsible for this?
> > > > 
> > > > Check the DN, this is not the IPA tree (cn=account), but the
> > > > compat
> > > > tree
> > > > (cn=compat) populated by the slapi-nis plugin. The intent is to
> > > > make the
> > > > AD users available to non-SSSD clients that can only use LDAP
> > > > as an
> > > > interface.
> > > 
> > > Yes. If you enabled slapi-nis on IPA master but didn't establish
> > > actual
> > > trust to AD and instead added an SSSD configuration to lookup AD
> > > users
> > > directly, then slapi-nis will happily ask SSSD for whatever users
> > > with @
> > > in the name were requested by the LDAP clients and SSSD would
> > > look
> > > them
> > > up in AD.
> > > 
> > > Not sure how useful is that at all but yes, this is a side-effect 
> > > of
> > > slapi-nis features.
> > > 
> > this is very freaking useful :) I was wondering how to get my
> > radius
> > there... and, ups, just like that, it was there, so thanks!
> There are no passwords in that tree.
maybe it's not slapi-nis then? radius definitely works and
checks/validates passwords.
I'm looking at https://docs.fedoraproject.org/en-US/Fedora/17/html/Free
IPA_Guide/migrating-from-nis.html trying to have this working on a
replica now and I think it could have not been nis plugin. Having it
enabled first IPA fails to start for 587 is already in use and master
IPA also uses that port, also master does not show ypserv in rpcinfo.
How to be 100% sure it's slapi-nis ? And if it is not then what else
gets those AD users?
many thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160610/2611b66b/attachment.htm>