[Freeipa-users] it's a weird one - how AD users get into IPA ?

lejeczek peljasz at yahoo.co.uk
Fri Jun 10 14:15:08 UTC 2016


On Fri, 2016-06-10 at 15:34 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, lejeczek wrote:
> > On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> > > On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > > > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > > > hi everyone
> > > > > 
> > > > > there is a master IPA which in some weird way puts AD users into its ldap
> > > > > catalog. I say weird cause there is no trust nor other sync established,
> > > > > there was a trust agreement, one way type, but now 'trust-find' shows
> > > > > nothing, that trust was removed.
> > > > > 
> > > > > but still when I create a user @AD DS a second later I see it in
> > > > > IPA's ldap, eg.
> > > > > 
> > > > > dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > > > > 
> > > > > how to trace the culprit config responsible for this?
> > > > 
> > > > Check the DN, this is not the IPA tree (cn=accounts), but the compat
> > > > tree (cn=compat) populated by the slapi-nis plugin. The intent is to
> > > > make the AD users available to non-SSSD clients that can only use LDAP
> > > > as an interface.
> > > 
> > > Yes. If you enabled slapi-nis on IPA master but didn't establish an
> > > actual trust to AD and instead added an SSSD configuration to look up AD
> > > users directly, then slapi-nis will happily ask SSSD for whatever users
> > > with @ in the name were requested by the LDAP clients and SSSD would
> > > look them up in AD.
> > but would entries from AD wind up in IPA's ldap?
> > I'm poking around and still am puzzled, I believe I've enabled nis on a
> > replica but it's not doing it there, those AD users are not in the IPA
> > replica ldap whereas they exist on the master.
> They wouldn't be in LDAP tree.
> 
> cn=compat is purely virtual and is not replicated. The tree is populated
> on demand and if your replica is configured differently to the master
> w.r.t. AD trust or SSSD, you'll get different results.
so it's square one then, I forget IPA replicas for now, only master,
while I'm looking at
https://git.fedorahosted.org/cgit/slapi-nis.git/plain/doc/nis-getting-started.txt
before I use ipa-compat-manage (to disable, to test) - where in the ldap
config (or anywhere) does it say this plugin is on & working so I can be
sure?
And flat configs for sssd & krb are virtually identical on both IPA
master & replica, I just copied those manually to be sure, the replica
still has no AD user entries.
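Added example, not from any message in this thread: a small checker that reads the slapi-nis plugin configuration (as returned by ldapsearch under cn=config) and reports whether the Schema Compatibility plugin is enabled and whether its cn=users/cn=groups containers are set to fall back to nsswitch (SSSD), which is the setting that lets AD users show up under cn=compat; it also classifies a DN as compat-tree or accounts-tree. The LDIF and DNs below are constructed for the example; the attribute names nsslapd-pluginEnabled and schema-compat-lookup-nsswitch are the real ones, the ldapsearch command in the docstring is an assumed invocation.

```python
import re

# Constructed sample, shaped like the output of (assumed invocation):
#   ldapsearch -LLL -D "cn=Directory Manager" -W \
#     -b "cn=Schema Compatibility,cn=plugins,cn=config"
# Plugin is on and cn=users consults nsswitch, i.e. SSSD.
SAMPLE_LDIF = """\
dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-lookup-nsswitch: user

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
"""

PLUGIN_DN = "cn=schema compatibility,cn=plugins,cn=config"


def parse_ldif(text):
    """Minimal LDIF parser: list of {attr: [values]} per entry (folded lines joined)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:   # LDIF continuation line
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = {}
        for line in lines:
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append(attrs)
    return entries


def compat_status(ldif_text):
    """Return (plugin_enabled, set of map types that fall back to nsswitch)."""
    enabled, via_nsswitch = False, set()
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0].lower()
        if dn == PLUGIN_DN:
            enabled = entry.get("nsslapd-pluginenabled", ["off"])[0].lower() == "on"
        for value in entry.get("schema-compat-lookup-nsswitch", []):
            via_nsswitch.add(value.lower())
    return enabled, via_nsswitch


def tree_of(dn):
    """'compat' if the DN lives under cn=compat, 'accounts' under cn=accounts, else 'other'."""
    rdns = [r.strip().lower() for r in dn.split(",")]
    return "compat" if "cn=compat" in rdns else "accounts" if "cn=accounts" in rdns else "other"
```

With the sample, compat_status reports the plugin on with users looked up through nsswitch; if it reports the plugin off but the DN still classifies as compat, the entry was read from a different server than the one checked.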
