[Freeipa-users] it's a weird one - how AD users get into IPA ?

lejeczek peljasz at yahoo.co.uk
Mon Jun 20 15:30:42 UTC 2016 


On 10/06/16 11:23, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, lejeczek wrote:
>> On Fri, 2016-06-10 at 11:01 +0200, Jakub Hrozek wrote:
>>> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
>>> > hi everyone
>>> >
>>> > there is a master IPA which in some weird way puts AD 
>>> users into
>>> > its ldap
>>> > catalog. I say weird cause there is no trust nor other 
>>> sync
>>> > established,
>>> > there was a trust agreement, one way type, but now 
>>> 'trust-find'
>>> > shows
>>> > nothing, that trust was removed.
>>> >
>>> > but still when I create a user @AD DS a second later I 
>>> see it in
>>> > IPA's ldap,
>>> > eg.
>>> >
>>> > dn: 
>>> uid=ccnrtest at ccnr.aaa.private.dom,cn=users,cn=compat,dc=private 
>>>
>>> > ,dc=c
>>> >  cnr,dc=aaa,dc=private,dc=dom
>>> >
>>> > how to trace the culprit config responsible for this?
>>>
>>> Check the DN, this is not the IPA tree (cn=account), but 
>>> the compat
>>> tree
>>> (cn=compat) populated by the slapi-nis plugin. The 
>>> intent is to make
>>> the
>>> AD users available to non-SSSD clients that can only use 
>>> LDAP as an
>>> interface.
>>>
>> any chance this plugin gets included without user/admin 
>> intention, eg.
>> during migrate-ds ?
> The slapi-nis plugin is enabled by default when IPA is 
> installed because
> ou=sudoers tree is emulated by the slapi-nis.
>
>> is ipa toolkit or I have to go directly to ldap to 
>> de/activate
>> plugin(s) ?
> See ipa-compat-manage
>
I've set up another replica, configuration on sssd and kdc 
site virtually identical, nsswith too, ipa-compat-manage 
etc. No trusts traces on both ends.
Master still(after reboot and sss_cache cleanup) receives, 
or rather pulls AD's users, whereas replica(s) don't.
This is hilarious, but how is this possible?
I add a user @AD DC and on master I ldapsearch and first few 
lines are:

dn: cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: extensibleObject
cn: compat

dn: 
cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: extensibleObject
cn: users

dn: 
uid=bootccnr at ccnr.priv.my.dom.local,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: ccnr boot
gidNumber: 1952400513
gecos: ccnr boot
ipaAnchorUUID:: 
OlNJRDpTLTEtNS0yMS0xMTQ0OTE1MDkxLTIyNTIxNzUyMTUtNzAyNTMwMDMyLT
  ExMzQ=
uidNumber: 1952401134
loginShell: /bin/bash
homeDirectory: /home/bootccnr at ccnr.priv.my.dom.local
uid: bootccnr at ccnr.priv.my.dom.local

dn: 
uid=testccnr at ccnr.priv.my.dom.local,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: ccnr tester
gidNumber: 1952400513
gecos: ccnr tester
ipaAnchorUUID:: 
OlNJRDpTLTEtNS0yMS0xMTQ0OTE1MDkxLTIyNTIxNzUyMTUtNzAyNTMwMDMyLT
  ExMzM=
uidNumber: 1952401133
loginShell: /bin/bash
homeDirectory: /home/testccnr at ccnr.priv.my.dom.local
uid: testccnr at ccnr.priv.my.dom.local

could it be that "compat" part happens only on master? I 
mean - should only happen on master?(even though replicas 
use ipa-compat-manage)
regards,
L.

More information about the Freeipa-users mailing list