Freeipa getent group does not list sss groups, however getent -s sss group <freeipa group> does
Posted by kevdogger@reddit | linuxadmin | 8 comments
abismahl@reddit
Enumerating groups in AD/IPA providers is disabled by default (and is going to be removed in further SSSD versions), as described in the SSSD 2.10.0 release notes: https://sssd.io/release-notes/sssd-2.10.0.html
It should be showing IPA groups if you explicitly ask for them, as your second example shows.
kevdogger@reddit (OP)
I read your link. Helpful and informative. Do you know how you would enable IPA group enumeration? For me, setting enumerate = true in sssd.conf doesn't work. Is there another setting server-side on FreeIPA to make this work?
abismahl@reddit
The release page says "Those who are interested to keep using it awhile should configure its build explicitly using --with-extended-enumeration-support ./configure option." So it is a compile-time package option, not a configuration option anymore. As far as I see, Fedora builds already disable it.
kevdogger@reddit (OP)
OK great. If it is indeed the sssd package, the Debian and Arch sssd packages, as well as Fedora's, must have disabled it by default too, since those are my testing systems and none of them will enumerate. So I guess, as a workaround on machines I have enrolled on the IPA server, I'll do a kinit to obtain the Kerberos token and then ipa group-find to list the IPA groups. Not as easy as the old getent method, particularly if you forget the IPA group, but a doable workaround, I suppose. Thanks for pointing me in the right direction.
abismahl@reddit
Yep, if you just need to list the groups and there aren't many of them, using IPA tools should work.
kevdogger@reddit (OP)
Any other tools I should be aware of? I'm kinda new to using domain identification systems.
hortimech@reddit
I do not use either FreeIPA or sssd, but seeing as sssd is heavily based on winbind, I am willing to bet that sssd has a parameter to turn this on. You can set 'winbind enum users = yes' and 'winbind enum groups = yes' in the Samba smb.conf file; this makes 'getent passwd' return all users and 'getent group' return all groups. Try checking the sssd documentation for similar parameters.
However, unless you only have a small number of users and groups, I would not do this; it will cause sssd to enumerate all users and groups, and this could slow things down.
kevdogger@reddit (OP)
It's just for a home lab. I'm talking maybe 10 users. I'll see what I can come up with. FreeIPA documentation leaves a lot to be desired.