Background - stupidly large AD domain with 30,000 plus groups. It is a forest with a number of legacy domains that are not relevant to our authentication on Linux, but the AD admins don't want to allow us to mess with their schema, so we still use group membership to manage sudo.
We're also attempting to align with Windows through use of nested groups to fit in with enterprise preference for RBAC.
It's complicated and there's no resourcing to put in place an IPA service which would help.
Anyway these are the relevant config elements:
id_provider = ad
auth_provider = ad
access_provider = ad
subdomains_provider = none
enumerate = true
ignore_group_members = true
cache_credentials = true
ldap_id_mapping = true
ldap_schema = ad
(I can provide the full config if requested.) We had gone to full enumeration and ignore_group_members to ensure that the groups that provide sudo access are available without ridiculous CPU utilisation, and it was working, but we hit this apparent issue:
[sssd[be[ourdomain.xxx.xxx]]] [ad_enum_cross_dom_members] (0x0080): Failed to add [CN=RG-Ourcompany-Ops-3rd Party-Data\#3-G,OU=CenITex,OU=Operations Roles,OU=Delegated Groups,OU= Infrastructure Security,DC=ourcompany,DC=xxx,DC=xxx,,DC=xx]: Input/output error
I can raise a bug report if it's clear that this is the issue.
The symptom is that group enumeration, which was comprehensive, now seems to stop abruptly.
Cheers
Craig Silva
Craig Silva | Specialist Engineer - Unix Services - Servers, Storage and IDAM
Cenitex | Level 15, 80 Collins Street, Melbourne 3000
ph: 03-8688-1297 mob: 0429 365 609 | www.cenitex.vic.gov.au
This office is located on the land of the Traditional Owners of the Kulin Nation.
---------------------------------------------------------------------- Notice:
This email and any attachments may contain information that is personal, confidential, legally privileged and/or copyright. No part of it should be reproduced, adapted or communicated without the prior written consent of the copyright owner.
It is the responsibility of the recipient to check for and remove viruses.
If you have received this email in error, please notify the sender by return email, delete it from your system and destroy any copies. You are not authorised to use, communicate or rely on the information contained in this email.
Please consider the environment before printing this email.
On Mon, Jun 04, 2018 at 05:33:28AM +0000, Craig H Silva (Cenitex) via FreeIPA-users wrote:
> Background - stupidly large AD domain with 30,000 plus groups. It is a forest with a number of legacy domains that are not relevant to our authentication on Linux but the AD admins don't want to allow us to mess with their schema so we still use group membership to manage sudo.
> We're also attempting to align with Windows through use of nested groups to fit in with enterprise preference for RBAC.
> It's complicated and there's no resourcing to put in place an IPA service which would help.
> Anyway these are the relevant config elements:
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> subdomains_provider = none
> enumerate = true
> ignore_group_members = true
> cache_credentials = true
> ldap_id_mapping = true
> ldap_schema = ad
> (I can provide full config if requested). We had gone to full enumeration and ignore_group_members to ensure that the groups that provide sudo access are available without ridiculous cpu utilisation and it was working but hit this apparent issue:
> [sssd[be[ourdomain.xxx.xxx]]] [ad_enum_cross_dom_members] (0x0080): Failed to add [CN=RG-Ourcompany-Ops-3rd Party-Data\#3-G,OU=CenITex,OU=Operations Roles,OU=Delegated Groups,OU= Infrastructure Security,DC=ourcompany,DC=xxx,DC=xxx,,DC=xx]: Input/output error
I guess this issue might be caused by the '#3' part of the DN, which is not properly sanitized for a search.
Is the literal group name 'RG-Ourcompany-Ops-3rd Party-Data#3-G'? I'm asking to see if the '\' was already added to sanitize the original name.
Do you have other groups with similar names which do not trigger this error message?
bye, Sumit
> Can raise a bug report if it's clear that this is the issue.
> Symptom is that group enumeration that was comprehensive, now seems to stop abruptly.
> Cheers
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
Sorry Sumit I missed your reply.
The quick answer is that we changed the name of the group and the literal group name was RG-Ourcompany-Ops-3rd Party-Data#3-G.
It might appear that the \ was added in to sanitize the search by sssd.
Luckily we don't have other groups which use a # character in their name.
Just posted in case it was worthwhile hunting it down.
Craig Silva
-----Original Message-----
From: Sumit Bose via FreeIPA-users [mailto:freeipa-users@lists.fedorahosted.org]
Sent: Monday, 4 June 2018 5:15 PM
To: freeipa-users@lists.fedorahosted.org
Cc: Sumit Bose sbose@redhat.com
Subject: [Freeipa-users] Re: apparent error with ad_enum_cross_dom_members
> On Mon, Jun 04, 2018 at 05:33:28AM +0000, Craig H Silva (Cenitex) via FreeIPA-users wrote:
> > Background - stupidly large AD domain with 30,000 plus groups. It is a forest with a number of legacy domains that are not relevant to our authentication on Linux but the AD admins don't want to allow us to mess with their schema so we still use group membership to manage sudo.
> > We're also attempting to align with Windows through use of nested groups to fit in with enterprise preference for RBAC.
> > It's complicated and there's no resourcing to put in place an IPA service which would help.
> > Anyway these are the relevant config elements:
> > id_provider = ad
> > auth_provider = ad
> > access_provider = ad
> > subdomains_provider = none
> > enumerate = true
> > ignore_group_members = true
> > cache_credentials = true
> > ldap_id_mapping = true
> > ldap_schema = ad
> > (I can provide full config if requested). We had gone to full enumeration and ignore_group_members to ensure that the groups that provide sudo access are available without ridiculous cpu utilisation and it was working but hit this apparent issue:
> > [sssd[be[ourdomain.xxx.xxx]]] [ad_enum_cross_dom_members] (0x0080): Failed to add [CN=RG-Ourcompany-Ops-3rd Party-Data\#3-G,OU=CenITex,OU=Operations Roles,OU=Delegated Groups,OU= Infrastructure Security,DC=ourcompany,DC=xxx,DC=xxx,,DC=xx]: Input/output error
> I guess this issue might be caused by the '#3' part of the DN which is not properly sanitized for a search.
> Is the literal group name 'RG-Ourcompany-Ops-3rd Party-Data#3-G'? I'm asking to see if the '\' was already added to sanitize the original name.
> Do you have other groups with similar name which do not trigger this error message?
> bye, Sumit
> > Can raise a bug report if it's clear that this is the issue.
> > Symptom is that group enumeration that was comprehensive, now seems to stop abruptly.
> > Cheers
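As an added worked example (not from the thread and not sssd's own code), here are the two escaping rules Sumit's hypothesis hinges on: RFC 4514 escaping of a value inside a DN versus RFC 4515 escaping of a value placed into a search filter, applied to the group name Craig confirmed, together with the check Sumit asked for, listing group names that carry characters special in either context. The memberOf attribute and the sample group names are assumptions.

```python
# Added example, not from the thread or from sssd: RFC 4514 (DN) versus
# RFC 4515 (search filter) escaping, applied to the group name from the thread.

# Characters that must be escaped wherever they occur in an RDN value (RFC 4514).
DN_SPECIAL = set(',+"\\<>;')
# Characters special in a DN or in a filter; a group name containing any of
# these is worth auditing, which is the check Sumit asked for.
AUDIT_CHARS = DN_SPECIAL | set('#*()')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4).
    '#' and a space only need escaping at the start (space also at the end)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


# RFC 4515 section 3: these characters must be hex-escaped in an assertion value.
FILTER_ESCAPES = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return ''.join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_filter(group_dn: str) -> str:
    """Filter for members of a group by DN (memberOf is an assumed attribute).
    A backslash that already escapes something in the DN must itself become
    '\\5c' here; sanitizing the value twice, or not at all, breaks the match."""
    return '(memberOf=%s)' % escape_filter_value(group_dn)


def names_needing_audit(names):
    """Return the group names that contain DN- or filter-special characters."""
    return [n for n in names if any(ch in AUDIT_CHARS for ch in n)]


# Constructed sample: the literal name Craig confirmed plus two harmless ones.
SAMPLE_NAMES = ['RG-Ourcompany-Ops-3rd Party-Data#3-G', 'RG-Ops-Unix-G', 'RG-Ops-Storage-G']
```

Note that a '#' in the middle of a CN needs no escaping under RFC 4514, so a backslash appearing before it in a logged DN is a hint that some layer has already sanitized the name once.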