External groups from AD trust fail with "Incomplete group object for ...[0]! Skipping" (although in the logs all members seem to be fetched) - FreeIPA-users - Fedora mailing-lists

16 Aug 2019


      I have an IPA domain (ipa.engr.tamu.edu) that has a one-way trust with an
AD domain (engr.tamu.edu). I've created a POSIX group called 'linux_team'
that contains an external group called 'linux_team_ext', which itself
contains the AD group linux_team@engr.tamu.edu (from the trusted domain).
When I run a 'getent group linux_team', I get nothing back at all. However,
it seems that from the logs it does fetch all of the group members:
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): Added [coe-william.luke@engr.tam
u.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): Added [coe-andrew.eggleston@engr
.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): Added [coe-blake.dworaczyk@engr.
tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): Added [coe-david.miller@engr.tam
u.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): Added [coe-j.polasek@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): Added [coe-matthew.mjelde@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides]
(0x4000): Added [coe-steve.herring@engr.tamu.edu] to [overridememberUid].
Ultimately I see this log entry:
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [nss_get_grent] (0x0040): Incomplete
group object for linux_team@engr.tamu.edu[0]! Skipping
I've tested the trust relationship and it seems to work fine. I've also
added a user override to the 'Default Trust View' and I'm able to fetch the
user without a problem. Everything except for group membership from the
trusted AD domain seems to be working.
Here are the complete logs:
https://drive.google.com/file/d/164_zRBreVtA4P9-MZ0r8MIx-ElFOful-/view?usp=s...
-- 

------------------------------
Blake Dworaczyk
Linux Team Lead
College of Engineering
Texas A&M University