I’m working on bringing my 100+ servers under FreeIPA, aka a centralized Identity Management system. Since FreeIPA is an upstream source for Red Hat IDM, I added it to the title.
Installing the FreeIPA client on servers is dead simple. Run ipa-client-install, confirm the discovered values, and supply the enrollment credentials:
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Discovery was successful!
Client hostname: bldr0cuomshift.internal.pri
DNS Domain: internal.pri
IPA Server: lnmt1cuomifidm1.internal.pri
Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@INTERNAL.PRI:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=INTERNAL.PRI
Issuer: CN=Certificate Authority,O=INTERNAL.PRI
Valid From: 2020-06-27 03:52:06
Valid Until: 2040-06-27 03:52:06
Enrolled in IPA realm INTERNAL.PRI
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/krb5.conf for IPA realm INTERNAL.PRI
[try 1]: Forwarding 'schema' to json server 'https://lnmt1cuomifidm1.internal.pri/ipa/json'
[try 1]: Forwarding 'ping' to json server 'https://lnmt1cuomifidm1.internal.pri/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://lnmt1cuomifidm1.internal.pri/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://lnmt1cuomifidm1.internal.pri/ipa/session/json'
Could not update DNS SSHFP records.
Configuring internal.pri as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Then I migrate local accounts over to use IDM instead. This has been working just fine on CentOS and Red Hat 7. The script I use runs:
# getent -s sss passwd [account]
This returns only accounts that are managed in IDM, so I can then change the user and group ownership of the files the local account owns.
There is an issue, though. With CentOS 8 (and, I assume, Red Hat 8) the command also returns local, non-IDM accounts. This is unexpected and breaks my script. Not a killer, of course, but it means I would have to manually identify local users and make sure they're in IDM before trying to convert them. And because the script deletes the local user, it causes other problems if it deletes a non-IDM local user.
# getent -s sss passwd bin
This is unexpected behavior. On CentOS 7 this returns nothing, but on CentOS 8 it returns the bin entry.
What happened is that the sssd behavior changed. The enable_files_domain option in the [sssd] section of /etc/sssd/sssd.conf defaults to false on CentOS 7, but on CentOS 8 the default is now true. This means local accounts are also cached by sssd and are returned when querying with getent -s sss.
After setting enable_files_domain to false, the query returns nothing, as expected:
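As an added example (not the script from this post), the following POSIX sh pre-migration check does two things: it reports the enable_files_domain value found in the [sssd] section of sssd.conf, and it classifies an account as local, IDM-managed, or unknown by cross-checking the local passwd file rather than trusting getent -s sss alone, so a local user can never be mistaken for an IDM user and deleted. The PASSWD_FILE and SSSD_CONF variables, the function names, the DRY_RUN switch and the find/chown re-owning commands are this example's own choices; the sssd.conf parsing assumes the usual ini-style key = value layout.

```shell
#!/bin/sh
# Added example, not the original post's migration script.
# Guards against CentOS 8's enable_files_domain = true default, where
# "getent -s sss passwd <user>" also answers for local /etc/passwd users.

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"          # assumption: local account source
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"      # assumption: sssd config path

# Print the enable_files_domain value from the [sssd] section: "true", "false",
# "unset" (the distro default then applies: false on CentOS 7, true on CentOS 8)
# or "unreadable" (sssd.conf is normally root-only).
enable_files_domain_setting() {
    conf="${1:-$SSSD_CONF}"
    [ -r "$conf" ] || { echo unreadable; return 1; }
    awk -F= '
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/); next }
        in_sssd && $1 ~ /^[[:space:]]*enable_files_domain[[:space:]]*$/ {
            v = $2; gsub(/[[:space:]]/, "", v); print tolower(v); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$conf"
}

# Return 0 if the account has an entry in the local passwd file (exact name match).
is_local_account() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# Return 0 if sssd resolves the account. On CentOS 8 this alone is NOT proof
# that the account lives in IDM, which is exactly the problem described above.
sss_resolves() {
    getent -s sss passwd "$1" >/dev/null 2>&1
}

# Print "local", "idm", "unknown" or "error". The optional second argument names
# the resolver function so the sssd lookup can be substituted in tests.
classify_account() {
    acct="$1"; resolver="${2:-sss_resolves}"
    [ -r "$PASSWD_FILE" ] || { echo error; return 1; }
    if is_local_account "$acct"; then
        echo local      # still in the passwd file: never delete, migrate first
    elif "$resolver" "$acct"; then
        echo idm        # resolvable only through sssd: genuinely IDM-managed
    else
        echo unknown
    fi
}

# Print the commands that move an account's files from its local UID/GID to
# its IDM UID/GID (numeric, so name resolution order cannot bite). They are
# only executed when DRY_RUN=0.
plan_reown() {
    old_uid="$1"; new_uid="$2"; old_gid="$3"; new_gid="$4"
    cmd_u="find / -xdev -uid $old_uid -exec chown -h $new_uid {} +"
    cmd_g="find / -xdev -gid $old_gid -exec chgrp -h $new_gid {} +"
    printf '%s\n%s\n' "$cmd_u" "$cmd_g"
    if [ "${DRY_RUN:-1}" = 0 ]; then
        sh -c "$cmd_u" && sh -c "$cmd_g"
    fi
}

# Usage: sh idm-precheck.sh alice bob   (one classification line per account)
if [ "$#" -gt 0 ]; then
    printf 'enable_files_domain in %s: %s\n' "$SSSD_CONF" "$(enable_files_domain_setting)"
    for acct; do
        printf '%s\t%s\n' "$acct" "$(classify_account "$acct")"
    done
fi
```

Run it as root (sssd.conf is root-readable) with the account names the migration script is about to touch; anything reported as local is skipped, and plan_reown is left in dry-run mode until the printed find/chown commands have been reviewed.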
# getent -s sss passwd bin
Then I continue adding servers to IDM.