I’m working on bringing my 100+ servers under FreeIPA, i.e. a centralized identity management system. Since FreeIPA is the upstream project for Red Hat Identity Management (IDM), I added that to the title.
Enrolling a server as a FreeIPA client is straightforward. Run ipa-client-install, check the discovered hostname, realm and server before answering yes, and supply credentials for an account that is allowed to enroll hosts. (I used admin here; for a large rollout a one-time enrollment password per host, generated with ipa host-add --random and consumed with ipa-client-install --password, avoids typing the admin password on 100+ machines.)

# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: bldr0cuomshift.internal.pri
Realm: INTERNAL.PRI
DNS Domain: internal.pri
IPA Server: lnmt1cuomifidm1.internal.pri
BaseDN: dc=internal,dc=pri

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@INTERNAL.PRI:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=INTERNAL.PRI
    Issuer:      CN=Certificate Authority,O=INTERNAL.PRI
    Valid From:  2020-06-27 03:52:06
    Valid Until: 2040-06-27 03:52:06

Enrolled in IPA realm INTERNAL.PRI
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm INTERNAL.PRI
trying https://lnmt1cuomifidm1.internal.pri/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://lnmt1cuomifidm1.internal.pri/ipa/json'
trying https://lnmt1cuomifidm1.internal.pri/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://lnmt1cuomifidm1.internal.pri/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://lnmt1cuomifidm1.internal.pri/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://lnmt1cuomifidm1.internal.pri/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring internal.pri as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Note the "Could not update DNS SSHFP records" line: the host's SSH public keys were uploaded to IPA, but the SSHFP records were not written to DNS, so SSH host-key verification via DNS will not work for this host until that is resolved.
Then I migrate each server's local accounts over to their IDM equivalents. This has worked fine on CentOS 7 and Red Hat 7. The script I use relies on:
# getent -s sss passwd [account]
On CentOS 7 this returns an entry only for accounts served by sssd, that is, accounts managed in IDM. If the lookup succeeds, the script changes the user and group ownership of everything the local account owns to the IDM UID and GID, then removes the local account.
The issue: on CentOS 8 (and, I assume, Red Hat 8) the same command also returns local, non-IDM accounts. That is unexpected and breaks my script. It is not a show-stopper, but it would mean manually identifying local users and confirming they exist in IDM before converting them. Worse, the script deletes the local user once the ownership changes are done, which causes real problems if the account it deletes is a local-only user with no IDM counterpart.
# getent -s sss passwd bin
bin:x:1:1:bin:/bin:/sbin/nologin
This is the unexpected part. On CentOS 7 the command returns nothing for bin; on CentOS 8 it returns the local bin entry.
What changed is sssd's default behavior. sssd can serve the contents of /etc/passwd and /etc/group itself through an implicit "files" domain, controlled by the enable_files_domain option in the [sssd] section of /etc/sssd/sssd.conf. On CentOS 7 that option defaults to false; on CentOS 8 the default is now true. With it enabled, local accounts are also served (and cached) by sssd, so they come back from a getent query that is restricted to the sss source. The fix for my purposes is to set enable_files_domain = false in the [sssd] section and restart sssd, which puts local accounts back under the files NSS source only, as on CentOS 7.
After setting enable_files_domain = false and restarting sssd, the lookup behaves as expected and returns nothing for a local account:

# getent -s sss passwd bin
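Relying on a single getent -s sss lookup is fragile when the files domain may or may not be on. The script below is an added example, not the post's own migration script: it queries the files and sss sources separately and classifies the account before anything is chowned or deleted, so a local-only user is never removed and an sss entry that merely echoes /etc/passwd is flagged instead of trusted. The function names, the classification labels, the sample passwd lines and the sample sssd.conf fragments are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a
# local-to-IDM account migration that stay correct whether or not sssd's
# files domain is enabled. Helper names and sample data are assumptions.

# Report whether sssd will serve /etc/passwd itself. Reads sssd.conf on stdin.
# Exit 0 = files domain enabled (explicitly, or by the CentOS 8 default when
# the key is absent from [sssd]); exit 1 = explicitly disabled.
files_domain_enabled() {
    awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[^A-Za-z0-9_]/, "", sect) }
        sect == "sssd" && $1 ~ /^enable_files_domain/ {
            split($0, kv, "="); val = tolower(kv[2]); gsub(/[ \t]/, "", val)
        }
        END { exit ((val == "false") ? 1 : 0) }
    '
}

# Classify one account from its files and sss passwd entries (each argument
# is the getent line, or empty when that source had no entry). Prints:
#   none        unknown to both sources, nothing to do
#   idm-only    served by sssd only, already migrated
#   local-only  in /etc/passwd only, NOT in IDM: never delete this one
#   ambiguous   both sources return the same UID: sss is just echoing
#               /etc/passwd through its files domain, so IDM membership is
#               unknown; disable enable_files_domain (or use a qualified
#               lookup) and re-check before acting
#   migrate     local and IDM entries with different UIDs: safe to re-own
#               files to the IDM IDs and then remove the local account
classify_account() {
    files_line=$1
    sss_line=$2
    if [ -n "$files_line" ] && [ -n "$sss_line" ]; then
        files_uid=$(printf '%s\n' "$files_line" | cut -d: -f3)
        sss_uid=$(printf '%s\n' "$sss_line" | cut -d: -f3)
        if [ "$files_uid" = "$sss_uid" ]; then
            echo ambiguous
        else
            echo migrate
        fi
    elif [ -n "$files_line" ]; then
        echo local-only
    elif [ -n "$sss_line" ]; then
        echo idm-only
    else
        echo none
    fi
}

# Live check on a real host: query each NSS source on its own and classify.
# Usage: check_account <name>
check_account() {
    classify_account \
        "$(getent -s files passwd "$1" 2>/dev/null)" \
        "$(getent -s sss passwd "$1" 2>/dev/null)"
}

# Re-own everything the local UID/GID owns to the IDM UID/GID on local
# filesystems (-xdev skips NFS and other mounts). Only for 'migrate' results.
# Usage: migrate_ownership <old_uid> <old_gid> <new_uid> <new_gid>
migrate_ownership() {
    find / -xdev -uid "$1" -exec chown -h "$3" {} +
    find / -xdev -gid "$2" -exec chgrp -h "$4" {} +
}

# Typical use on an enrolled host (assumed account name):
#   files_domain_enabled < /etc/sssd/sssd.conf && echo "files domain is on"
#   case "$(check_account bob)" in
#       migrate) migrate_ownership 1001 1001 12345 12345 && userdel bob ;;
#       *)       echo "not migrating bob" ;;
#   esac
```

The "ambiguous" case is the CentOS 8 trap described above: getent -s sss returning bin does not prove bin is in IDM. Either disable the files domain as in the post, or (an option I have not relied on here, noted as an assumption) query the IPA domain by fully qualified name, e.g. getent -s sss passwd bob@internal.pri, which sssd resolves against that domain rather than the files domain.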
With that fixed, I can continue adding servers to IDM.