On ma, 29 huhti 2019, John Desantis wrote:
Alexander,
>Yes, the group was created within the IPA domain via the cli, and this
>error is only manifest in the client log. However, the GID of the
>group (10001) is supplied via the AD trust using the POSIX range.
That isn't going to work at all.
For IPA groups POSIX IDs should be in IPA LDAP. You cannot have a
non-POSIX group in IPA and POSIX ID supplied from AD LDAP.
Alright. So, do you recommend deleting the trust and re-creating it
without "--range-type=ipa-ad-trust-posix"?
I'm not saying about that at all.
Can you show output of
ipa group-show --all --raw adglobalposixgroup
From your explanation adglobalposixgroup is not a normal group in IPA.
Otherwise, sidgen plugin wouldn't have those issues. This is what I'm
pointing out -- having a split-brain situation is not expected and not
supported by SSSD in this way. "This way" - how we understood your
situation from your description above.
I'm not sure how you created the group because it would have been enough
to do
ipa group-add adglobalposixgroup --gid 10001
to create a proper POSIX group in IPA with a required GID instead of
auto-generated one.
As to your question of 'why', SSSD on IPA masters runs in a special
mode that assumes many specific settings different from IPA clients
because it needs to talk to AD DCs and resolve some other details which
aren't done at all on IPA clients.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
