Alexander,

Thanks for your continued support.

> I'm not saying about that at all.
>
> Can you show output of
>
> ipa group-show --all --raw adglobalposixgroup

Sure thing!

PROD:15:13:34-root@ipaserver1:~ # ipa group-show --all --raw adglobalposixgroup
dn: cn=adglobalposixgroup,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
cn: adglobalposixgroup
gidnumber: 10001
ipaUniqueID: 5f5745b4-6a9f-11e9-8213-d4ae52a0e39d
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup

> From your explanation adglobalposixgroup is not a normal group in IPA.
> Otherwise, sidgen plugin wouldn't have those issues. This is what I'm
> pointing out -- having a split-brain situation is not expected and not
> supported by SSSD in this way. "This way" - how we understood your
> situation from your description above.

To clarify, the "adglobalposixgroup" has a GID that is supplied via AD;
it's configured as the GID 10001. When the trust was initially created,
I was able to `getent passwd` and `id` users, but I received an error
message stating that "10001 could not be found". That's the reason that
I created it in IPA.

> I'm not sure how you created the group because it would have been enough
> to do
>
> ipa group-add adglobalposixgroup --gid 10001
>
> to create a proper POSIX group in IPA with a required GID instead of an
> auto-generated one.

This is precisely what I did.

> As to your question of 'why', SSSD on IPA masters runs in a special
> mode that assumes many specific settings different from IPA clients
> because it needs to talk to AD DCs and resolve some other details which
> aren't done at all on IPA clients.

Thank you for explaining that.

John DeSantis

On Mon 29 Apr 2019 at 15:11 Alexander Bokovoy via FreeIPA-users <[email protected]> wrote:
>
> On Mon, 29 Apr 2019, John Desantis wrote:
> >Alexander,
> >
> >> >Yes, the group was created within the IPA domain via the CLI, and this
> >> >error is only manifest in the client log. However, the GID of the
> >> >group (10001) is supplied via the AD trust using the POSIX range.
> >> That isn't going to work at all.
> >>
> >> For IPA groups POSIX IDs should be in IPA LDAP. You cannot have a
> >> non-POSIX group in IPA and POSIX ID supplied from AD LDAP.
> >
> >Alright. So, do you recommend deleting the trust and re-creating it
> >without "--range-type=ipa-ad-trust-posix"?
> I'm not saying about that at all.
>
> Can you show output of
>
> ipa group-show --all --raw adglobalposixgroup
>
> From your explanation adglobalposixgroup is not a normal group in IPA.
> Otherwise, sidgen plugin wouldn't have those issues. This is what I'm
> pointing out -- having a split-brain situation is not expected and not
> supported by SSSD in this way. "This way" - how we understood your
> situation from your description above.
>
> I'm not sure how you created the group because it would have been enough
> to do
>
> ipa group-add adglobalposixgroup --gid 10001
>
> to create a proper POSIX group in IPA with a required GID instead of an
> auto-generated one.
>
> As to your question of 'why', SSSD on IPA masters runs in a special
> mode that assumes many specific settings different from IPA clients
> because it needs to talk to AD DCs and resolve some other details which
> aren't done at all on IPA clients.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
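A check for the split-brain condition Alexander describes (an IPA-local POSIX group whose GID sits inside an ID range of type ipa-ad-trust-posix), added here as an example that is not part of the thread. It parses constructed `ipa group-show --all --raw` and `ipa idrange-find --raw` output; the idrange attribute names (ipabaseid, ipaidrangesize, iparangetype) and the record layout are assumptions about the raw format.

```shell
# Added example: flag an IPA-local POSIX group whose gidnumber lies inside an
# ipa-ad-trust-posix range (the split-brain case SSSD does not support).

# Constructed sample of `ipa group-show --all --raw` (mirrors the thread).
GROUP_RAW='dn: cn=adglobalposixgroup,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
cn: adglobalposixgroup
gidnumber: 10001'

# Constructed `ipa idrange-find --raw` sample; attribute names are assumed.
RANGES_RAW='cn: IPA.DOMAIN.COM_id_range
ipabaseid: 1200000
ipaidrangesize: 200000
iparangetype: ipa-local

cn: AD.DOMAIN.COM_id_range
ipabaseid: 10000
ipaidrangesize: 5000
iparangetype: ipa-ad-trust-posix'

# group_gid RAW: print the gidnumber of a raw group-show entry.
group_gid() {
    printf '%s\n' "$1" | awk '$1 == "gidnumber:" { print $2; exit }'
}

# trust_posix_range_for GID RAW: print the cn of the first ipa-ad-trust-posix
# range containing GID (blank-line-separated records); exit 1 if none does.
trust_posix_range_for() {
    printf '%s\n' "$2" | awk -v gid="$1" 'BEGIN { RS = ""; FS = "\n" }
    { name = ""; base = -1; size = 0; type = ""
      for (i = 1; i <= NF; i++) {
          split($i, kv, ": ")
          if (kv[1] == "cn") name = kv[2]
          else if (kv[1] == "ipabaseid") base = kv[2] + 0
          else if (kv[1] == "ipaidrangesize") size = kv[2] + 0
          else if (kv[1] == "iparangetype") type = kv[2]
      }
      if (type == "ipa-ad-trust-posix" && gid >= base && gid < base + size) {
          print name; found = 1; exit
      }
    }
    END { exit found ? 0 : 1 }'
}

# check_split_brain GROUP_RAW RANGES_RAW: return 1 when the group's GID is
# owned by an AD trust POSIX range, 0 when IPA alone owns it.
check_split_brain() {
    gid=$(group_gid "$1")
    range=$(trust_posix_range_for "$gid" "$2") || return 0
    echo "IPA group gid $gid is inside AD trust POSIX range $range"
    return 1
}
```

Run against real output by piping `ipa group-show --all --raw <group>` and `ipa idrange-find --raw` into the two variables; a non-zero exit from `check_split_brain` is the condition to investigate.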
