On Mon, 29 Apr 2019, John Desantis wrote:
> Alexander,
>
> Thanks for your continued support.
>
>> I'm not saying about that at all.
>>
>> Can you show output of
>>
>> ipa group-show --all --raw adglobalposixgroup
>
> Sure thing!
>
> PROD:15:13:34-root@ipaserver1:~
> # ipa group-show --all --raw adglobalposixgroup
>  dn: cn=adglobalposixgroup,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
>  cn: adglobalposixgroup
>  gidnumber: 10001
>  ipaUniqueID: 5f5745b4-6a9f-11e9-8213-d4ae52a0e39d
>  objectClass: top
>  objectClass: groupofnames
>  objectClass: nestedgroup
>  objectClass: ipausergroup
>  objectClass: ipaobject
>  objectClass: posixgroup
>
>> From your explanation adglobalposixgroup is not a normal group in IPA.
>> Otherwise, sidgen plugin wouldn't have those issues. This is what I'm
>> pointing out -- having a split-brain situation is not expected and not
>> supported by SSSD in this way. "This way" - how we understood your
>> situation from your description above.
>
> To clarify, the "adglobalposixgroup" has a GID that is supplied via
> AD, it's configured as the GID 10001.
>
> When the trust was initially created, I was able to `getent passwd`
> and `id` users, but I received an error message stating that "10001
> could not be found".  That's the reason that I created it in IPA.
Understood.

My understanding is that the group should exist in AD. It doesn't need to
be POSIX there. You can add POSIX attributes for it in the 'Default
Trust View' as a group override, but the group itself has to exist in
AD.

Can you remove it from IPA and add

ipa idoverridegroup-add 'Default Trust View' adglobalposixgroup@ad.domain --gid 10001

after you added adglobalposixgroup in AD?


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
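The check and remediation from the reply above, as an added example that is not part of the thread: it parses `ipa group-show --all --raw` output, flags a native IPA POSIX group that duplicates an AD-supplied GID (the split-brain case), and prints the `group-del` plus `idoverridegroup-add` commands. The group name, AD domain and GID are constructed sample values taken from the thread; the `ipaexternalgroup` objectClass check is an assumption about how IPA marks external groups.

```shell
# Added example, not from the thread: detect the "split-brain" case the reply
# describes (a native IPA POSIX group carrying a GID that AD already supplies)
# and print the remediation the reply gives. Sample values are constructed.

# Print the value(s) of one attribute (case-insensitive name) from
# `ipa group-show --all --raw` output read on stdin.
raw_attr() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { key = $1; sub(/:$/, "", key) }
        tolower(key) == want { print $2 }'
}

# Classify the entry: "absent" (no such IPA group), "external" (an IPA
# external group holding AD SIDs, which is fine; assumed objectClass name),
# "native-posix" (a plain IPA POSIX group: the split-brain case), or "other".
classify_group() {
    raw="$(cat)"
    [ -n "$raw" ] || { echo absent; return; }
    classes="$(printf '%s\n' "$raw" | raw_attr objectClass | tr 'A-Z' 'a-z')"
    case "$classes" in
        *ipaexternalgroup*) echo external ;;
        *posixgroup*)       echo native-posix ;;
        *)                  echo other ;;
    esac
}

# Print the commands to run for group $1 from AD domain $2 with GID $3,
# given the raw group-show output on stdin. Nothing is executed here.
plan_fix() {
    raw="$(cat)"
    state="$(printf '%s\n' "$raw" | classify_group)"
    override="ipa idoverridegroup-add 'Default Trust View' '$1@$2' --gid $3"
    case "$state" in
        native-posix) printf "ipa group-del '%s'\n%s\n" "$1" "$override" ;;
        absent)       printf '%s\n' "$override" ;;
        *)            printf '# %s is %s: no change proposed\n' "$1" "$state" ;;
    esac
}

# Constructed sample: the output posted in the thread, trimmed to key lines.
SAMPLE_RAW=' dn: cn=adglobalposixgroup,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
 cn: adglobalposixgroup
 gidnumber: 10001
 objectClass: posixgroup'

printf '%s\n' "$SAMPLE_RAW" | plan_fix adglobalposixgroup ad.domain 10001
# Live use on the IPA server (g = group name):
#   ipa group-show --all --raw "$g" 2>/dev/null | plan_fix "$g" ad.domain 10001
```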
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org