On ma, 29 huhti 2019, John Desantis wrote:
Alexander,
Thanks for your continued support.
I'm not saying about that at all.
Can you show output of
ipa group-show --all --raw adglobalposixgroup
Sure thing!
PROD:15:13:34-root@ipaserver1:~
# ipa group-show --all --raw adglobalposixgroup
dn: cn=adglobalposixgroup,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
cn: adglobalposixgroup
gidnumber: 10001
ipaUniqueID: 5f5745b4-6a9f-11e9-8213-d4ae52a0e39d
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
From your explanation adglobalposixgroup is not a normal group in IPA.
Otherwise, sidgen plugin wouldn't have those issues. This is what I'm
pointing out -- having a split-brain situation is not expected and not
supported by SSSD in this way. "This way" - how we understood your
situation from your description above.
To clarify, the "adglobalposixgroup" has a GID that is supplied via
AD, it's configured as the GID 10001.
When the trust was initially created, I was able to `getent passwd`
and `id` users, but I received an error message stating that "10001
could not be found". That's the reason that I created it in IPA.
Understood.
My understanding that the group should exist in AD. It doesn't need to
be POSIX there. You can add POSIX attributes for it in the 'Default
Trust View' as a group override, but the group itself has to exist in
AD.
Can you remove it from IPA and add
ipa idoverridegroup-add 'Default Trust View' adglobalposixgroup@ad.domain --gid
10001
after you added adglobalposixgroup in AD?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org