Hi,
On Thu, Sep 1, 2022 at 4:59 PM Master Blaster via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Howdy,
>
> We are having intermittent login issues with our SSSD/IPA clients using
> Identity Manager in a read-only cross-forest trust configuration.
>
> The SSSD/IPA servers themselves don't seem to be having this issue, just
> the SSSD/IPA clients using the IDM/IPA servers as their identity provider.
>
> In addition, the problem only affects AD accounts, not native IDM accounts.
>
> The issue manifests itself as either failed logins or the 'id' command
> returning user unknown.
>
> All of our IDM servers are RHEL 8. Clients are various mixes of RHEL 7
> and RHEL 8, all exhibiting the same issue.
>
> We have a P2 open with Red Hat, and it feels like they are having a
> problem pinpointing the issue.
>
> Red Hat support seems to be indicating our AD environment is to blame, at
> least partially, as most of our AD groups don't have GIDs. We have 80K+
> users in our AD (not all of them assigned a Unix UID in AD as most of them
> have no need to log in to Unix). However, the users that are logging in
> via SSSD obviously have UIDs and many groups attached to them, most of
> which may not have POSIX GIDs as many of those groups will never need to
> touch Unix. (i.e., email groups, Windows-only access groups, etc, etc, etc)

If the trust is established with an ipa-ad-trust-posix range type, any AD user who wants to log in on the IdM side needs to have a uid, and all his groups also need to have a gid. If it's not possible to add these attributes on the AD side, you can also create an idoverride on IdM and override the uid or the gid.

Please see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_using-id-views-for-active-directory-users_managing-users-groups-hosts

flo

> Red Hat seems to indicate this is a highly unusual configuration for AD,
> where not all groups have POSIX GIDs assigned.
>
> I'm curious to know if those who have large AD environments like this with
> a mix of Unix and non-Unix users truly assign a POSIX GID to each and
> every group, even if that group will never be utilized by Unix.
>
> Also curious to know if anyone else is experiencing intermittent login
> problems like this, and if you were able to solve it, and how?
>
> Thank you...
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
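Added example, not part of this thread and not FreeIPA's own tooling: with an ipa-ad-trust-posix range, a single group without gidNumber in a user's membership is enough to make 'id' fail for that user, so an audit of which groups lack the attribute is the first thing to run before deciding between fixing AD or adding ID overrides. The script below parses a (constructed) LDIF export of AD groups, lists those without gidNumber, and emits the matching ipa idoverridegroup-add commands for the Default Trust View. The domain ad.example.com, the group names and the GID values are placeholders; the ldapsearch query in the docstring is how such an export is assumed to be produced.

```python
#!/usr/bin/env python3
"""Audit an AD group export for entries lacking gidNumber and print the
'ipa idoverridegroup-add' commands that would supply one via an ID view.

Assumed input: LDIF from a query such as
    ldapsearch -LLL -H ldap://ad.example.com -b 'DC=ad,DC=example,DC=com' \
        '(objectClass=group)' cn gidNumber
The LDIF below is constructed for this example; the domain, group names
and GID values are placeholders, not values from the thread.
"""
import re
from typing import Dict, List, Optional

AD_DOMAIN = "ad.example.com"      # placeholder trusted AD domain
ID_VIEW = "Default Trust View"    # ID view applied to all trusted-domain users

SAMPLE_LDIF = """\
dn: CN=unix-admins,OU=Groups,DC=ad,DC=example,DC=com
cn: unix-admins
gidNumber: 20001

dn: CN=email-marketing,OU=Groups,DC=ad,DC=example,DC=com
cn: email-marketing

dn: CN=windows-vpn,OU=Groups,DC=ad,DC=example,DC=com
cn: windows-vpn
"""


def parse_ldif(text: str) -> Dict[str, Optional[int]]:
    """Map each group's cn to its gidNumber, or None when the attribute is absent."""
    groups: Dict[str, Optional[int]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, str] = {}
        for line in block.splitlines():
            # Skip comments and base64-encoded ('::') values; neither is needed here.
            if not line or line.startswith("#") or "::" in line:
                continue
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if "cn" in attrs:
            gid = attrs.get("gidNumber")
            groups[attrs["cn"]] = int(gid) if gid else None
    return groups


def groups_missing_gid(groups: Dict[str, Optional[int]]) -> List[str]:
    """Groups that block resolution of their members under a POSIX-type range."""
    return sorted(cn for cn, gid in groups.items() if gid is None)


def override_commands(missing: List[str], start_gid: int,
                      ad_domain: str = AD_DOMAIN, view: str = ID_VIEW) -> List[str]:
    """Allocate consecutive GIDs from start_gid and build one ipa command per group.

    start_gid must fall inside the trust's ID range (check 'ipa idrange-find');
    the value passed in the usage call below is a placeholder.
    """
    return [
        f"ipa idoverridegroup-add '{view}' '{cn}@{ad_domain}' --gid={start_gid + i}"
        for i, cn in enumerate(missing)
    ]


if __name__ == "__main__":
    missing = groups_missing_gid(parse_ldif(SAMPLE_LDIF))
    print(f"{len(missing)} group(s) without gidNumber: {', '.join(missing)}")
    for cmd in override_commands(missing, start_gid=30000):
        print(cmd)
```

The same approach applies to the user side: a user whose own entry lacks uidNumber gets an override with ipa idoverrideuser-add 'Default Trust View' user@ad.example.com --uid=NUMBER. Overrides in the Default Trust View are honoured by every enrolled client, which is the case to prefer when the AD side cannot be changed.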