On Mon, Jun 24, 2019 at 09:35:20AM -0400, Marc Boorshtein via FreeIPA-users wrote:
We added a new account to AD that has a domain trust with FreeIPA. This one user is having an issue where IPA can't find him. The user is in the same OU as other users that work fine. The user is unlocked (userAccountControl is 512) and the userprincipalname is set. When I try to add the user to an id view or an external group IPA gives me the error "trusted domain object not found". Not really sure where to look next to figure out what's wrong. We see the user when we make LDAP calls to AD.
Hi,
the answer will most probably be in the SSSD logs on the IPA server.
Please try:
    sss_debuglevel 9
    sss_cache -E
    getent passwd ad_user@ad.domain
    sss_debuglevel 0    # or your default debug level
and send the sssd_nss.log and the domain log file.
Since it is a new user I wonder if maybe the RID is larger than 200000? For automatic id-mapping a range of 200000 IDs is used by default and if the RIDs become higher a new range should be added.
HTH
bye, Sumit
Thanks Marc
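The range check suggested in the reply above, as an added example that is not part of the original thread: it takes an AD account SID, extracts the RID, and tests it against the ID ranges of the trusted domain. The domain SID, range names and base values are constructed, and the mapping (base ID plus the RID's offset from the range's base RID) is the assumed algorithmic mapping for a trust range.

```shell
#!/bin/sh
# Constructed sample data, one ID range per line:
#   name  trusted-domain-SID  base_id  base_rid  size
RANGES='AD.DOMAIN_id_range S-1-5-21-1111111111-2222222222-3333333333 1234400000 0 200000'

# map_sid SID
# Prints the POSIX ID the SID maps to and returns 0.
# Returns 1 if no range of that domain covers the RID, 2 if the SID is not
# a domain account SID (S-1-5-21-<a>-<b>-<c>-<RID>).
map_sid() {
    sid=$1
    case $sid in
        S-1-5-21-*-*-*-*) ;;
        *) echo "not a domain account SID: $sid" >&2; return 2 ;;
    esac
    rid=${sid##*-}      # last sub-authority
    dom=${sid%-*}       # domain SID without the RID
    case $rid in
        ''|*[!0-9]*) echo "non-numeric RID in $sid" >&2; return 2 ;;
    esac
    while read -r name rsid base_id base_rid size; do
        [ -n "$name" ] || continue
        [ "$rsid" = "$dom" ] || continue
        if [ "$rid" -ge "$base_rid" ] && [ "$rid" -lt $((base_rid + size)) ]; then
            # Assumed algorithmic mapping: offset of the RID inside the range
            echo $((base_id + rid - base_rid))
            return 0
        fi
    done <<EOF
$RANGES
EOF
    echo "RID $rid is outside every ID range defined for $dom" >&2
    return 1
}

# Constructed SIDs: an older account and a new one whose RID passed 200000.
for sid in S-1-5-21-1111111111-2222222222-3333333333-1105 \
           S-1-5-21-1111111111-2222222222-3333333333-200512; do
    map_sid "$sid" || echo "$sid: no mapping, an additional ID range is needed"
done
```

The real range values for a trust can be listed on the IPA server with `ipa idrange-find`.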