On Mon, 29 Apr 2019, John Desantis wrote:
Alexander,
Thanks for your continued support.
I'm not saying about that at all.
Can you show output of
ipa group-show --all --raw adglobalposixgroup
Sure thing!
PROD:15:13:34-root@ipaserver1:~ # ipa group-show --all --raw adglobalposixgroup
dn: cn=adglobalposixgroup,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
cn: adglobalposixgroup
gidnumber: 10001
ipaUniqueID: 5f5745b4-6a9f-11e9-8213-d4ae52a0e39d
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
From your explanation adglobalposixgroup is not a normal group in IPA. Otherwise, sidgen plugin wouldn't have those issues. This is what I'm pointing out -- having a split-brain situation is not expected and not supported by SSSD in this way. "This way" - how we understood your situation from your description above.
To clarify, the "adglobalposixgroup" has a GID that is supplied via AD, it's configured as the GID 10001.
When the trust was initially created, I was able to `getent passwd` and `id` users, but I received an error message stating that "10001 could not be found". That's the reason that I created it in IPA.
Understood.
My understanding is that the group should exist in AD. It doesn't need to be POSIX there. You can add POSIX attributes for it in the 'Default Trust View' as a group override, but the group itself has to exist in AD.
Can you remove it from IPA and add
ipa idoverridegroup-add 'Default Trust View' adglobalposixgroup@ad.domain --gid 10001
after you added adglobalposixgroup in AD?