Alexander,
Thanks for your continued support.
I'm not saying about that at all.
Can you show output of
ipa group-show --all --raw adglobalposixgroup
Sure thing!
PROD:15:13:34-root@ipaserver1:~ # ipa group-show --all --raw adglobalposixgroup dn: cn=adglobalposixgroup,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com cn: adglobalposixgroup gidnumber: 10001 ipaUniqueID: 5f5745b4-6a9f-11e9-8213-d4ae52a0e39d objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ipausergroup objectClass: ipaobject objectClass: posixgroup
From your explanation adglobalposixgroup is not a normal group in IPA. Otherwise, sidgen plugin wouldn't have those issues. This is what I'm pointing out -- having a split-brain situation is not expected and not supported by SSSD in this way. "This way" - how we understood your situation from your description above.
To clarify, the "adglobalposixgroup" has a GID that is supplied via AD, it's configured as the GID 10001.
When the trust was initially created, I was able to `getent passwd` and `id` users, but I received an error message stating that "10001 could not be found". That's the reason that I created it in IPA.
I'm not sure how you created the group because it would have been enough to do
ipa group-add adglobalposixgroup --gid 10001
to create a proper POSIX group in IPA with a required GID instead of auto-generated one.
This is precisely what I did.
As to your question of 'why', SSSD on IPA masters runs in a special mode that assumes many specific settings different from IPA clients because it needs to talk to AD DCs and resolve some other details which aren't done at all on IPA clients.
Thank you for explaining that.
John DeSantis
Il giorno lun 29 apr 2019 alle ore 15:11 Alexander Bokovoy via FreeIPA-users freeipa-users@lists.fedorahosted.org ha scritto:
On ma, 29 huhti 2019, John Desantis wrote:
Alexander,
Yes, the group was created within the IPA domain via the cli, and this error is only manifest in the client log. However, the GID of the group (10001) is supplied via the AD trust using the POSIX range.
That isn't going to work at all.
For IPA groups POSIX IDs should be in IPA LDAP. You cannot have a non-POSIX group in IPA and POSIX ID supplied from AD LDAP.
Alright. So, do you recommend deleting the trust and re-creating it without "--range-type=ipa-ad-trust-posix"?
I'm not saying about that at all.
Can you show output of
ipa group-show --all --raw adglobalposixgroup
From your explanation adglobalposixgroup is not a normal group in IPA. Otherwise, sidgen plugin wouldn't have those issues. This is what I'm pointing out -- having a split-brain situation is not expected and not supported by SSSD in this way. "This way" - how we understood your situation from your description above.
I'm not sure how you created the group because it would have been enough to do
ipa group-add adglobalposixgroup --gid 10001
to create a proper POSIX group in IPA with a required GID instead of auto-generated one.
As to your question of 'why', SSSD on IPA masters runs in a special mode that assumes many specific settings different from IPA clients because it needs to talk to AD DCs and resolve some other details which aren't done at all on IPA clients.
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...