On Wed, 02 Aug 2017, Igor Sever via FreeIPA-users wrote:
There is no gidNumber attribute on AD group objects. If I want to apply posix attributes directly in AD, then I don't need FreeIPA, do I... https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-ma...
Can you show details about your trust configuration?
# ipa trust-show my.ad.domain
# ipa idrange-show MY.AD.DOMAIN_id_range
My hunch is that you established a trust with an ID range that defines you have POSIX IDs in your Active Directory. Thus, SSSD assumes you have allocated uidNumber/gidNumber yourself in user/group entries in AD LDAP.
If you definitely don't have POSIX IDs in AD, then it might be that you had at some point NIS integration enabled on the AD side and thus 'ipa trust-add' detected appropriate settings for this mode in AD and configured the ID range accordingly.
It is obvious that FreeIPA integration with AD is not production ready, and probably never will be for numerous reasons, just like samba...
It does not help to throw accusations without providing any details on how you configured a system.