Hello,
I manage two independent AD domains, and I set up a trust with my FreeIPA server (realm NAT.ABES.FR).
The trust-add step is OK for both, and both trusts are seen as Active Directory trusts:
2 trusts matched
----------------
  Realm name: ACME.local
  Domain NetBIOS name: ACME
  Domain Security Identifier: S-1-5-21-3044139164-2180978765-3887461208
  Trust type: Active Directory domain

  Realm name: levant.abes.fr
  Domain NetBIOS name: LEVANT
  Domain Security Identifier: S-1-5-21-116659660-2524593236-2569697501
  Trust type: Active Directory domain
ID ranges are also OK:
  Range name: ACME.LOCAL_id_range
  First Posix ID of the range: 542000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3044139164-2180978765-3887461208
  Range type: Active Directory domain range

  Range name: LEVANT.ABES.FR_id_range
  First Posix ID of the range: 564400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-116659660-2524593236-2569697501
  Range type: Active Directory domain range
I can get an id with ACME.local but not on levant.abes.fr:
id toto@ACME.local
uid=542001112(toto@ACME.local) gid=542001112(toto@ACME.local) groups=542001112(toto@ACME.local),542000513(utilisateurs du domaine@ACME.local)
id administrateur@levant.abes.fr
id: ‘administrateur@levant.abes.fr’: no such user
When debugging sssd, I find that the LDAP filter query is not the same on both domains:
ACME.local: [(&(sAMAccountName=toto)(objectclass=user)(sAMAccountName=*)(objectSID=*))]
levant.abes.fr: [(&(sAMAccountName=poujol)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]
The ACME domain is on a single 2012R2 server.
The LEVANT domain is on an AD cluster with different AD versions: 2008, 2012R2, 2016.
SRV records are all ok from AD side and from ipaserver side.
Some users on LEVANT had previously some Unix attributes that I deleted, and so any msSFU30OrderNumber or msSFU30MaxUidNumber or msSFU30MaxUidNumber as mentioned here: https://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
I deleted and recreated the trust and restarted the sssd daemon, but the result is always the same: the LDAP search on AD is always done with uidNumber instead of objectSID, and no users of the trusted domain are found.
What can I do more?
On Wed, Jun 24, 2020 at 11:40:45AM +0200, Nathanaël Blanchet via FreeIPA-users wrote:
Hi,
did you remove SSSD's cache while restarting SSSD? Please try
sssctl cache-remove -ops
or if sssctl is not installed
systemctl stop sssd.service ; rm -f /var/lib/sss/db/* ; systemctl start sssd.service
HTH
bye, Sumit
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
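The thread turns on two things that are easy to check by hand: which lookup mode SSSD is actually using for each trusted domain (the `(objectSID=*)` filter means algorithmic ID mapping from the SID, which is what an `ipa-ad-trust` range type such as "Active Directory domain range" calls for, whereas `(uidNumber=*)` means SSSD is still trying to read POSIX attributes from AD), and whether the POSIX IDs you get back are consistent with the configured ID ranges. The script below is an added example written for this thread, not code from SSSD or FreeIPA. It classifies the filter in sssd debug lines and maps a SID to its expected POSIX ID using the two ID ranges quoted above. The log line layout is constructed to resemble SSSD's `sdap_get_generic_ext_step` debug output and is an assumption; the SIDs, range bases and IDs come from the thread.

```python
import re

# ID ranges as reported by `ipa idrange-find` in the thread (range type ipa-ad-trust,
# i.e. POSIX ID = base_id + (RID - base_rid)).
ID_RANGES = {
    "S-1-5-21-3044139164-2180978765-3887461208": {
        "name": "ACME.LOCAL_id_range", "base_id": 542000000, "size": 200000, "base_rid": 0},
    "S-1-5-21-116659660-2524593236-2569697501": {
        "name": "LEVANT.ABES.FR_id_range", "base_id": 564400000, "size": 200000, "base_rid": 0},
}

# Both ranges are "Active Directory domain range", so SSSD should query by objectSID
# for both domains; a uidNumber filter is the symptom reported in the thread.
EXPECTED_MODE = {"acme.local": "id-mapping", "levant.abes.fr": "id-mapping"}

# Constructed sample log lines (assumed layout, modelled on SSSD debug output).
SAMPLE_LOG = [
    "(2020-06-24 11:38:01): [be[nat.abes.fr]] [sdap_get_generic_ext_step] (0x0400): "
    "calling ldap_search_ext with [(&(sAMAccountName=toto)(objectclass=user)"
    "(sAMAccountName=*)(objectSID=*))][DC=ACME,DC=local].",
    "(2020-06-24 11:38:05): [be[nat.abes.fr]] [sdap_get_generic_ext_step] (0x0400): "
    "calling ldap_search_ext with [(&(sAMAccountName=poujol)(objectclass=user)"
    "(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=levant,DC=abes,DC=fr].",
]

FILTER_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*?)\]\[(?P<base>[^\]]*)\]")


def classify_filter(ldap_filter):
    """Tell from the LDAP filter which identity lookup mode SSSD used."""
    f = ldap_filter.lower()
    if "(objectsid=*)" in f:
        return "id-mapping"          # SID-based algorithmic mapping
    if "(uidnumber=*)" in f or "(gidnumber=*)" in f:
        return "posix-attributes"    # expects uidNumber/gidNumber stored in AD
    return "unknown"


def base_dn_to_domain(base_dn):
    """DC=levant,DC=abes,DC=fr -> levant.abes.fr"""
    return ".".join(re.findall(r"DC=([^,]+)", base_dn, flags=re.I)).lower()


def scan_sssd_log(lines, expected_mode=EXPECTED_MODE):
    """Return one finding per search line: domain, observed mode, and whether it
    matches the mode the ID range type calls for."""
    findings = []
    for line in lines:
        m = FILTER_RE.search(line)
        if not m:
            continue
        domain = base_dn_to_domain(m.group("base"))
        mode = classify_filter(m.group("filter"))
        findings.append({"domain": domain, "mode": mode,
                         "ok": mode == expected_mode.get(domain)})
    return findings


def sid_to_posix_id(sid, ranges=ID_RANGES):
    """Compute the POSIX ID SSSD would assign to a SID under ipa-ad-trust ranges."""
    domain_sid, _, rid_text = sid.rpartition("-")
    rng = ranges.get(domain_sid)
    if rng is None:
        raise ValueError("no ID range configured for domain SID %s" % domain_sid)
    offset = int(rid_text) - rng["base_rid"]
    if not 0 <= offset < rng["size"]:
        raise ValueError("RID %s falls outside range %s" % (rid_text, rng["name"]))
    return rng["base_id"] + offset


if __name__ == "__main__":
    for f in scan_sssd_log(SAMPLE_LOG):
        print("%-16s %-17s %s" % (f["domain"], f["mode"], "ok" if f["ok"] else "MISMATCH"))
    # RID 1112 and RID 513 (Domain Users) in ACME: matches the id output in the thread
    print(sid_to_posix_id("S-1-5-21-3044139164-2180978765-3887461208-1112"))
    print(sid_to_posix_id("S-1-5-21-3044139164-2180978765-3887461208-513"))
```

Run against a real `/var/log/sssd/sssd_<domain>.log` captured at debug level 6 or higher, a MISMATCH row for a domain whose range type is "Active Directory domain range" is the state described in the thread; if the filter stays on uidNumber after the range is confirmed, stale SSSD cache entries for the subdomain are the first thing to rule out, which is what the cache removal above does.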
It works, thank you so much!
On 24/06/2020 at 12:44, Sumit Bose via FreeIPA-users wrote: