We added a new account to AD that has a domain trust with FreeIPA. This one user is having an issue where IPA can't find him. The user is in the same OU as other users that work fine. The user is unlocked (userAccountControl is 512) and the userprincipalname is set. When I try to add the user to an id view or an external group IPA gives me the error "trusted domain object not found" . Not really sure where to look next to figure out what's wrong. We see the user when we make LDAP calls to AD.
Thanks Marc
On Mon, 24 Jun 2019, Marc Boorshtein via FreeIPA-users wrote:
We added a new account to AD that has a domain trust with FreeIPA. This one user is having an issue where IPA can't find him. The user is in the same OU as other users that work fine. The user is unlocked (userAccountControl is 512) and the userprincipalname is set. When I try to add the user to an id view or an external group IPA gives me the error "trusted domain object not found" . Not really sure where to look next to figure out what's wrong. We see the user when we make LDAP calls to AD.
'Trusted domain object not found' is about the trust itself. Are you sure you are looking it up against a server that is either a trust controller or a trust agent?
If it is a trust agent, does it have ipa-server-trust-ad package installed?
'Trusted domain object not found' is about the trust itself. Are you sure you are looking it up against a server that is either a trust controller or a trust agent?
It's just this one user. Other users in the trusted domain are OK and the trust has been up and running without issue for months.
If it is a trust agent, does it have ipa-server-trust-ad package installed?
Yes
On Mon, 24 Jun 2019, Marc Boorshtein wrote:
'Trusted domain object not found' is about the trust itself. Are you sure you are looking it up against a server that is either a trust controller or a trust agent?
It's just this one user. Other users in the trusted domain are OK and the trust has been up and running without issue for months.
If it is a trust agent, does it have ipa-server-trust-ad package installed?
Yes
Then enable debug in /etc/ipa/server.conf:

[global]
debug = True

and restart httpd on the agent, then retry. I'd need to see error_log output.
On Mon, Jun 24, 2019 at 09:35:20AM -0400, Marc Boorshtein via FreeIPA-users wrote:
We added a new account to AD that has a domain trust with FreeIPA. This one user is having an issue where IPA can't find him. The user is in the same OU as other users that work fine. The user is unlocked (userAccountControl is 512) and the userprincipalname is set. When I try to add the user to an id view or an external group IPA gives me the error "trusted domain object not found" . Not really sure where to look next to figure out what's wrong. We see the user when we make LDAP calls to AD.
Hi,
the answer will be most probably in the SSSD logs on the IPA server.
Please try:
sss_debuglevel 9
sss_cache -E
getent passwd ad_user@ad.domain
sss_debuglevel 0 # or your default debug level
and send the sssd_nss.log and the domain log file.
Since it is a new user I wonder if maybe the RID is larger than 200000? For automatic id-mapping a range of 200000 IDs is used by default and if the RIDs become higher a new range should be added.
HTH
bye, Sumit
Thanks Marc
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Mon, Jun 24, 2019 at 10:20:13AM -0400, Marc Boorshtein via FreeIPA-users wrote:
Since it is a new user I wonder if maybe the RID is larger than 200000? For automatic id-mapping a range of 200000 IDs is used by default and if the RIDs become higher a new range should be added.
What's the RID attribute in AD?
Afaik there is no separate RID LDAP attribute, it is the last component of the objectSid.
bye, Sumit
On Mon, 24 Jun 2019, Marc Boorshtein via FreeIPA-users wrote:
Since it is a new user I wonder if maybe the RID is larger than 200000? For automatic id-mapping a range of 200000 IDs is used by default and if the RIDs become higher a new range should be added.
What's the RID attribute in AD?
Just check the last component of the SID in AD. If you are using Active Directory Users and Computers snap-in, then enable 'Advanced features' and check 'Attribute Editor' in the user's properties, there will be 'ObjectSid' attribute.
Hi,
I have this problem, but I don't know what the last component of the SID is. I have this SID as an example:
S-1-5-21-87479985-2381909852-2776750896-1101; is the last component the last four numbers?
It actually works for users that already exist in AD, but new users are not found by IPA.
Thanks, John
On Thu, 14 Oct 2021, John Tor via FreeIPA-users wrote:
Hi,
I have this problem, but I don't know what the last component of the SID is. I have this SID as an example:
S-1-5-21-87479985-2381909852-2776750896-1101; is the last component the last four numbers?
It actually works for users that already exist in AD, but new users are not found by IPA.
Yes, that is the last component after a dash (-).
See https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/78eb901... and the rest of MS-DTYP 2.4.2 section
Since it is a new user I wonder if maybe the RID is larger than 200000? For automatic id-mapping a range of 200000 IDs is used by default and if the RIDs become higher a new range should be added.
I think we have a winner. RID > 200,000. How do we properly increase this limit? We tried increasing the id range in the FreeIPA UI from 200000 to 300000 for all of the domains but it's not having an effect. Same symptoms.
Thanks Marc
On Mon, Jun 24, 2019 at 11:44:40AM -0400, Marc Boorshtein wrote:
Since it is a new user I wonder if maybe the RID is larger than 200000? For automatic id-mapping a range of 200000 IDs is used by default and if the RIDs become higher a new range should be added.
I think we have a winner. RID > 200,000. How do we properly increase this limit? We tried increasing the id range in the FreeIPA UI from 200000 to 300000 for all of the domains but it's not having an effect. Same symptoms.
ah, sorry, I should have given some more details to 'a new range should be added'.
SSSD does not support modifying an id-range at runtime because this might change existing UIDs or GIDs. If you want to make the change effective you have to stop SSSD on each IPA client and server, remove the cache from /var/lib/sss/db, and start SSSD again. Then all IPA hosts will use the modified id-range.
But SSSD supports adding a new id-range with 'ipa idrange-add ...'. The name should be unique, e.g. the name of the other range of the AD domain with a '_2' suffix. The --base-id can be directly on top of the end of the existing id-range, the --rid-base is 200000 and --dom-sid and --dom-name are the same as for the existing id-range.
HTH
bye, Sumit
Thanks Marc
Thanks Sumit,
But SSSD supports adding a new id-range with 'ipa idrange-add ...'. The name should be unique, e.g. the name of the other range of the AD domain with a '_2' suffix. The --base-id can be directly on top of the end of the existing id-range, the --rid-base is 200000 and --dom-sid and --dom-name are the same as for the existing id-range.
When you say baseid can be directly on top of the end of the existing id range, does that mean it would be the baseid of the existing range + 200000?
On Mon, Jul 08, 2019 at 10:29:58AM -0400, Marc Boorshtein via FreeIPA-users wrote:
Thanks Sumit,
But SSSD supports adding a new id-range with 'ipa idrange-add ...'. The name should be unique, e.g. the name of the other range of the AD domain with a '_2' suffix. The --base-id can be directly on top of the end of the existing id-range, the --rid-base is 200000 and --dom-sid and --dom-name are the same as for the existing id-range.
When you say baseid can be directly on top of the end of the existing id range, does that mean it would be the baseid of the existing range + 200000?
Hi,
yes, the range will include the baseid (typically ending with '0') and then the next 200000 IDs, so the last one will have a '9' at the end. The next free one is baseid+200000.
Btw, there are various checks to make sure a new idrange does not overlap with an existing one, 'ipa idrange-add' should return an error in this case.
HTH
bye, Sumit
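To make the two pieces of advice above concrete (Alexander's point that the RID is the last dash-separated component of the objectSid, and Sumit's description of how a follow-on id-range is laid out), here is an added example that is not code from the FreeIPA project or from anyone in this thread. It parses a SID string, maps the RID onto ipa-ad-trust style id-ranges the way RID-based automatic mapping does (POSIX ID = base-id + RID - rid-base), and, when no range covers the RID, proposes the next range exactly as Sumit describes: base-id directly above the existing range, rid-base at the end of the RIDs already mapped, same dom-sid and dom-name, with an overlap check. The range name, base-id and the second RID are constructed sample data; the domain SID is the one John posted. The rendered 'ipa idrange-add' line uses only the options named in the thread and should be checked against 'ipa idrange-add --help' on your version.

```python
"""Added example (not FreeIPA code): SID -> RID -> POSIX ID mapping across id-ranges,
plus a proposal for the follow-on range when a RID exceeds the existing one."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int      # first POSIX ID of the range
    range_size: int   # number of IDs covered (FreeIPA default for trust ranges: 200000)
    rid_base: int     # first RID this range maps
    dom_sid: str      # domain SID without the trailing RID component
    dom_name: str

    @property
    def last_id(self) -> int:
        return self.base_id + self.range_size - 1

    def covers_rid(self, rid: int) -> bool:
        return self.rid_base <= rid < self.rid_base + self.range_size

    def posix_id(self, rid: int) -> int:
        # RID-based mapping: offset of the RID inside the range, added to base-id
        return self.base_id + (rid - self.rid_base)


def parse_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-...-RID' into (domain SID, RID); the RID is the last component (MS-DTYP 2.4.2)."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    if not parts[-1].isdigit():
        raise ValueError(f"non-numeric RID in {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def resolve_posix_id(sid: str, ranges: list[IdRange]) -> Optional[tuple[str, int]]:
    """Return (range name, POSIX ID) for the SID, or None when no range of its domain covers the RID."""
    dom_sid, rid = parse_sid(sid)
    for r in ranges:
        if r.dom_sid == dom_sid and r.covers_rid(rid):
            return r.name, r.posix_id(rid)
    return None


def overlaps(a: IdRange, b: IdRange) -> bool:
    return a.base_id <= b.last_id and b.base_id <= a.last_id


def propose_next_range(ranges: list[IdRange], dom_sid: str) -> IdRange:
    """Next range for dom_sid as described in the thread: base-id right above the domain's
    highest range, rid-base right above the highest RID already mapped, same dom-sid/dom-name."""
    own = [r for r in ranges if r.dom_sid == dom_sid]
    if not own:
        raise LookupError(f"no existing id-range for {dom_sid}")
    top = max(own, key=lambda r: r.last_id)
    candidate = IdRange(
        name=f"{top.name}_{len(own) + 1}",          # '_2' suffix for the second range
        base_id=top.last_id + 1,                    # baseid + range_size of the range below
        range_size=top.range_size,
        rid_base=max(r.rid_base + r.range_size for r in own),
        dom_sid=dom_sid,
        dom_name=top.dom_name,
    )
    # ipa idrange-add rejects overlapping ranges; fail early for the same reason
    clash = [r.name for r in ranges if overlaps(candidate, r)]
    if clash:
        raise ValueError(f"proposed range overlaps {clash}")
    return candidate


def idrange_add_command(r: IdRange) -> str:
    """Render the matching 'ipa idrange-add' call (options as named in the thread)."""
    return (f"ipa idrange-add '{r.name}' --base-id={r.base_id} --range-size={r.range_size} "
            f"--rid-base={r.rid_base} --dom-sid={r.dom_sid} --dom-name={r.dom_name}")


# Constructed sample data: the domain SID John posted, one default-sized first range.
DOM_SID = "S-1-5-21-87479985-2381909852-2776750896"
EXISTING = [IdRange("AD.EXAMPLE.TEST_id_range", 1563400000, 200000, 0, DOM_SID, "ad.example.test")]

if __name__ == "__main__":
    for sid in (DOM_SID + "-1101", DOM_SID + "-234567"):   # second RID > 200000: the thread's case
        hit = resolve_posix_id(sid, EXISTING)
        print(sid, "->", hit if hit else "no id-range covers this RID")
    nxt = propose_next_range(EXISTING, DOM_SID)
    print(idrange_add_command(nxt))
    print(resolve_posix_id(DOM_SID + "-234567", EXISTING + [nxt]))
```

Running it shows RID 1101 landing in the first range while RID 234567 resolves to nothing until the proposed second range (base-id 1563600000, rid-base 200000) is added, after which it maps to 1563634567; that is the same behaviour Marc reported once the new range had been created.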
Thanks Sumit. Once we created the new id range per your instructions it took a few minutes but the issue was resolved.
Thanks again!
On Tue, Jul 30, 2019 at 6:13 AM Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Mon, Jul 08, 2019 at 10:29:58AM -0400, Marc Boorshtein via FreeIPA-users wrote:
Thanks Sumit,
But SSSD supports adding a new id-range with 'ipa idrange-add ...'. The name should be unique, e.g. the name of the other range of the AD domain with a '_2' suffix. The --base-id can be directly on top of the end of the existing id-range, the --rid-base is 200000 and --dom-sid and --dom-name are the same as for the existing id-range.
When you say baseid can be directly on top of the end of the existing id range, does that mean it would be the baseid of the existing range + 200000?
Hi,
yes, the range will include the baseid (typically ending with '0') and then the next 200000 IDs, so the last one will have a '9' at the end. The next free one is baseid+200000.
Btw, there are various checks to make sure a new idrange does not overlap with an existing one, 'ipa idrange-add' should return an error in this case.
HTH
bye, Sumit