On Fri, Nov 15, 2019 at 10:58:17AM -0000, Jamal Mahmoud wrote:
Ok, do you know if the LDAP attributes uidNumber and gidNumber are replicated to the Global Catalog in your environment? By default they are not.
You can check this manually as well with ldapsearch on the Global Catalog port 3268:
ldapsearch -H ldap://your-ad-dc.your.ad.domain:3268 -b 'DC=your,DC=ad,DC=domain' samAccountName=groupname
If gidNumber is missing in the Global Catalog object, please try if setting
ad_enable_gc = False
in the [domain/...] section of sssd.conf makes the group lookup more reliable.
bye, Sumit
Hi Sumit,
I'm just after checking and you are correct! The LDAP search through the Global Catalog does not return any POSIX attributes. We're going to apply this patch and see if the errors stop occurring. If this is the solution I owe you a drink (or 5).
Thanks, Jamal
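
The manual check discussed in this thread, as an added example that is not part of the original messages: a shell filter that reads ldapsearch LDIF output and reports entries lacking the named POSIX attributes. The function name, the sample LDIF and its values are constructed for illustration; the host and base DN in the usage comment are the thread's placeholders.

```shell
#!/bin/sh
# missing_posix_attrs ATTR...: read ldapsearch LDIF on stdin and print one line
# per entry that lacks any named attribute: "<dn>: missing <attr> [<attr>...]".
missing_posix_attrs() {
    awk -v want="$*" '
        BEGIN { n = split(want, attrs, " ") }
        function emit(   i, miss) {
            if (dn != "") {
                for (i = 1; i <= n; i++)
                    if (!(tolower(attrs[i]) in seen)) miss = miss " " attrs[i]
                if (miss != "") print dn ": missing" miss
            }
            dn = ""; split("", seen)
        }
        /^#/   { next }                                   # LDIF comment
        /^dn:/ { emit(); dn = $0; sub(/^dn:+ */, "", dn); indn = 1; next }
        /^ /   { if (indn) dn = dn substr($0, 2); next }  # folded continuation line
        /^$/   { emit(); indn = 0; next }                 # blank line ends an entry
        /^[A-Za-z][A-Za-z0-9;-]*:/ { a = $0; sub(/:.*/, "", a); seen[tolower(a)] = 1; indn = 0 }
        END { emit() }
    '
}

# Against a live server (placeholders from the thread), Global Catalog port:
#   ldapsearch -H ldap://your-ad-dc.your.ad.domain:3268 -b 'DC=your,DC=ad,DC=domain' \
#       samAccountName=groupname | missing_posix_attrs gidNumber
# Repeat without ":3268" (default LDAP port) to compare with the domain partition.

# Constructed sample LDIF: the same group as seen through the Global Catalog
# and through the regular LDAP port. Names and values are invented.
sample_gc() { cat <<'EOF'
dn: CN=groupname,OU=Groups,DC=your,DC=ad,DC=domain
objectClass: group
sAMAccountName: groupname
EOF
}
sample_ldap() { cat <<'EOF'
dn: CN=groupname,OU=Groups,DC=your,DC=ad,DC=domain
objectClass: group
sAMAccountName: groupname
gidNumber: 10001
EOF
}

sample_gc   | missing_posix_attrs gidNumber   # reports the entry
sample_ldap | missing_posix_attrs gidNumber   # prints nothing
```

An entry reported only for the Global Catalog result is the case where `ad_enable_gc = False` is the suggested setting.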