On Fri, Jul 14, 2017 at 10:00:20AM -0000, bogusmaster--- via FreeIPA-users 
wrote:
> > Can you do a test on the server by calling
> > 
> >     id username@ad.domain
> > 
> > and collect sssd_nss.log and sssd_your.ipa.domain.log on the server as
> > well?
> I uploaded these files to the same place as before - goo.gl/hiFHKE. They have 
> a SERVER prefix in their names.
> 
> > In the id output all groups should have a GID and a name, if there are
> > groups with only a GID this might have caused the issue on the client as
> > well.
> 
> This could be the root cause of the issues with rules propagation, because:
> groups j...@td.mydomain.com
> j...@td.mydomain.com : j...@td.mydomain.com groups: cannot find name for 
> group ID 752600513 752600513

Yes, but I think this is only a side effect. SSSD cannot resolve a
global catalog server. Does

    dig SRV _gc._tcp.td.mydomain.com

return anything when called on the IPA server?

> 
> Interestingly, ipa group-find doesn't show a group with that ID, nor do I 
> recognize adding a group with such an ID. 

It is most probably the GID of the 'Domain Users' group of the AD
domain.

> I tried to resolve it by adding a group with such an ID locally on the server, 
> but it didn't change anything except for the result of groups command above.

Please remove the entry again, it might cause all kinds of irritations.

bye,
Sumit

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
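
The check discussed in this thread (every group in the `id` output should carry both a GID and a name) can be scripted. The following is an added example, not part of the original message; the function name and the user and group names in the sample line are constructed, and only the GID 752600513 is taken from the thread.

```shell
#!/bin/sh
# Added example: list the GIDs that `id` printed without a group name.
# Usage on the IPA server or client:  id user@ad.domain | unresolved_gids

unresolved_gids() {
    # 1. Keep only the supplementary group list after " groups=".
    # 2. Drop a trailing SELinux " context=..." field if one is present.
    # 3. Collapse every "(name)" to "(n)" so that spaces or commas inside
    #    AD group names (e.g. "domain users") cannot confuse the split.
    sed -n '/ groups=/{s/^.* groups=//;s/ context=.*$//;s/([^)]*)/(n)/g;p;}' |
        tr ',' '\n' |
        # A resolved entry looks like 1234(n); a bare number has no name.
        awk '/^[0-9]+$/'
}

# Constructed sample line in the format `id` prints; names are made up.
SAMPLE_ID_OUTPUT='uid=752601105(jdoe@td.example.test) gid=752601105(jdoe@td.example.test) groups=752601105(jdoe@td.example.test),752600513,752601200(domain admins@td.example.test)'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_ID_OUTPUT" | unresolved_gids
```

An empty result means every group resolved; any number printed is a GID that SSSD could not map to a name and is worth comparing against the SSSD logs.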