On Fri, Jul 14, 2017 at 10:00:20AM -0000, bogusmaster--- via FreeIPA-users
> > Can you do a test on the server by calling
> > id username(a)ad.domain
> > and collect sssd_nss.log and sssd_your.ipa.domain.log on the server as
> > well?
> I uploaded these files to the same place as before - goo.gl/hiFHKE. They have
> SERVER prefix in their names.
> > In the id output all groups should have a GID and a name, if there are
> > groups with only a GID this might have caused the issue on the client as
> > well.
> This could be root cause of the issues with rules propagation, because:
> groups j...@td.mydomain.com
> j...@td.mydomain.com : j...@td.mydomain.com groups: cannot find name for
> group ID 752600513 752600513
yes, but I think this is only a side effect. SSSD cannot resolve a
global catalog server. Does
dig SRV _gc._tcp.td.mydomain.com
return anything when called on the IPA server?
> Interestingly, ipa group-find doesn't show a group with that id, nor do I
> recognize adding a group with such ID.
It is most probably the GID of the 'Domain Users' group of the AD
> I tried to resolve it by adding a group with such ID locally on the server,
> but it didn't change anything except for the result of groups command above.
Please remove the entry again, it might cause all kind of irritations.
> FreeIPA-users mailing list -- firstname.lastname@example.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org