On Tue, Mar 2, 2021, at 23:35, Sumit Bose via FreeIPA-users wrote:
> On Wed, Feb 24, 2021 at 03:32:54PM +1100, Lachlan Simpson via FreeIPA-users
> wrote:
> > On Tue, Feb 23, 2021, at 15:36, Lachlan Simpson via FreeIPA-users wrote:
> > > I am seeing the following in the samba logs:
> > >
> > > Missing mandatory attribute ipaNTSecurityIdentifier.
> > > [2021/02/23 14:57:23.345184, 0] ipa_sam.c:4950(pdb_init_ipasam)
> > > Cannot find SID of fallback group.
>
> thanks for your patience. It looks like there is an issue with the
> fallback group. Please check with
>
> ipa trustconfig-show
>

No problems - I was just about to post to the list to ask about fallback groups. I
was planning on working through the source first though, so I'm glad you posted.

[root@idm samba]# ipa trustconfig-show
Domain: test.idm.company.com
Security Identifier: S-1-5-21-2418255240-4279612882-1152719259
NetBIOS name: TEST
Domain GUID: b9e79f68-3f7f-4174-ba8f-2f9c864dccbc
Fallback primary group: company_name
IPA AD trust agents: idm.test.company.com
IPA AD trust controllers: idm.test.company.com

> what is your fallback group and with
>
> ipa group-show --all 'Group Name'

[root@idm samba]# ipa group-show --all 'company_name'
dn: cn=company_name,cn=groups,cn=accounts,dc=test,dc=company,dc=com
Group name: company_name
GID: 5000
ipauniqueid: 886f69c4-3f2b-11eb-89aa-005056980f49
objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject,
posixgroup

> if it has a SID assigned. If there is no SID, please check if the group
> has a GID from the id-range assigned to the IPA domain.

The IPA domain has Primary RID base of 1000 but the Base ID is 709600000?
I presumed the AD provided POSIX GID would come across per a regular Linux
system gid and that would be fine within IPA. IIRC until I edited the range of
the trust it was working after I had created the User Group in IPA with the GID
5000.
Is it possible or smarter to reduce the IPA range to fit this GID or is it
better to create the group id override?
L.