On Tue, May 11, 2021 at 02:28:49PM -0000, iulian roman via FreeIPA-users wrote:
> Hello everybody,
>
> I try to override some uid and gid for AD users in IdM (I added all
> users for which I need to override attributes in Default Trust View)
> and although everything works properly on both IdM server and replica,
> I cannot query the users on the ipa clients. Any other users (which
> are not part of the Default Trust View) are visible and groups
> displayed correctly on ipa clients.
> So far, I have removed cache on both ipa server and client, restarted
> sssd, removed /var/lib/sss/db/* but no success. I have enabled
> debugging as well for sss, nss, but nothing relevant. The odd thing
> is that sometimes I could query some of the users for which override
> was configured, but I do not know why (I tried to correlate with the
> group membership, number of groups the user is member of, etc. but
> unsuccessfully).
> On the ipa clients the sssd version I use is 1.16.1 and on the ipa
> server sssd version is 2.3.0. Can that make a difference or be the
> cause of the issue?

Hi,

the typical reason for this behavior is primary GIDs which cannot be
resolved to a name. If you set the primary GID for a user in an
id-override, this GID must belong to an existing group or must be the GID
in a group id-override. If you call 'getent group GID' it must return a
group.

HTH

bye,
Sumit

>
> Any hint where I should look into would be really appreciated.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
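
The check suggested in the reply above can be run over a whole list of overridden users at once. The script below is an added example, not part of the original thread or of FreeIPA/SSSD; the function names, the `GROUP_SOURCE` variable and the sample users and GIDs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list users whose primary GID does not resolve to a group.
# GROUP_SOURCE is a hypothetical variable: when set, a group-format file is
# consulted instead of NSS, so the check can run on constructed data.

lookup_group() {
    # $1 = numeric GID; succeeds only if a group entry exists for it
    if [ -n "${GROUP_SOURCE:-}" ]; then
        awk -F: -v g="$1" '$3 == g { found = 1 } END { exit !found }' "$GROUP_SOURCE"
    else
        getent group "$1" >/dev/null 2>&1
    fi
}

# Reads passwd-format lines (name:pw:uid:gid:...) on stdin and prints
# "name gid" for every entry whose primary GID has no group behind it.
unresolved_primary_gids() {
    while IFS=: read -r name _pw _uid gid _rest; do
        [ -n "$name" ] || continue
        case "$gid" in
            ''|*[!0-9]*) echo "$name ${gid:-missing}"; continue ;;
        esac
        lookup_group "$gid" || echo "$name $gid"
    done
}

# On a live client: check_users 'user@ad.domain' ... (resolves through NSS)
check_users() {
    for u in "$@"; do
        if entry=$(getent passwd "$u"); then
            printf '%s\n' "$entry" | unresolved_primary_gids
        else
            echo "$u not-resolvable"
        fi
    done
}

# Constructed sample data (not from the thread): bob's overridden primary GID
# 79999 has no matching group, alice's 70001 does.
constructed_demo() {
    tmp=$(mktemp)
    printf '%s\n' 'adusers:*:70001:' > "$tmp"
    printf '%s\n' \
        'alice@ad.example.test:*:70001:70001:Alice:/home/alice:/bin/bash' \
        'bob@ad.example.test:*:70002:79999:Bob:/home/bob:/bin/bash' |
        GROUP_SOURCE="$tmp" unresolved_primary_gids
    rm -f "$tmp"
}
```

Any user printed by `check_users` on a client has a primary GID that still needs an existing group or a group id-override behind it.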