On Wed, Jun 07, 2023 at 05:10:15PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 07.06.23 17:07, Ronald Wimmer via FreeIPA-users wrote:
> > On 07.06.23 14:27, Ronald Wimmer via FreeIPA-users wrote:
> > > When trying to add an AD group in an external group IPA fails to add
> > > certain groups. Error: "trusted domain object not found"
> >
> > What the AD objects that cannot be added have in common is that their
> > RID (last component of SID) is over 20000.
> >
> > Example group: 201455
> > Example user: 203766
> >
> > So. I bet the ID ranges are set too small on the IPA side.
> >
> > Is this plausible?
>
> I'd say yes...
>
> Range name: SOMEDOMAIN.MYDOMAIN.AT_id_range
> First Posix ID of the range: 1073800000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 0
> Domain SID of the trusted domain: <undisclosed>
> Range type: Active Directory domain range

Hi,

yes, the RIDs over 200k are most probably the reason the objects are not seen. If you haven't started to change the idrange configuration I would suggest to add a second idrange for this domain instead of changing just the size of the range. The reason is the SSSD can add new idranges at runtime but a change in an existing idrange requires a restart with removing the cache. So just adding a new idrange will be less effort.

HTH

bye,
Sumit

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
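
As an added example (not part of either post, and not FreeIPA or SSSD code): a check of which RIDs the quoted idrange covers, using the algorithmic mapping POSIX ID = first POSIX ID + (RID - first RID), and a sanity check of a second range for the same domain. The second range's name, base ID and RID base are assumed values for illustration; a real second range must use a POSIX ID block that is free in the deployment.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int   # "First Posix ID of the range"
    size: int      # "Number of IDs in the range"
    rid_base: int  # "First RID of the corresponding RID range"

    def covers(self, rid: int) -> bool:
        # A RID is resolvable only inside [rid_base, rid_base + size).
        return self.rid_base <= rid < self.rid_base + self.size

    def posix_id(self, rid: int) -> int:
        return self.base_id + (rid - self.rid_base)


def map_rid(ranges: Iterable[IdRange], rid: int) -> Optional[int]:
    """Return the POSIX ID for a RID, or None if no range covers it."""
    for r in ranges:
        if r.covers(rid):
            return r.posix_id(rid)
    return None


def _intersect(start_a: int, start_b: int, size_a: int, size_b: int) -> bool:
    return start_a < start_b + size_b and start_b < start_a + size_a


def overlaps(a: IdRange, b: IdRange) -> bool:
    """True if two ranges of one domain collide in POSIX ID or RID space."""
    return (_intersect(a.base_id, b.base_id, a.size, b.size)
            or _intersect(a.rid_base, b.rid_base, a.size, b.size))


# Values from the range quoted in the thread.
EXISTING = IdRange("SOMEDOMAIN.MYDOMAIN.AT_id_range", 1073800000, 200000, 0)
# Assumed second range (constructed): the next 200000 RIDs, mapped to the
# POSIX block directly after the first one.
SECOND = IdRange("SOMEDOMAIN.MYDOMAIN.AT_id_range_2", 1074000000, 200000, 200000)

if __name__ == "__main__":
    for rid in (199999, 201455, 203766):  # last covered RID, then the two examples
        print(rid, map_rid([EXISTING], rid), map_rid([EXISTING, SECOND], rid))
    print("overlap:", overlaps(EXISTING, SECOND))
```
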
