On 08.06.23 07:52, Sumit Bose via FreeIPA-users wrote:
On Wed, Jun 07, 2023 at 05:10:15PM +0200, Ronald Wimmer via FreeIPA-users wrote:
On 07.06.23 17:07, Ronald Wimmer via FreeIPA-users wrote:
On 07.06.23 14:27, Ronald Wimmer via FreeIPA-users wrote:
When trying to add an AD group in an external group IPA fails to add
certain groups. Error: "trusted domain object not found"

What the AD objects that cannot be added have in common is that their
RID (last component of SID) is over 20000.

Example group: 201455
Example user: 203766

So. I bet the ID ranges are set too small on the IPA side.

Is this plausible?

I'd say yes...

   Range name: SOMEDOMAIN.MYDOMAIN.AT_id_range
   First Posix ID of the range: 1073800000
   Number of IDs in the range: 200000
   First RID of the corresponding RID range: 0
   Domain SID of the trusted domain: <undisclosed>
   Range type: Active Directory domain range

Hi,

yes, the RIDs over 200k are most probably the reason the objects are not
seen. If you haven't started to change the idrange configuration I would
suggest to add a second idrange for this domain instead of changing just
the size of the range. The reason is that SSSD can add new idranges at
runtime but a change in an existing idrange requires a restart with
removing the cache. So just adding a new idrange will be less effort.

Thanks for the input. I added another id range for that particular domain and everything works perfectly fine now.

Cheers,
Ronald
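
Added example, not part of the original thread: a small model of the range arithmetic discussed above, assuming a RID inside a range maps to first POSIX ID + (RID - first RID) and that a RID outside every range cannot be resolved. The first range uses the values quoted in the thread; the second range's name and values are constructed for illustration and are not the ones Ronald actually configured.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int    # "First Posix ID of the range"
    size: int       # "Number of IDs in the range"
    first_rid: int  # "First RID of the corresponding RID range"

    def covers(self, rid: int) -> bool:
        return self.first_rid <= rid < self.first_rid + self.size

    def to_posix(self, rid: int) -> int:
        return self.base_id + (rid - self.first_rid)


def map_rid(ranges: Iterable[IdRange], rid: int) -> Optional[int]:
    """Return the POSIX ID for a RID, or None if no range covers it."""
    for r in ranges:
        if r.covers(rid):
            return r.to_posix(rid)
    return None


def overlaps(a: IdRange, b: IdRange) -> bool:
    """True if two ranges of the same trusted domain share POSIX IDs or RIDs."""
    posix = a.base_id < b.base_id + b.size and b.base_id < a.base_id + a.size
    rids = a.first_rid < b.first_rid + b.size and b.first_rid < a.first_rid + a.size
    return posix or rids


# Values quoted in the thread.
EXISTING = IdRange("SOMEDOMAIN.MYDOMAIN.AT_id_range", 1073800000, 200000, 0)
# Constructed second range (hypothetical name and numbers): continues where
# the first one ends, in both the RID space and the POSIX ID space.
SECOND = IdRange("example_second_id_range", 1074000000, 200000, 200000)

if __name__ == "__main__":
    assert not overlaps(EXISTING, SECOND)
    for rid in (201455, 203766):  # example group and user RIDs from the thread
        before = map_rid([EXISTING], rid)
        after = map_rid([EXISTING, SECOND], rid)
        print(f"RID {rid}: before={before} after={after}")
```

Running the overlap check before adding a range catches a new range that would hand out POSIX IDs or RIDs already claimed by an existing one.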