hi, posting back to the list.
Apparently the IdM server cannot find a SID of a domain when trying to resolve the user account. It does find the user account, but there are SIDs coupled to the account corresponding to a domain which cannot be resolved. It took me a while, but the SID of that child domain is not the one not resolved. It turns out the SID of the domain not resolving is the one of the IdM realm itself. We have some IdM groups mapped to the AD groups we allow in IdM for RBAC, and if I look at the ipaNTSecurityIdentifier attributes of the IdM groups, those are the groups that are not resolved. This is unexpected (to me at least).

So we have this trust (verified on two different IdM servers, same value):

    ipa trust-find
    ---------------
    1 trust matched
    ---------------
      Realm name: domain.local
      Domain NetBIOS name: DOMAIN
      Domain Security Identifier: S-1-5-21-1416133915-1866970209-3316290679
      Trust type: Active Directory domain
    ----------------------------
    Number of entries returned 1

But inside this IdM domain, we have some IdM POSIX groups with the ipantsecurityidentifier of the not resolvable domain, for instance:

    S-1-5-21-1214650608-3976977395-3073169311-101072

So basically, it is not matching because of this ipantsecurityidentifier, I think. I do not know how to fix this at this moment, or why it has happened. Any ideas?
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
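The check the poster did by hand (take the domain part of each group's ipaNTSecurityIdentifier and see whether any domain the IdM server knows about owns it) can be scripted so it runs over every group at once. The following is an added example written for this page; it is not code from the post or from FreeIPA. It parses the `ipa trust-find` output quoted above, adds the IdM realm's own domain SID (here a placeholder; on a real server take the "Security Identifier" from `ipa trustconfig-show`), and flags groups whose SID prefix matches neither. The group names and their SIDs are constructed sample data; the RID regex, the helper names and `LOCAL_IDM_SID` are assumptions of this example, not FreeIPA identifiers.

```python
import re

# Domain-relative SID: S-1-5-21-<A>-<B>-<C>-<RID>. Well-known SIDs such as
# S-1-5-32-544 deliberately do not match; they belong to no domain.
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")

# Copied from the trust shown in the post (the only real value in the sample).
TRUST_FIND_OUTPUT = """\
---------------
1 trust matched
---------------
  Realm name: domain.local
  Domain NetBIOS name: DOMAIN
  Domain Security Identifier: S-1-5-21-1416133915-1866970209-3316290679
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
"""

# Placeholder for the IdM realm's own domain SID (assumption; the real value
# is the "Security Identifier" line of `ipa trustconfig-show`).
LOCAL_IDM_SID = "S-1-5-21-100000000-200000000-300000000"

# Constructed sample: group name -> ipantsecurityidentifier as
# `ipa group-show <group> --all --raw` would print it. The third SID is the
# unresolvable one quoted in the post.
SAMPLE_GROUPS = {
    "ad_admins_external": "S-1-5-21-1416133915-1866970209-3316290679-1106",
    "ipausers": LOCAL_IDM_SID + "-1001",
    "rbac_ops": "S-1-5-21-1214650608-3976977395-3073169311-101072",
}


def split_sid(sid):
    """Split 'S-1-5-21-A-B-C-RID' into (domain_sid, rid); reject anything else."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return m.group(1), int(m.group(2))


def parse_trust_find(text):
    """Return {domain_sid: realm} from the text output of `ipa trust-find`."""
    trusts, realm = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Realm name:"):
            realm = line.split(":", 1)[1].strip()
        elif line.startswith("Domain Security Identifier:"):
            trusts[line.split(":", 1)[1].strip()] = realm
    return trusts


def known_domains(trust_output=TRUST_FIND_OUTPUT, local_sid=LOCAL_IDM_SID):
    """Every domain SID this IdM server can resolve: its own plus each trust."""
    known = parse_trust_find(trust_output)
    known[local_sid] = "local IdM realm"
    return known


def classify_groups(groups, known):
    """Map group -> (domain_sid, rid, owner); owner is None for an orphan SID."""
    result = {}
    for name, sid in groups.items():
        domain, rid = split_sid(sid)
        result[name] = (domain, rid, known.get(domain))
    return result


def unresolvable_groups(groups, known):
    """Sorted names of groups whose SID prefix belongs to no known domain."""
    classified = classify_groups(groups, known)
    return sorted(n for n, (_, _, owner) in classified.items() if owner is None)


if __name__ == "__main__":
    known = known_domains()
    for name, (domain, rid, owner) in classify_groups(SAMPLE_GROUPS, known).items():
        print(f"{name:20} {domain}  RID={rid}  -> {owner or 'NO KNOWN DOMAIN'}")
    print("unresolvable:", unresolvable_groups(SAMPLE_GROUPS, known))
```

To run it against a live server, replace the two constructed inputs with real ones: feed `ipa trust-find` output into `parse_trust_find`, set `LOCAL_IDM_SID` from `ipa trustconfig-show`, and build the group dictionary from `ipa group-show <group> --all --raw` for each group. A group that lands in the "NO KNOWN DOMAIN" bucket is one whose ipaNTSecurityIdentifier cannot be mapped back to any domain the server trusts, which is the mismatch described in the post.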
