hi,
On Tue, Mar 26, 2024 at 2:47 PM Natxo Asenjo <[email protected]> wrote:

> hi,
>
> posting back to the list.
>
> Apparently the idm server cannot find a SID of a domain when trying to
> resolve the user account. It does find the user account, but there are
> sids coupled to the account corresponding to a domain which cannot be
> resolved.
>
> It took me a while but the sid of that child domain is not the one not
> resolved.
>
> It turns out, the sid of the domain not resolving is the one of the idm
> realm itself, we have some idm groups mapped to the AD groups we allow in
> idm for rbac, and if I look at the ipaNTSecurityIdentifier attributes of
> the id groups, those are the not resolved groups.
>
> This is unexpected (to me at least).
>
> so we have this trust (verified on two different idm servers, same value):
>
> ipa trust-find
> ---------------
> 1 trust matched
> ---------------
> Realm name: domain.local
> Domain NetBIOS name: DOMAIN
> Domain Security Identifier: S-1-5-21-1416133915-1866970209-3316290679
> Trust type: Active Directory domain
> ----------------------------
> Number of entries returned 1
>
> but inside this idm domain, we have some idm posix groups with the
> ipantsecurityidentifier of the not resolvable domain, for instance:
> S-1-5-21-1214650608-3976977395-3073169311-101072
>
> So basically, it is not matching because of this ipantsecurityidentifier,
> I think.
>
> I do not know how to fix this at this moment, or why it has happened. Any
> ideas?
>

I wonder if somebody with more sssd knowledge than me could push me in the right direction. Is it maybe better to ask in the sssd mailing list?

Regards,
Natxo Asenjo

--
--
Groeten,
natxo
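Added example, not part of the original message or of FreeIPA/SSSD: a small Python check that splits each SID into its domain part and RID and groups the SIDs whose domain part matches no domain listed by `ipa trust-find`, which is the mismatch described above. The function names are hypothetical, and the second sample SID (RID 513) is constructed for illustration.

```python
import re
from collections import defaultdict

# `ipa trust-find` output as quoted in the message (separator lines omitted).
TRUST_FIND_OUTPUT = """\
1 trust matched
Realm name: domain.local
Domain NetBIOS name: DOMAIN
Domain Security Identifier: S-1-5-21-1416133915-1866970209-3316290679
Trust type: Active Directory domain
"""

# First SID is the group SID from the message; the second is constructed.
SAMPLE_SIDS = [
    "S-1-5-21-1214650608-3976977395-3073169311-101072",
    "S-1-5-21-1416133915-1866970209-3316290679-513",
]

# Domain-relative SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def trusted_domains(trust_find_text):
    """Map domain SID -> realm name from `ipa trust-find` text output."""
    domains, realm = {}, None
    for line in trust_find_text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Realm name":
            realm = value
        elif key == "Domain Security Identifier":
            domains[value] = realm
    return domains

def split_sid(sid):
    """Return (domain SID, RID); raise ValueError for other SID shapes."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return m.group(1), int(m.group(2))

def unmatched_by_domain(sids, domains):
    """Group the RIDs of SIDs whose domain part is not a known domain SID."""
    unknown = defaultdict(list)
    for sid in sids:
        domain_sid, rid = split_sid(sid)
        if domain_sid not in domains:
            unknown[domain_sid].append(rid)
    return dict(unknown)
```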
