anybody?

On Tue, Apr 2, 2024 at 1:53 PM Natxo Asenjo <[email protected]> wrote:

> hi,
>
> On Tue, Mar 26, 2024 at 2:47 PM Natxo Asenjo <[email protected]>
> wrote:
>
>> hi,
>>
>> posting back to the list.
>>
>> Apparently the idm server cannot find a SID of a domain when trying to
>> resolve the user account. It does find the user account, but there are
>> sids coupled to the account corresponding to a domain which cannot be
>> resolved.
>>
>> It took me a while but the sid of that child domain is not the one not
>> resolved.
>>
>> It turns out, the sid of the domain not resolving is the one of the idm
>> realm itself. We have some idm groups mapped to the AD groups we allow in
>> idm for rbac, and if I look at the ipaNTSecurityIdentifier attributes of
>> the id groups, those are the not resolved groups.
>>
>> This is unexpected (to me at least).
>>
>> so we have this trust (verified on two different idm servers, same value):
>>
>> ipa trust-find
>> ---------------
>> 1 trust matched
>> ---------------
>> Realm name: domain.local
>> Domain NetBIOS name: DOMAIN
>> Domain Security Identifier: S-1-5-21-1416133915-1866970209-3316290679
>> Trust type: Active Directory domain
>> ----------------------------
>> Number of entries returned 1
>>
>> but inside this idm domain, we have some idm posix groups with the
>> ipantsecurityidentifier of the not resolvable domain, for instance:
>> S-1-5-21-1214650608-3976977395-3073169311-101072
>>
>> So basically, it is not matching because of this ipantsecurityidentifier,
>> I think.
>>
>> I do not know how to fix this at this moment, or why it has happened. Any
>> ideas?
>>
>
> I wonder if somebody with more sssd knowledge than me could push me in the
> right direction. Is it maybe better to ask in the sssd mailing list?
>
> Regards,
>
> Natxo Asenjo
>
> --
> --
> Groeten,
> natxo
>

--
--
Groeten,
natxo
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
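
The comparison described in the message above, as an added example that is not part of the original post: it splits a SID into its domain part and RID and checks the group's ipaNTSecurityIdentifier against the domain SID reported by `ipa trust-find`. The function names are hypothetical; the SID values and the trust attribute lines are copied from the message.

```python
import re

# `ipa trust-find` attribute lines and group SID copied from the message above.
TRUST_FIND = """\
  Realm name: domain.local
  Domain NetBIOS name: DOMAIN
  Domain Security Identifier: S-1-5-21-1416133915-1866970209-3316290679
  Trust type: Active Directory domain
"""
GROUP_SID = "S-1-5-21-1214650608-3976977395-3073169311-101072"

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")


def split_sid(sid):
    """Split an S-1-5-21-* SID into (domain SID, RID); RID is None for a bare domain SID."""
    m = SID_RE.match(sid.strip())
    if m is None:
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return m.group(1), int(m.group(2)) if m.group(2) else None


def parse_trusts(text):
    """Return {domain SID: realm name} from `ipa trust-find` output."""
    trusts, realm = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # separator or count line, no attribute on it
        if key == "Realm name":
            realm = value.strip()
        elif key == "Domain Security Identifier":
            trusts[split_sid(value)[0]] = realm
    return trusts


def owning_realm(sid, trusts):
    """Name the trusted realm whose domain SID prefixes `sid`, or None if no trust matches."""
    domain_sid, _rid = split_sid(sid)
    return trusts.get(domain_sid)


if __name__ == "__main__":
    trusts = parse_trusts(TRUST_FIND)
    domain_sid, rid = split_sid(GROUP_SID)
    print(f"group SID domain part: {domain_sid} (RID {rid})")
    print(f"matches trusted realm: {owning_realm(GROUP_SID, trusts)}")
```

For the values in the message, the group SID's domain part does not match the trusted domain's SID, so no trusted realm is returned for it.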
