----- Original Message -----
> From: "Brian Cook" <bc...@redhat.com>
> To: freeipa-users@redhat.com
> Sent: Monday, December 10, 2012 3:30:38 AM
> Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
> I was able to get cross realm trust working with 2k8 R2 DC and RHEL
> 6.4 beta.
> I created an external group in IPA and then added member
> MSAD\Domain Users.
> Now in the members of group external-test I have an unresolved SID
> instead of the name of the group. How might I go about
> troubleshooting / fixing this?

It should be a SID, not a group/user name; that's by design, so there is
nothing broken in your setup.
Since normal groups in IPA LDAP use referential membership and all these
trust users/groups do not exist in IPA LDAP as LDAP objects, we don't reference
them by name directly but rather store SIDs only.

The MS-PAC structure in the Kerberos ticket uses SIDs, and sssd consults the
IPA LDAP server (and then winbindd on the IPA server) for SID-to-name
translation when parsing the MS-PAC.
/ Alexander Bokovoy
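
An added example, not part of the original thread and not FreeIPA or sssd code: the reply's point that trusted-domain members are stored and carried as SIDs, shown by decoding a binary SID (MS-DTYP layout) and comparing the group SIDs a PAC implies against the SIDs stored on an external group. The domain SID, RID 1104, the `external-admins` group and the matching helper are constructed for illustration; 513 and 512 are the well-known Domain Users and Domain Admins RIDs.

```python
import struct


def parse_sid(blob: bytes) -> str:
    """Decode a binary SID (MS-DTYP layout) into its S-1-... string form."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    # Identifier authority is 48-bit big-endian; sub-authorities are
    # 32-bit little-endian.
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def groups_from_pac(domain_sid: bytes, rids, external_members):
    """Return the external groups whose stored SIDs appear in the PAC.

    Hypothetical helper: the PAC carries the logon domain SID once and each
    group as a RID relative to it, so a full group SID is "<domain SID>-<RID>".
    external_members maps an IPA external group name to the SID strings
    stored as its members.
    """
    dom = parse_sid(domain_sid)
    pac_sids = {f"{dom}-{rid}" for rid in rids}
    return sorted(g for g, sids in external_members.items() if sids & pac_sids)


# Constructed sample data (not taken from the thread).
SAMPLE_DOMAIN_SID = (
    struct.pack("<BB", 1, 4)            # revision 1, four sub-authorities
    + (5).to_bytes(6, "big")            # NT Authority
    + struct.pack("<4I", 21, 1111111111, 2222222222, 3333333333)
)
SAMPLE_EXTERNAL = {
    "external-test": {"S-1-5-21-1111111111-2222222222-3333333333-513"},
    "external-admins": {"S-1-5-21-1111111111-2222222222-3333333333-512"},
}

if __name__ == "__main__":
    print(parse_sid(SAMPLE_DOMAIN_SID))
    # A user whose PAC lists Domain Users (513) and a constructed RID 1104.
    print(groups_from_pac(SAMPLE_DOMAIN_SID, [513, 1104], SAMPLE_EXTERNAL))
```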
