----- Original Message -----
> From: "Brian Cook" <bc...@redhat.com>
> To: firstname.lastname@example.org
> Sent: Monday, December 10, 2012 3:30:38 AM
> Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
> I was able to get cross realm trust working with 2k8 R2 DC and RHEL
> 6.4 beta.
> I created an external group in IPA and then added member MSAD\Domain
> Now in the members of group external-test I have an unresolved sid
> instead of the name of the group. How might I go about
> troubleshooting / fixing this?

It should be a SID, not a group/user name; that's by design, so there is nothing
broken in your setup.
Since normal groups in IPA LDAP are using referential membership and all these
trust users/groups do not exist in IPA LDAP as LDAP objects, we don't reference
them by names directly but rather store SIDs only.
MS-PAC structure in the Kerberos ticket uses SIDs, and sssd consults IPA LDAP
server (and then winbindd on IPA server) for SID to name translation when
/ Alexander Bokovoy
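
When checking which domain an external member SID belongs to, it helps to decode it by hand. The following is an added example, not part of the original message or of FreeIPA's code: it decodes the standard packed binary SID layout into the `S-1-...` text form and splits a domain-relative SID into domain SID and RID. The domain SID, the RID and all function names are constructed for illustration.

```python
import struct

# Constructed sample values, not taken from the thread.
TRUSTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_RAW = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1104)


def sid_from_bytes(raw: bytes) -> str:
    """Decode a packed binary SID into its S-1-... text form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_domain_rid(sid: str):
    """Split S-1-5-21-a-b-c-RID into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain-relative SID: %r" % sid)
    if not all(p.isdigit() and int(p) < 2 ** 32 for p in parts[4:]):
        raise ValueError("sub-authority out of range: %r" % sid)
    return "-".join(parts[:7]), int(parts[7])


def in_trusted_domain(sid: str, domain_sid: str = TRUSTED_DOMAIN_SID) -> bool:
    """True if the member SID was issued by the given trusted domain."""
    try:
        return split_domain_rid(sid)[0] == domain_sid
    except ValueError:
        return False   # well-known or malformed SIDs are not domain members


if __name__ == "__main__":
    sid = sid_from_bytes(SAMPLE_RAW)
    print(sid, split_domain_rid(sid), in_trusted_domain(sid))
```
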