Good to know my setup is working, but for administration purposes displaying a 
SID in the GUI is as useless as displaying UID's with no user name.  SID's are 
not meant for human eyes.  Is there some issue with resolving it to the name 
and displaying the name instead?  Should I open an RFE?


On Dec 9, 2012, at 10:13 PM, Alexander Bokovoy <> wrote:

> ----- Original Message -----
>> From: "Brian Cook" <>
>> To:
>> Sent: Monday, December 10, 2012 3:30:38 AM
>> Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
>> I was able to get cross realm trust working with 2k8 R2 DC and RHEL
>> 6.4 beta.
>> I created an external group in IPA and then added member MSAD\Domain
>> Users
>> Now in the members of group external-test I have an unresolved sid
>> instead of the name of the group.  How might I go about
>> troubleshooting / fixing this?
> It should be SID, not group/user name, that's by design, so there is nothing 
> broken in your setup.
> Since normal groups in IPA LDAP are using referential membership and all 
> these trust users/groups do not exist in IPA LDAP as LDAP objects, we don't 
> reference them by names directly but rather store SIDs only.
> MS-PAC structure in the kerberos ticket uses SIDs, and sssd consults IPA LDAP 
> server (and then winbindd on IPA server) for SID to name translation when 
> parsing MS-PAC.
> -- 
> / Alexander Bokovoy

Freeipa-users mailing list

Reply via email to