Hello, 

I manage two independent AD domains, and I set up a trust with my 
FreeIPA server (realm NAT.ABES.FR). 

The trust-add step is OK for both, and both trusts are seen as Active 
Directory trusts: 

2 trusts matched 
---------------- 
Realm name: ACME.local 
Domain NetBIOS name: ACME 
Domain Security Identifier: S-1-5-21-3044139164-2180978765-3887461208 
Trust type: Active Directory domain 

Realm name: levant.abes.fr 
Domain NetBIOS name: LEVANT 
Domain Security Identifier: S-1-5-21-116659660-2524593236-2569697501 
Trust type: Active Directory domain 

ID ranges are also OK: 

Range name: ACME.LOCAL_id_range 
First Posix ID of the range: 542000000 
Number of IDs in the range: 200000 
First RID of the corresponding RID range: 0 
Domain SID of the trusted domain: S-1-5-21-3044139164-2180978765-3887461208 
Range type: Active Directory domain range 

Range name: LEVANT.ABES.FR_id_range 
First Posix ID of the range: 564400000 
Number of IDs in the range: 200000 
First RID of the corresponding RID range: 0 
Domain SID of the trusted domain: S-1-5-21-116659660-2524593236-2569697501 
Range type: Active Directory domain range 

I can get IDs with ACME.local but not with levant.abes.fr: 

id toto@ACME.local 
uid=542001112(toto@ACME.local) gid=542001112(toto@ACME.local) 
groups=542001112(toto@ACME.local),542000513(utilisateurs du domaine@ACME.local) 

id administrat...@levant.abes.fr 
id: ‘administrat...@levant.abes.fr’: no such user 

When debugging SSSD, I find that the LDAP filter query is not the same 
on both domains: 

ACME.local: 
[(&(sAMAccountName=toto)(objectclass=user)(sAMAccountName=*)(objectSID=*))] 

levant.abes.fr: 
[(&(sAMAccountName=poujol)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]

The ACME domain is on a single 2012R2 server 

The LEVANT domain is on an AD cluster with different AD versions: 2008, 
2012R2, 2016 

SRV records are all OK from the AD side and from the IPA server side. 

Some users on LEVANT previously had some Unix attributes, which I deleted, 
along with any msSFU30OrderNumber or msSFU30MaxUidNumber, as mentioned here: 
https://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD 

I deleted and recreated the trust and restarted the SSSD daemon, but the 
result is always the same: the LDAP search on AD is always done with 
uidNumber instead of objectSID, and no users of the trusted domain are found. 

What more can I do? 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
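The mismatch the post describes (an ID range of type "Active Directory domain range" on the IPA side, but an SSSD lookup filter that requires `uidNumber` instead of `objectSID`) can be checked mechanically. The script below is an added example, not code from the post, from FreeIPA or from SSSD. It parses trimmed copies of the `ipa trust-find` and `ipa idrange-find` output quoted above (constructed samples, with the LEVANT SID re-joined from the garbled copy), classifies each SSSD filter by the attribute it keys on, and reports per realm whether the observed lookup mode matches what the range type implies. It also shows the ID-mapping arithmetic for the ACME range, which explains the `542001112` and `542000513` IDs in the `id toto@ACME.local` output (RID 1112 and RID 513 added to the range base). The label `Active Directory trust range with POSIX attributes` for the POSIX range type is taken from FreeIPA's idrange naming and is an assumption here.

```python
import re

# Constructed samples, copied from the outputs quoted in the post above
# (one attribute per line, entries separated by a blank line).
TRUST_FIND = """\
Realm name: ACME.local
Domain NetBIOS name: ACME
Domain Security Identifier: S-1-5-21-3044139164-2180978765-3887461208
Trust type: Active Directory domain

Realm name: levant.abes.fr
Domain NetBIOS name: LEVANT
Domain Security Identifier: S-1-5-21-116659660-2524593236-2569697501
Trust type: Active Directory domain
"""

IDRANGE_FIND = """\
Range name: ACME.LOCAL_id_range
First Posix ID of the range: 542000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-3044139164-2180978765-3887461208
Range type: Active Directory domain range

Range name: LEVANT.ABES.FR_id_range
First Posix ID of the range: 564400000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-116659660-2524593236-2569697501
Range type: Active Directory domain range
"""

# The two LDAP filters seen in the SSSD debug log, keyed by realm.
SSSD_FILTERS = {
    "ACME.local": "(&(sAMAccountName=toto)(objectclass=user)(sAMAccountName=*)(objectSID=*))",
    "levant.abes.fr": "(&(sAMAccountName=poujol)(objectclass=user)(sAMAccountName=*)"
                      "(&(uidNumber=*)(!(uidNumber=0))))",
}

# Range type label -> lookup mode SSSD should use. The POSIX label is an
# assumption based on FreeIPA's idrange type naming.
RANGE_TYPE_MODE = {
    "Active Directory domain range": "idmap",
    "Active Directory trust range with POSIX attributes": "posix",
}


def parse_blocks(text):
    """Split `ipa *-find` style output into a list of {attribute: value} dicts."""
    blocks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                blocks.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        blocks.append(current)
    return blocks


def lookup_mode(ldap_filter):
    """Classify an SSSD user-lookup filter by the attribute it requires."""
    if "(objectSID=*)" in ldap_filter:
        return "idmap"
    if "(uidNumber=*)" in ldap_filter:
        return "posix"
    return "unknown"


def posix_id_for_sid(idrange, sid):
    """POSIX ID an ID-mapping range assigns to a SID: base + (RID - first RID).

    Returns None when the SID belongs to another domain or the RID falls
    outside the range.
    """
    domain_sid, _, rid = sid.rpartition("-")
    if domain_sid != idrange["Domain SID of the trusted domain"]:
        return None
    base = int(idrange["First Posix ID of the range"])
    size = int(idrange["Number of IDs in the range"])
    first_rid = int(idrange["First RID of the corresponding RID range"])
    offset = int(rid) - first_rid
    return base + offset if 0 <= offset < size else None


def diagnose(trust_text, idrange_text, filters):
    """Cross-check trust SID, range type and observed SSSD filter per realm."""
    ranges = {r["Domain SID of the trusted domain"]: r for r in parse_blocks(idrange_text)}
    report = {}
    for trust in parse_blocks(trust_text):
        realm = trust["Realm name"]
        idrange = ranges.get(trust["Domain Security Identifier"])
        expected = RANGE_TYPE_MODE.get(idrange["Range type"], "unknown") if idrange else "no range"
        observed = lookup_mode(filters.get(realm, ""))
        report[realm] = {
            "range_found_for_sid": idrange is not None,
            "expected_mode": expected,
            "observed_mode": observed,
            "consistent": idrange is not None and expected == observed,
        }
    return report


if __name__ == "__main__":
    for realm, result in diagnose(TRUST_FIND, IDRANGE_FIND, SSSD_FILTERS).items():
        print(realm, result)
```

Run against the quoted data, the report marks ACME.local as consistent (idmap range, objectSID filter) and levant.abes.fr as inconsistent (idmap range, but a uidNumber filter), which is exactly the symptom in the post; the script does not say why SSSD chose that filter, only that it disagrees with the IPA-side range type.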