[Freeipa-users] Re: IPA fails to find certain AD groups
On 08.06.23 07:52, Sumit Bose via FreeIPA-users wrote:
> On Wed, Jun 07, 2023 at 05:10:15PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > On 07.06.23 17:07, Ronald Wimmer via FreeIPA-users wrote:
> > > On 07.06.23 14:27, Ronald Wimmer via FreeIPA-users wrote:
> > > > When trying to add an AD group to an external group, IPA fails to add
> > > > certain groups. Error: "trusted domain object not found"
> > >
> > > What the AD objects that cannot be added have in common is that their
> > > RID (last component of the SID) is over 2.
> > >
> > > Example group: 201455
> > > Example user: 203766
> > >
> > > So, I bet the ID ranges are set too small on the IPA side.
> > >
> > > Is this plausible?
> >
> > I'd say yes...
> >
> > Range name: SOMEDOMAIN.MYDOMAIN.AT_id_range
> > First Posix ID of the range: 107380
> > Number of IDs in the range: 20
> > First RID of the corresponding RID range: 0
> > Domain SID of the trusted domain:
> > Range type: Active Directory domain range
>
> Hi,
>
> yes, the RIDs over 200k are most probably the reason the objects are not
> seen. If you haven't started to change the idrange configuration, I would
> suggest adding a second idrange for this domain instead of changing just
> the size of the existing range. The reason is that SSSD can add new
> idranges at runtime, but a change to an existing idrange requires a
> restart with removal of the cache. So just adding a new idrange will be
> less effort.

Thanks for the input. I added another ID range for that particular domain and everything works perfectly fine now.

Cheers,
Ronald
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: IPA fails to find certain AD groups
On Wed, Jun 07, 2023 at 05:10:15PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 07.06.23 17:07, Ronald Wimmer via FreeIPA-users wrote:
> > On 07.06.23 14:27, Ronald Wimmer via FreeIPA-users wrote:
> > > When trying to add an AD group to an external group, IPA fails to add
> > > certain groups. Error: "trusted domain object not found"
> >
> > What the AD objects that cannot be added have in common is that their
> > RID (last component of the SID) is over 2.
> >
> > Example group: 201455
> > Example user: 203766
> >
> > So, I bet the ID ranges are set too small on the IPA side.
> >
> > Is this plausible?
>
> I'd say yes...
>
> Range name: SOMEDOMAIN.MYDOMAIN.AT_id_range
> First Posix ID of the range: 107380
> Number of IDs in the range: 20
> First RID of the corresponding RID range: 0
> Domain SID of the trusted domain:
> Range type: Active Directory domain range

Hi,

yes, the RIDs over 200k are most probably the reason the objects are not seen. If you haven't started to change the idrange configuration, I would suggest adding a second idrange for this domain instead of changing just the size of the existing range. The reason is that SSSD can add new idranges at runtime, but a change to an existing idrange requires a restart with removal of the cache. So just adding a new idrange will be less effort.

HTH

bye,
Sumit
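To make the arithmetic behind Sumit's explanation concrete, here is an added example (not from the thread or from FreeIPA/SSSD itself) that models how an "Active Directory domain range" turns a SID's RID into a POSIX ID, shows that a RID beyond the range's size gets no mapping at all, and checks that a second range added for the same domain does not overlap the first. The domain SID, range names and range sizes are constructed; only the three RIDs come from the thread.

```python
# Added example, not from the thread or FreeIPA: models how an IPA "Active
# Directory domain range" maps a SID's RID to a POSIX ID. All values constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int     # "First Posix ID of the range"
    range_size: int  # "Number of IDs in the range"
    base_rid: int    # "First RID of the corresponding RID range"

    def covers_rid(self, rid: int) -> bool:
        return self.base_rid <= rid < self.base_rid + self.range_size

    def posix_id(self, rid: int) -> int:
        # Offset of the RID within the RID window, shifted into POSIX ID space.
        return self.base_id + (rid - self.base_rid)

def rid_of(sid: str) -> int:
    """Last sub-authority of a SID string: S-1-5-21-a-b-c-201455 -> 201455."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid}")
    return int(parts[-1])

def map_sid(sid: str, ranges: List[IdRange]) -> Optional[int]:
    """POSIX ID for the SID, or None when no range covers its RID (the
    condition behind the 'trusted domain object not found' error)."""
    rid = rid_of(sid)
    for r in ranges:
        if r.covers_rid(rid):
            return r.posix_id(rid)
    return None

def ranges_overlap(a: IdRange, b: IdRange) -> bool:
    """IPA rejects idranges whose POSIX ID or RID windows overlap; check both."""
    def overlap(s1, n1, s2, n2):
        return s1 < s2 + n2 and s2 < s1 + n1
    return (overlap(a.base_id, a.range_size, b.base_id, b.range_size)
            or overlap(a.base_rid, a.range_size, b.base_rid, b.range_size))

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed domain SID
# Original range covers RIDs 0..199999; the second one adds 200000..399999.
ORIGINAL = IdRange("EXAMPLE_id_range", base_id=1000000, range_size=200000, base_rid=0)
EXTRA = IdRange("EXAMPLE_id_range_2", base_id=1200000, range_size=200000, base_rid=200000)

if __name__ == "__main__":
    for rid in (198387, 201455, 203766):  # RIDs quoted in the thread
        sid = f"{DOMAIN_SID}-{rid}"
        print(rid, map_sid(sid, [ORIGINAL]), map_sid(sid, [ORIGINAL, EXTRA]))
```

With only the original range, RID 198387 maps but 201455 and 203766 return None; once the second range is present all three resolve, which is the behaviour Ronald reports after adding another idrange.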
[Freeipa-users] Re: IPA fails to find certain AD groups
On 07.06.23 17:07, Ronald Wimmer via FreeIPA-users wrote:
> On 07.06.23 14:27, Ronald Wimmer via FreeIPA-users wrote:
> > When trying to add an AD group to an external group, IPA fails to add
> > certain groups. Error: "trusted domain object not found"
>
> What the AD objects that cannot be added have in common is that their
> RID (last component of the SID) is over 2.
>
> Example group: 201455
> Example user: 203766
>
> So, I bet the ID ranges are set too small on the IPA side.
>
> Is this plausible?

I'd say yes...

Range name: SOMEDOMAIN.MYDOMAIN.AT_id_range
First Posix ID of the range: 107380
Number of IDs in the range: 20
First RID of the corresponding RID range: 0
Domain SID of the trusted domain:
Range type: Active Directory domain range
[Freeipa-users] Re: IPA fails to find certain AD groups
On 07.06.23 14:27, Ronald Wimmer via FreeIPA-users wrote:
> When trying to add an AD group to an external group, IPA fails to add
> certain groups. Error: "trusted domain object not found"

What the AD objects that cannot be added have in common is that their RID (last component of the SID) is over 2.

Example group: 201455
Example user: 203766

So, I bet the ID ranges are set too small on the IPA side.

Is this plausible?

The remaining question is why a group that could already be added to IPA cannot be added anymore (RID 198387). The group is a domain local group. Maybe it could be added in the past due to a bug that is fixed now?

Cheers,
Ronald