On Wed, Jun 24, 2020 at 11:40:45AM +0200, Nathanaël Blanchet via FreeIPA-users
wrote:
> Hello,
>
> I manage two independent AD domains, and I set up a trust with my
> freeipa server (realm NAT.ABES.FR).
>
> The trust-add step is ok for both and trust are both seen as active
> directory trust:
>
> 2 trusts matched
> ----------------
>
> Realm name: ACME.local
> Domain NetBIOS name: ACME
> Domain Security Identifier: S-1-5-21-3044139164-2180978765-3887461208
> Trust type: Active Directory domain
>
> Realm name: levant.abes.fr
> Domain NetBIOS name: LEVANT
> Domain Security Identifier: S-1-5-21-116659660-2524593236-2569697501
> Trust type: Active Directory domain
>
> Idranges are also ok:
>
> Range name: ACME.LOCAL_id_range
> First Posix ID of the range: 542000000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 0
> Domain SID of the trusted domain: S-1-5-21-3044139164-2180978765-3887461208
> Range type: Active Directory domain range
>
> Range name: LEVANT.ABES.FR_id_range
> First Posix ID of the range: 564400000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 0
> Domain SID of the trusted domain: S-1-5-21-116659660-2524593236-2569697501
> Range type: Active Directory domain range
>
> I can get id with ACME.local but not on levant.abes.fr:
>
> id [email protected]
> uid=542001112([email protected]) gid=542001112([email protected])
> groups=542001112([email protected]),542000513(utilisateurs du [email protected])
>
> id [email protected]
> id: ‘[email protected]’: no such user
>
> When debugging sssd, I find that the LDAP filter query is not the same
> on both domains:
>
> ACME.local:
> [(&(sAMAccountName=toto)(objectclass=user)(sAMAccountName=*)(objectSID=*))]
>
> levant.abes.fr:
> [(&(sAMAccountName=poujol)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]
>
> The ACME domain is on a single 2012R2 server
>
> The LEVANT domain is on an AD cluster with different AD versions: 2008,
> 2012R2, 2016
>
> SRV records are all ok from AD side and from ipaserver side.
>
> Some users on LEVANT previously had some unix attributes that I deleted,
> and so any msSFU30OrderNumber or msSFU30MaxUidNumber or
> msSFU30MaxUidNumber as mentioned here:
> https://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
>
> I deleted and recreated the trust and restarted the sssd daemon, but the
> result is always the same: the LDAP search on AD is always done with
> uidNumber instead of objectSID and no users of the trusted domain are found.
>
> What more can I do?
Hi,
did you remove SSSD's cache while restarting SSSD? Please try
sssctl cache-remove -ops
or if sssctl is not installed
systemctl stop sssd.service ; rm -f /var/lib/sss/db/* ; systemctl start sssd.service
HTH
bye,
Sumit
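As an added example, not part of this thread and not SSSD or FreeIPA code, the two checks the question turns on, in Python: classifying an SSSD debug line by the user-search filter it carries (the ACME filter quoted above requires objectSID, i.e. ID mapping; the LEVANT one requires uidNumber, i.e. POSIX attributes served by AD), and the SID-to-POSIX-ID arithmetic of the two ID ranges, which reproduces the uid 542001112 and gid 542000513 the `id` output shows for the ACME user (RID 1112, and RID 513 for Domain Users). The filters and range values are copied from the thread; the log framing around the filters in the sample lines and the LEVANT RID used in the demonstration are assumptions.

```python
import re

# ID ranges copied from the `ipa idrange-find` output quoted in the thread,
# keyed by trusted-domain SID. "First RID of the corresponding RID range" is
# 0 for both, so POSIX ID = base_id + RID for RIDs below the range size.
ID_RANGES = {
    "S-1-5-21-3044139164-2180978765-3887461208": {  # ACME.LOCAL_id_range
        "base_id": 542000000, "size": 200000, "base_rid": 0},
    "S-1-5-21-116659660-2524593236-2569697501": {   # LEVANT.ABES.FR_id_range
        "base_id": 564400000, "size": 200000, "base_rid": 0},
}

# Domain SID plus RID, in the S-1-5-21-x-y-z-rid form AD accounts use.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def sid_to_posix_id(sid, ranges=ID_RANGES):
    """POSIX ID that algorithmic (objectSID-based) ID mapping assigns to an
    AD SID: base_id + (rid - base_rid). Returns None when the domain SID
    matches no trusted range or the RID lies outside the range, which is one
    way a trusted user ends up as "no such user"."""
    m = SID_RE.match(sid)
    if not m:
        return None
    domain_sid, rid = m.group(1), int(m.group(2))
    rng = ranges.get(domain_sid)
    if rng is None:
        return None
    offset = rid - rng["base_rid"]
    if not 0 <= offset < rng["size"]:
        return None
    return rng["base_id"] + offset


# The search filter is the bracketed "(&...)" in SSSD's
# "calling ldap_search_ext with [...]" debug lines (framing assumed below).
FILTER_RE = re.compile(r"\[(\(&.*\))\]")


def lookup_mode(log_line):
    """Classify one SSSD debug line by the user-search filter it carries:
    'sid'   -> filter requires objectSID (ID mapping; expected for a
               trusted AD domain that serves no POSIX attributes),
    'posix' -> filter requires uidNumber (SSSD treats the AD domain as
               serving POSIX attributes, so SID-only users never match),
    None    -> no LDAP filter on the line."""
    m = FILTER_RE.search(log_line)
    if not m:
        return None
    ldap_filter = m.group(1)
    if "(objectSID=*)" in ldap_filter:
        return "sid"
    if "(uidNumber=*)" in ldap_filter:
        return "posix"
    return None


def posix_mode_lines(log_lines):
    """Lines whose user lookup ran with a uidNumber filter: these are the
    lookups that cannot find SID-only users such as the LEVANT ones."""
    return [line for line in log_lines if lookup_mode(line) == "posix"]


# Constructed sample log: the filters are verbatim from the thread, the
# module name, debug level and search base around them are assumed.
SAMPLE_LOG = [
    "[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with "
    "[(&(sAMAccountName=toto)(objectclass=user)(sAMAccountName=*)(objectSID=*))]"
    "[DC=ACME,DC=local].",
    "[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with "
    "[(&(sAMAccountName=poujol)(objectclass=user)(sAMAccountName=*)"
    "(&(uidNumber=*)(!(uidNumber=0))))][DC=levant,DC=abes,DC=fr].",
    "[sdap_id_op_connect_done] (0x4000): notify connected to op #1",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(lookup_mode(line), "<-", line[:60])
    # toto (RID 1112) and Domain Users (RID 513) in ACME, as in the id output
    print(sid_to_posix_id("S-1-5-21-3044139164-2180978765-3887461208-1112"))
    print(sid_to_posix_id("S-1-5-21-3044139164-2180978765-3887461208-513"))
```

Run `lookup_mode` over the lines of the trusted domain's SSSD log after raising its debug level; a 'posix' result for a domain whose range is of type "Active Directory domain range", as LEVANT's is above, is exactly the mismatch described in the question, and the cache removal suggested in the reply is the first thing to try before digging further.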
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]