It works thank you so much!
On 24/06/2020 at 12:44, Sumit Bose via FreeIPA-users wrote:
On Wed, Jun 24, 2020 at 11:40:45AM +0200, Nathanaël Blanchet via FreeIPA-users wrote:
Hello,
I manage two independent AD domains, and I set up a trust with my FreeIPA server (realm NAT.ABES.FR).
The trust-add step is OK for both, and both trusts are seen as Active Directory trusts:

2 trusts matched
----------------
  Realm name: ACME.local
  Domain NetBIOS name: ACME
  Domain Security Identifier: S-1-5-21-3044139164-2180978765-3887461208
  Trust type: Active Directory domain

  Realm name: levant.abes.fr
  Domain NetBIOS name: LEVANT
  Domain Security Identifier: S-1-5-21-116659660-2524593236-2569697501
  Trust type: Active Directory domain
ID ranges are also OK:

  Range name: ACME.LOCAL_id_range
  First Posix ID of the range: 542000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3044139164-2180978765-3887461208
  Range type: Active Directory domain range

  Range name: LEVANT.ABES.FR_id_range
  First Posix ID of the range: 564400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-116659660-2524593236-2569697501
  Range type: Active Directory domain range
I can get an id with ACME.local but not with levant.abes.fr:

id [email protected]
uid=542001112([email protected]) gid=542001112([email protected]) groups=542001112([email protected]),542000513(utilisateurs du [email protected])

id [email protected]
id: '[email protected]': no such user
When debugging sssd, I find that the LDAP filter query is not the same on both domains:

ACME.local:
[(&(sAMAccountName=toto)(objectclass=user)(sAMAccountName=*)(objectSID=*))]

levant.abes.fr:
[(&(sAMAccountName=poujol)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]
The ACME domain is on a single 2012R2 server.
The LEVANT domain is on an AD cluster with different AD versions: 2008, 2012R2, 2016.
SRV records are all OK from the AD side and from the IPA server side.
Some users on LEVANT previously had some Unix attributes that I deleted, and so I deleted any msSFU30OrderNumber or msSFU30MaxUidNumber attributes, as mentioned here:
https://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
I deleted and recreated the trust and restarted the sssd daemon, but the result is always the same: the LDAP search on AD is always done with uidNumber instead of objectSID, and no users of the trusted domain are found.
What more can I do?
Hi,
Did you remove SSSD's cache while restarting SSSD? Please try

sssctl cache-remove -ops

or, if sssctl is not installed,

systemctl stop sssd.service ; rm -f /var/lib/sss/db/* ; systemctl start sssd.service
HTH
bye,
Sumit
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
--
Nathanaël Blanchet
Network supervision
SIRE
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tel. 33 (0)4 67 54 84 55
Fax 33 (0)4 67 54 84 14
[email protected]
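The diagnostic in this thread (a user filter keyed on uidNumber while the ID range says SIDs should be mapped) can be checked mechanically. The script below is an added example, not code from the thread or from SSSD: it pulls the LDAP filters out of SSSD domain-log lines and compares the attribute each one keys on against the attribute expected for the `ipa idrange-find` range type. The log lines and the mapping of range-type display names to attributes are constructed/assumed here.

```python
import re

# Expected lookup attribute per IPA range-type display name (assumed mapping):
# ipa-ad-trust maps IDs from the SID, ipa-ad-trust-posix reads POSIX IDs from AD.
EXPECTED_ATTR = {
    "Active Directory domain range": "objectSID",
    "Active Directory trust range with POSIX attributes": "uidNumber",
}

# SSSD logs the search filter in square brackets after "calling ldap_search_ext with".
FILTER_RE = re.compile(r"ldap_search_ext with \[(\(&[^\]]*\))\]")

# Constructed sample log lines carrying the two filters quoted in the thread.
SAMPLE_LOG = [
    "(2020-06-24 11:30:01): [be[nat.abes.fr]] [sdap_get_generic_ext_step] (0x0400): "
    "calling ldap_search_ext with [(&(sAMAccountName=toto)(objectclass=user)"
    "(sAMAccountName=*)(objectSID=*))][DC=ACME,DC=local].",
    "(2020-06-24 11:30:02): [be[nat.abes.fr]] [sdap_get_generic_ext_step] (0x0400): "
    "calling ldap_search_ext with [(&(sAMAccountName=poujol)(objectclass=user)"
    "(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=levant,DC=abes,DC=fr].",
]


def lookup_attr(ldap_filter):
    """Return the attribute a user-lookup filter keys on: 'objectSID', 'uidNumber' or None."""
    if "(objectSID=*)" in ldap_filter:
        return "objectSID"
    if "(uidNumber=*)" in ldap_filter:
        return "uidNumber"
    return None


def check_domain(range_type, log_lines):
    """Compare every filter found in log_lines with the attribute the range type implies.

    Returns a list of (filter, attribute_used, matches_range_type) tuples; a False
    flag means SSSD is looking users up in a way the configured ID range does not
    expect, which is the symptom described in the thread.
    """
    expected = EXPECTED_ATTR[range_type]
    results = []
    for line in log_lines:
        match = FILTER_RE.search(line)
        if match is None:
            continue
        attr = lookup_attr(match.group(1))
        results.append((match.group(1), attr, attr == expected))
    return results


if __name__ == "__main__":
    for flt, attr, ok in check_domain("Active Directory domain range", SAMPLE_LOG):
        print("OK  " if ok else "MISMATCH", attr, flt)
```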