On Fri, Dec 04, 2020 at 02:05:58PM +0100, Natxo Asenjo via FreeIPA-users wrote:
> hi,
>
> I found this: https://access.redhat.com/solutions/2261041
>
> which looks like what I am seeing at my end. In /etc/krb5.conf in
> [libdefaults]
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> dns_canonicalize_hostname = false
> ticket_lifetime = 24h
> forwardable = true
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
>
> and if I look at my user object in AD using ldapsearch, I see
>
> primaryGroupID: 513
>
> which looks like the right one for 'Domain Users'.

Hi,

can you send the server logs with debug_level=9 covering

    sss_cache -g 'Domain [email protected]'
    getent group 'Domain [email protected]'
    getent group 1576200513

The 'sss_cache' command should make sure the cached entry is expired and
has to be refreshed by the backend.

bye,
Sumit

>
>
> On Fri, Dec 4, 2020 at 12:42 PM Natxo Asenjo <[email protected]> wrote:
>
> >
> > hi,
> >
> > let's see:
> >
> > server:
> > ~]$ getent group 'Domain [email protected]'
> > domain [email protected]:*:1576200513:[email protected]
> > ~]$ getent group 1576200513
> > domain [email protected]:*:1576200513:[email protected]
> >
> > I tried before and the list came back empty (no users, but gid could be
> > resolved though), now one user (there are at least a few hundreds).
> >
> >
> > idm client:
> > $ getent group 'Domain [email protected]'
> > $ getent group 1576200513
> >
> > So the client gets nothing back indeed. After logging in, I get an error
> > in the shell: "/usr/bin/id: cannot find name for group ID 1576200513", so
> > this seems related (was already wondering about this too).
> >
> > and in the attachment the sssd_domain log file.
> >
> > Thanks!
> >
> > --
> > regards,
> > Natxo
> >
>
>
> --
> Groeten,
> natxo
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]