On Thu, Mar 4, 2021, at 17:46, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 04 Mar 2021, Lachlan Simpson via FreeIPA-users wrote:
> >
> The SMB fallback group is in IPA and has to have SID assigned, from IPA
> range. This is for the situation when a primary group of a user in IPA
> does not have a SID or a user does not have a primary group pointed by
> their GID. This is not for AD users.
>
> An easier way to get it working is by returning back the fallback group
> reference to the original SMB fallback group and make sure it has SID.

How do I determine the original samba fallback group? I have only added the
single group to IPA. The others are the defaults, so ipausers would be the
default group? How do I determine if an IPA group has a SID? I can see an
ipauniqueid when I run

  ipa group-show ipausers --all

I understand the relationship between RID and SID. I'm less comfortable with my
understanding of POSIX GID and RID/SID, but I think I have it.

I note that one of my AD trusts doesn't have an idrange at all - why would one
trust not have a range? I presumed that step happens when creating the trust.
The adtest trust was the first trust added. Would that be causing the issue?

# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: AD.COMPANY.COM_range
  First Posix ID of the range: 1042800000
  Number of IDs in the range: 5000000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1140405718-358989843-3445714273
  Range type: Active Directory domain range

  Range name: TEST.IPA.COMPANY.COM_range
  First Posix ID of the range: 709600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

# ipa trust-find
----------------
2 trusts matched
----------------
  Realm name: ad.COMPANY.COM
  Domain NetBIOS name: ADPROD
  Domain Security Identifier: S-1-5-21-1140405718-358989843-3445714273
  Trust type: Active Directory domain
  UPN suffixes: COMPANY.COM

  Realm name: adtest.COMPANY.COM
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-3854405848-1337145201-2106073647
  Trust type: Active Directory domain
----------------------------
Number of entries returned 2
----------------------------

Cheers
L.
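
Added example, not part of the original message and not FreeIPA code: a small Python check that cross-references the two command outputs quoted above and lists every trust whose domain SID has no ID range. The function names are hypothetical; the sample text is the output from this message, and the parser accepts it with or without blank lines between entries.

```python
# Output copied from the message above; only the key/value lines are needed.
IDRANGE_FIND = """\
Range name: AD.COMPANY.COM_range
First Posix ID of the range: 1042800000
Number of IDs in the range: 5000000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-1140405718-358989843-3445714273
Range type: Active Directory domain range
Range name: TEST.IPA.COMPANY.COM_range
First Posix ID of the range: 709600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
"""
TRUST_FIND = """\
Realm name: ad.COMPANY.COM
Domain NetBIOS name: ADPROD
Domain Security Identifier: S-1-5-21-1140405718-358989843-3445714273
Trust type: Active Directory domain
UPN suffixes: COMPANY.COM
Realm name: adtest.COMPANY.COM
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-3854405848-1337145201-2106073647
Trust type: Active Directory domain
"""


def parse_entries(text):
    """Split `ipa *-find` output into dicts; a blank line or a repeated key starts a new entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if cur and (not line.strip() or key in cur):
            entries.append(cur)
            cur = {}
        if sep:  # banner lines and dashes carry no "key: value" pair and are skipped
            cur[key] = value
    return entries + ([cur] if cur else [])


def trusts_without_range(trust_text, range_text):
    """Return the realm names of trusts whose domain SID appears in no ID range."""
    covered = {r.get("Domain SID of the trusted domain") for r in parse_entries(range_text)}
    covered.discard(None)  # the local domain range carries no trusted-domain SID
    return [t["Realm name"] for t in parse_entries(trust_text)
            if t.get("Domain Security Identifier") not in covered]
```

Run against the output above, trusts_without_range(TRUST_FIND, IDRANGE_FIND) reports adtest.COMPANY.COM, the trust noted in the message as having no range.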