On Fri, 05 Mar 2021, Lachlan Simpson via FreeIPA-users wrote:
On Thu, Mar 4, 2021, at 17:46, Alexander Bokovoy via FreeIPA-users wrote:
On Thu, 04 Mar 2021, Lachlan Simpson via FreeIPA-users wrote:
The SMB fallback group is in IPA and has to have a SID assigned, from the IPA
range. This is for the situation when a primary group of a user in IPA
does not have a SID, or a user does not have a primary group pointed to by
their GID. This is not for AD users.

An easier way to get it working is to return the fallback group
reference back to the original SMB fallback group and make sure it has a SID.

How do I determine the original samba fallback group? I have only added
the single group to IPA. The others are the defaults, so ipausers would
be the default group? How do I determine if an IPA group has a SID? I
can see an ipauniqueid when I run

ipa group-show ipausers --all

The default IPA fallback group for SMB operations is named 'Default SMB Group'

   ipa group-show 'Default SMB Group' --all

will show the group and its SID (ipantsecurityidentifier attribute).

The SID should be allocated under the IPA domain SID which you'll see in
'ipa trustconfig-show' output.

I understand the relationship between RID and SID. I'm less comfortable
with my understanding of POSIX GID and RID/SID, but I think I have it.

I note that one of my AD trusts doesn't have an idrange at all - why
would one trust not have a range? I presumed that step happens when
creating the trust. The adtest trust was the first trust added. Would
that be causing the issue?

The ID range is created automatically when a trust is added. It is
interesting that in the output below you have the wrong range names, because
the ranges created by 'ipa trust-add' end with an _id_range suffix, not
just '_range'. Is this part of your data scrubbing?



# ipa idrange-find
----------------
2 ranges matched
----------------
 Range name: AD.COMPANY.COM_range
 First Posix ID of the range: 1042800000
 Number of IDs in the range: 5000000
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain: S-1-5-21-1140405718-358989843-3445714273
 Range type: Active Directory domain range

 Range name: TEST.IPA.COMPANY.COM_range
 First Posix ID of the range: 709600000
 Number of IDs in the range: 200000
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 100000000
 Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

# ipa trust-find
----------------
2 trusts matched
----------------
 Realm name: ad.COMPANY.COM
 Domain NetBIOS name: ADPROD
 Domain Security Identifier: S-1-5-21-1140405718-358989843-3445714273
 Trust type: Active Directory domain
 UPN suffixes: COMPANY.COM

 Realm name: adtest.COMPANY.COM
 Domain NetBIOS name: ADTEST
 Domain Security Identifier: S-1-5-21-3854405848-1337145201-2106073647
 Trust type: Active Directory domain
----------------------------
Number of entries returned 2
----------------------------

Cheers
L.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
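As an added example (not FreeIPA's own code, and not something anyone posted in this thread), the Python below takes the two ranges from the 'ipa idrange-find' output quoted above and does the POSIX ID <-> RID/SID arithmetic that the range fields define: a range maps POSIX IDs base_id .. base_id+size-1 linearly onto RIDs base_rid .. base_rid+size-1 under the range's domain SID, with a local range also owning a secondary RID block. It assumes a placeholder IPA domain SID (IPA_DOMAIN_SID), because the thread does not show 'ipa trustconfig-show' output; substitute the real one. Passing the ipantsecurityidentifier shown by 'ipa group-show "Default SMB Group" --all' to fallback_group_sid_ok() checks the rule from the reply above: the fallback group's SID has to come from the local (IPA) range, not from a trusted AD domain.

```python
"""POSIX ID <-> RID/SID arithmetic for FreeIPA ID ranges. Added example, not
FreeIPA's own code; it parses 'ipa idrange-find' output as quoted in the thread."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Assumption: placeholder value; use the domain SID from 'ipa trustconfig-show'.
IPA_DOMAIN_SID = "S-1-5-21-1000000001-2000000002-3000000003"

# Constructed sample input: the two ranges quoted in the thread.
IDRANGE_FIND_OUTPUT = """\
 Range name: AD.COMPANY.COM_range
 First Posix ID of the range: 1042800000
 Number of IDs in the range: 5000000
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain: S-1-5-21-1140405718-358989843-3445714273
 Range type: Active Directory domain range

 Range name: TEST.IPA.COMPANY.COM_range
 First Posix ID of the range: 709600000
 Number of IDs in the range: 200000
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 100000000
 Range type: local domain range
"""

FIELD_MAP = {  # 'ipa idrange-find' label -> IdRange attribute
    "Range name": "name",
    "First Posix ID of the range": "base_id",
    "Number of IDs in the range": "size",
    "First RID of the corresponding RID range": "base_rid",
    "First RID of the secondary RID range": "secondary_base_rid",
    "Domain SID of the trusted domain": "domain_sid",
    "Range type": "range_type",
}


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int
    size: int
    base_rid: int
    domain_sid: str
    range_type: str
    secondary_base_rid: Optional[int] = None  # local ranges only

    def contains_posix(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

    def posix_to_sid(self, posix_id: int) -> str:
        """RID = base_rid + (posix_id - base_id), under the range's domain SID."""
        if not self.contains_posix(posix_id):
            raise ValueError(f"{posix_id} is outside range {self.name}")
        return f"{self.domain_sid}-{self.base_rid + (posix_id - self.base_id)}"

    def sid_to_posix(self, sid: str) -> Optional[int]:
        """Inverse mapping, or None if the SID is not from this range. A local
        range also accepts RIDs from its secondary base, which serves a user's
        private group (same POSIX number as the user, so it needs its own RID)."""
        domain, _, rid_text = sid.rpartition("-")
        if domain != self.domain_sid or not rid_text.isdigit():
            return None
        rid = int(rid_text)
        for base in (self.base_rid, self.secondary_base_rid):
            if base is not None and base <= rid < base + self.size:
                return self.base_id + (rid - base)
        return None


def parse_idrange_find(text: str, ipa_domain_sid: str) -> List[IdRange]:
    """One IdRange per blank-line-separated block. Local ranges print no domain
    SID, so the IPA domain SID (from 'ipa trustconfig-show') is filled in."""
    ranges: List[IdRange] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, Any] = {"domain_sid": ipa_domain_sid}
        for label, value in re.findall(r"^\s*([^:\n]+):\s*(.+?)\s*$", block, re.M):
            if label in FIELD_MAP:
                fields[FIELD_MAP[label]] = int(value) if value.isdigit() else value
        ranges.append(IdRange(**fields))
    return ranges


def sid_for_posix(ranges: List[IdRange], posix_id: int) -> Optional[str]:
    """SID a POSIX UID/GID maps to, or None if no range covers it."""
    return next((r.posix_to_sid(posix_id) for r in ranges
                 if r.contains_posix(posix_id)), None)


def posix_for_sid(ranges: List[IdRange], sid: str) -> Optional[int]:
    """POSIX ID a SID maps to, or None if it belongs to no known range."""
    return next((p for r in ranges if (p := r.sid_to_posix(sid)) is not None), None)


def fallback_group_sid_ok(ranges: List[IdRange], sid: str) -> bool:
    """The SMB fallback group's SID must come from a local (IPA) range, i.e. sit
    under the IPA domain SID, never under a trusted AD domain's SID."""
    return any(r.range_type == "local domain range" and r.sid_to_posix(sid) is not None
               for r in ranges)
```

With the thread's ranges, POSIX ID 1042800513 falls in the AD range (base RID 0) and maps to the ADPROD domain SID with RID 513, while POSIX ID 709600005 in the local range maps to RID 1005 under the IPA domain SID; a SID with RID 100000005 under the IPA domain SID comes back to the same POSIX number through the secondary RID base. A fallback group whose ipantsecurityidentifier resolves through the AD range, or whose RID sits outside the local range's RID blocks, fails the check.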
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
