----- Original Message -----
> From: "Brian Cook" <[email protected]>
> To: [email protected]
> Sent: Monday, December 10, 2012 3:30:38 AM
> Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
>
> I was able to get cross realm trust working with 2k8 R2 DC and RHEL
> 6.4 beta.
>
> I created an external group in IPA and then added member MSAD\Domain
> Users
>
> Now in the members of group external-test I have an unresolved SID
> instead of the name of the group. How might I go about
> troubleshooting / fixing this?

It should be a SID, not a group/user name; that's by design, so there is nothing broken in your setup. Since normal groups in IPA LDAP use referential membership and all these trust users/groups do not exist in IPA LDAP as LDAP objects, we don't reference them by name directly but rather store SIDs only.

The MS-PAC structure in the Kerberos ticket uses SIDs, and sssd consults the IPA LDAP server (and then winbindd on the IPA server) for SID-to-name translation when parsing the MS-PAC.

--
/ Alexander Bokovoy
