Our production IPA servers are currently at
ipa-server-4.9.12-11.module+el8.9.0+20824+f2605038.x86_64. (Planning is
underway to migrate to new RHEL 9.3 servers.) We have a 1-way trust
established with AD. All active users are in AD with the POSIX attributes
defined. Overall, this has worked well. However, lately we have been seeing
more incidents where IPA periodically marks the domains in the AD forest as
Disabled, and then accounts cannot get resolved. Not all AD groups have
gidNumber defined, but those groups that are used in the IPA environment
do. I have noticed that some users in these POSIX AD groups do not have the
POSIX attributes. I have a couple of broader questions I've never really been
entirely certain about and would like clarification on if possible.
1. Is IPA "OK" with some AD groups not having gidNumber defined? It's my
understanding that IPA will just ignore these groups, but I just wanted to
confirm that. I ask because I see in the IPA logs, it is continually
complaining about some AD groups that happen to not have a gidNumber, and I
thought IPA would just ignore these.
2. If an AD group does have gidNumber defined, how well will IPA handle any
group members without POSIX attributes? Will IPA just ignore these users,
or will it be a more serious problem?
3. What's the best way to determine why IPA marks an AD domain as
"Disabled"? We see this frequently happen. Often it will shortly afterward
flip back to "Active", but sometimes that takes much longer. Obviously, if
they are disabled too long, then AD accounts cannot be resolved if they are
no longer in the SSSD cache.
4. Does "Domain resolution order" need to contain *all* the domains in the
AD forest, or only those domains with actual user accounts? I ask because I
see IPA trying all the discovered domains and I know for a fact that those
users/groups are not in those domains.
Thanks,
Amos