It works, thank you so much!
On 24/06/2020 at 12:44, Sumit Bose via FreeIPA-users wrote:
On Wed, Jun 24, 2020 at 11:40:45AM +0200, Nathanaël Blanchet via
FreeIPA-users wrote:
> Hello,
>
> I manage two independent AD domains, and I set up a trust with my
> freeipa server (realm NAT.ABES.FR).
>
> The trust-add step is ok for both and trust are both seen as active
> directory trust:
>
> 2 trusts matched
> ----------------
>
> Realm name: ACME.local
> Domain NetBIOS name: ACME
> Domain Security Identifier: S-1-5-21-3044139164-2180978765-3887461208
> Trust type: Active Directory domain
>
> Realm name: levant.abes.fr
> Domain NetBIOS name: LEVANT
> Domain Security Identifier: S-1-5-21-116659660-2524593236-2569697501
> Trust type: Active Directory domain
>
> Idranges are also ok:
>
> Range name: ACME.LOCAL_id_range
> First Posix ID of the range: 542000000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 0
> Domain SID of the trusted domain: S-1-5-21-3044139164-2180978765-3887461208
> Range type: Active Directory domain range
>
> Range name: LEVANT.ABES.FR_id_range
> First Posix ID of the range: 564400000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 0
> Domain SID of the trusted domain: S-1-5-21-116659660-2524593236-2569697501
> Range type: Active Directory domain range
>
> I can get id with ACME.local but not on levant.abes.fr:
>
> id toto@ACME.local
> uid=542001112(toto@ACME.local) gid=542001112(toto@ACME.local) groups=542001112(toto@ACME.local),542000513(utilisateurs du domaine@ACME.local)
>
> id administrateur@levant.abes.fr
> id: ‘administrateur@levant.abes.fr’: no such user
>
> when debugging sssd, I find that the ldap filter query is not the same
> on both domains:
>
> ACME.local:
> [(&(sAMAccountName=toto)(objectclass=user)(sAMAccountName=*)(objectSID=*))]
>
> levant.abes.fr:
> [(&(sAMAccountName=poujol)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]
>
>
> The ACME domain is on a single 2012R2 server
>
> The LEVANT domain is on an AD cluster with different AD versions: 2008,
> 2012R2, 2016
>
> SRV records are all ok from AD side and from ipaserver side.
>
> Some users on LEVANT previously had some unix attributes that I deleted,
> and so any vmsSFU30OrderNumber or msSFU30MaxUidNumber or
> msSFU30MaxUidNumber as mentioned here
> https://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
>
> I deleted and recreated the trust and restarted the sssd daemon, but the result is
> always the same: the ldap search on AD is always done with uidNumber
> instead of objectSID and no users of the trusted domain are found.
>
> What can I do more?
Hi,
did you remove SSSD's cache while restarting SSSD? Please try
sssctl cache-remove -ops
or if sssctl is not installed
systemctl stop sssd.service ; rm -f /var/lib/sss/db/* ; systemctl start
sssd.service
HTH
bye,
Sumit
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
Nathanaël Blanchet
Network supervision
SIRE
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tel. 33 (0)4 67 54 84 55
Fax 33 (0)4 67 54 84 14
blanchet@abes.fr
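The point of the thread is visible in the two LDAP filters quoted in the question: a search ending in (objectSID=*) means SSSD is resolving the trusted domain by SID (ID mapping), while (&(uidNumber=*)(!(uidNumber=0))) means SSSD has decided the AD domain provides POSIX attributes and will only return users that carry a uidNumber, which after the attributes were deleted is nobody. That decision is kept in SSSD's cache, which is why purging it as Sumit suggests changes the filter. The script below is an added example for checking which mode a domain is in from the SSSD domain log; it is not code from the thread, from SSSD or from FreeIPA. It assumes the log lines look roughly like the constructed ones embedded in it (the filter in square brackets, followed by the search base in square brackets) and that the log is at a debug level where searches are written out.

```sh
#!/bin/sh
# Added diagnostic (not from the thread, SSSD or FreeIPA): report, per search
# logged by SSSD, whether a trusted AD domain is looked up by objectSID
# (ID mapping) or by uidNumber (POSIX attributes expected from AD).

# Classify one LDAP filter string as logged by SSSD.
classify_filter() {
    case "$1" in
        *'(objectSID=*)'*) echo idmap ;;
        *'(uidNumber=*)'*) echo posix ;;
        *)                 echo unknown ;;
    esac
}

# stdin: SSSD back-end log lines, e.g. /var/log/sssd/sssd_<domain>.log
# stdout: "<domain> <mode> <filter>" for every user search found.
# The domain name is rebuilt from the DC= components of the search base
# logged right after the filter (assumed layout, see sample below).
classify_log() {
    grep '\[(&(sAMAccountName=' | while IFS= read -r line; do
        f=$(printf '%s\n' "$line" | sed -n 's/.*\[\((&(sAMAccountName=[^]]*\)].*/\1/p')
        base=$(printf '%s\n' "$line" | sed -n 's/.*\[(&(sAMAccountName=[^]]*]\[\([^]]*\)].*/\1/p')
        dom=$(printf '%s\n' "$base" | tr ',' '\n' | sed -n 's/^ *[Dd][Cc]=//p' | paste -s -d . -)
        printf '%s %s %s\n' "${dom:-?}" "$(classify_filter "$f")" "$f"
    done
}

# Constructed sample lines, modelled on the two filters quoted in the
# question; the surrounding fields are an assumed approximation of the
# real log format, not copied from a real log.
SAMPLE_LOG='(Wed Jun 24 11:30:01 2020) [sssd[be[nat.abes.fr]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=toto)(objectclass=user)(sAMAccountName=*)(objectSID=*))][DC=acme,DC=local]
(Wed Jun 24 11:31:07 2020) [sssd[be[nat.abes.fr]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=poujol)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=levant,DC=abes,DC=fr]'

# Demo on the constructed lines. Against a real IPA server log, run:
#   classify_log < /var/log/sssd/sssd_nat.abes.fr.log
printf '%s\n' "$SAMPLE_LOG" | classify_log
```

A practical way to use it: run it once against the domain log before purging the cache and once after (sssctl cache-remove -ops, or stopping sssd, removing /var/lib/sss/db/* and starting it again, as in the reply above). If the LEVANT searches still come out as "posix" after the purge, the problem is not stale cache but the AD side still advertising POSIX attributes, and the msSFU30 attributes mentioned in the question are the place to look.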