On Tue, May 11, 2021 at 02:28:49PM -0000, iulian roman via FreeIPA-users wrote:
Hello everybody,
I try to override some uid and gid for AD users in IdM (I added all
users for which I need to override attributes in Default Trust View)
and although everything works properly on both IdM server and replica,
I cannot query the users on the ipa clients. Any other users (which
are not part of the Default Trust View) are visible and groups
displayed correctly on ipa clients.
So far, I have removed cache on both ipa server and client, restarted
sssd, removed /var/lib/sss/db/* but no success. I have enabled
debugging as well for sss, nss, but nothing relevant. The odd thing
is that sometimes I could query some of the users for which override
was configured, but I do not know why (I tried to correlate with the
group membership, number of groups the user is member of, etc. but
unsuccessfully).
On the ipa clients the sssd version I use is 1.16.1 and on the ipa
server sssd version is 2.3.0. Can that make a difference or be the
cause of the issue?
Hi,
the typical reason for this behavior is primary GIDs which cannot be
resolved to a name. If you set the primary GID for a user in an
id-override, this GID must belong to an existing group or must be the GID
in a group id-override. If you call 'getent group GID' it must return a
group.
HTH
bye,
Sumit
Any hint where I should look into would be really appreciated.
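The check described in the reply above (every primary GID set in a user id-override must be returned by `getent group GID`), as an added example that is not part of the original thread. The `user:gid` input format, the function names, the `LOOKUP` hook and the sample users and groups are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report id-override primary GIDs that do not resolve to a group.
# Input on stdin: one "user:gid" line per override (format assumed here).

# Resolve a GID to a group name. Defaults to "getent group GID"; LOOKUP may
# name another command with the same output format (used for the demo).
resolve_gid() {
    ${LOOKUP:-getent group} "$1" 2>/dev/null | cut -d: -f1
}

# Print "user gid" for every override whose GID has no group behind it.
# Returns 1 if at least one such override was found, 0 otherwise.
check_overrides() {
    rc=0
    while IFS=: read -r user gid; do
        [ -n "$user" ] || continue
        case $gid in
            ''|*[!0-9]*) echo "$user $gid (not numeric)"; rc=1; continue ;;
        esac
        name=$(resolve_gid "$gid")
        if [ -z "$name" ]; then
            echo "$user $gid"
            rc=1
        fi
    done
    return $rc
}

# Constructed group database in getent format, standing in for the real NSS.
sample_lookup() {
    grep "^[^:]*:[^:]*:$1:" <<'EOF'
adgroup-ovr:*:70001:
staff:*:70002:alice
EOF
}

# Demo on constructed data. Remove the LOOKUP line to query getent instead.
LOOKUP=sample_lookup
printf 'alice@ad.example:70001\nbob@ad.example:79999\n' | check_overrides || true
```

Run it on an IPA client with the real lookup: any user it prints has an override GID that needs either an existing group or a group id-override with that GID.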