On Fri, 08 Apr 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
> Hi,
> I wonder if there is a way to create an AD trust where users would
> maintain the uidNumber/gidNumber that are stored in AD.

Yes. It is all documented in RHEL IdM documentation.

> I read on an older question on the nakive forum that if the trust-add
> command finds users with uidNumbers, so those would be used. I tried,
> but a random id-range is created every time.
> Is there a smart way to actually preserve those uidNumbers from AD?

I guess, you did not specify the type of the range? If type of range is
not specified, we attempt to search on the forest root domain for signs
of use of SFU information in AD LDAP at
CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$BASEDN.

If you have user domain somewhere else in the forest and users are not
part of the forest root domain, then this check will not find POSIX
identities.

# ipa trust-add --help|grep range-type
--range-type=['ipa-ad-trust', 'ipa-ad-trust-posix']

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
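
The probe and the range-type check described in the reply above, as an added example that is not part of the original message or of FreeIPA itself. The domain `ad.example.com`, the host `dc1.ad.example.com`, the `Administrator` account, the function names and the sample output are assumptions; the script only prints the `ldapsearch` and `ipa` commands, it does not run them.

```shell
#!/bin/sh
# Added example. Names, hosts and sample data are constructed placeholders.

# DNS domain -> LDAP base DN: ad.example.com -> DC=ad,DC=example,DC=com
domain_to_basedn() {
    printf '%s\n' "$1" | sed -e 's/^/DC=/' -e 's/\./,DC=/g'
}

# DN that is searched on the forest root domain when no --range-type is given.
# Users living in another domain of the forest are not covered by this probe.
sfu_probe_dn() {
    printf 'CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,%s\n' \
        "$(domain_to_basedn "$1")"
}

# Read `ipa idrange-show <range> --all --raw` output on stdin and print the
# value of the iparangetype attribute (ipa-ad-trust or ipa-ad-trust-posix).
range_type() {
    awk -F': *' 'tolower($1) ~ /^[ \t]*iparangetype$/ {
        sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Succeeds only if the range on stdin takes uidNumber/gidNumber from AD.
uses_ad_posix_ids() {
    [ "$(range_type)" = "ipa-ad-trust-posix" ]
}

# Print the manual checks and the explicit trust-add call for a forest root.
show_commands() {
    forest_root=$1
    dc=$2
    printf 'ldapsearch -Y GSSAPI -H ldap://%s -s base -b "%s"\n' \
        "$dc" "$(sfu_probe_dn "$forest_root")"
    printf 'ipa idrange-find --all --raw\n'
    printf 'ipa trust-add --type=ad %s --admin Administrator --password %s\n' \
        "$forest_root" "--range-type=ipa-ad-trust-posix"
}

show_commands ad.example.com dc1.ad.example.com
```

Piping the real `ipa idrange-show ... --all --raw` output into `uses_ad_posix_ids` tells whether an existing trust range is mapping IDs algorithmically or reading them from AD.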