On 08.06.23 07:52, Sumit Bose via FreeIPA-users wrote:
> On Wed, Jun 07, 2023 at 05:10:15PM +0200, Ronald Wimmer via
> FreeIPA-users wrote:
>> On 07.06.23 17:07, Ronald Wimmer via FreeIPA-users wrote:
>>> On 07.06.23 14:27, Ronald Wimmer via FreeIPA-users wrote:
>>>> When trying to add an AD group in an external group IPA fails to add
>>>> certain groups. Error: "trusted domain object not found"
>>>
>>> What the AD objects that cannot be added have in common is that their
>>> RID (last component of SID) is over 20000.
>>>
>>> Example group: 201455
>>> Example user: 203766
>>>
>>> So. I bet the ID ranges are set too small on the IPA side.
>>>
>>> Is this plausible?
>>
>> I'd say yes...
>>
>> Range name: SOMEDOMAIN.MYDOMAIN.AT_id_range
>> First Posix ID of the range: 1073800000
>> Number of IDs in the range: 200000
>> First RID of the corresponding RID range: 0
>> Domain SID of the trusted domain: <undisclosed>
>> Range type: Active Directory domain range
> Hi,
>
> yes, the RIDs over 200k are most probably the reason the objects are not
> seen. If you haven't started to change the idrange configuration I would
> suggest adding a second idrange for this domain instead of changing just
> the size of the range. The reason is that SSSD can add new idranges at
> runtime but a change in an existing idrange requires a restart and
> removing the cache. So just adding a new idrange will be less effort.
Thanks for the input. I added another id range for that particular
domain and everything works perfectly fine now.
Cheers,
Ronald
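The RID-to-POSIX-ID arithmetic behind Sumit's answer, as an added example that is not from the thread or from FreeIPA/SSSD code: it applies the idrange quoted above (base 1073800000, 200000 IDs, first RID 0) plus an assumed second range starting at RID 200000 to the example SIDs, and reports which RIDs no range covers. The domain SID and the second range's name and parameters are constructed placeholders, not values from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder domain SID; the real one is undisclosed in the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


@dataclass(frozen=True)
class IdRange:
    name: str
    domain_sid: str
    base_id: int    # First Posix ID of the range
    size: int       # Number of IDs in the range
    base_rid: int   # First RID of the corresponding RID range

    def covers_rid(self, rid: int) -> bool:
        return self.base_rid <= rid < self.base_rid + self.size


# First entry is the range quoted in the thread; second is an assumed
# additional range (constructed) covering RIDs 200000..399999.
RANGES = [
    IdRange("SOMEDOMAIN.MYDOMAIN.AT_id_range", DOMAIN_SID, 1073800000, 200000, 0),
    IdRange("SOMEDOMAIN.MYDOMAIN.AT_id_range_2", DOMAIN_SID, 1074000000, 200000, 200000),
]

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an AD object SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-object SID: {sid}")
    return m.group(1), int(m.group(2))


def map_sid_to_posix(sid: str, ranges: List[IdRange] = RANGES) -> Optional[int]:
    """POSIX ID = base_id + (RID - base_rid) for the first range whose domain and RID window match."""
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid == domain_sid and r.covers_rid(rid):
            return r.base_id + (rid - r.base_rid)
    return None  # no idrange covers this RID: the object stays invisible to IPA/SSSD


def uncovered_sids(sids: List[str], ranges: List[IdRange] = RANGES) -> List[str]:
    """SIDs that map to no POSIX ID under the given ranges."""
    return [s for s in sids if map_sid_to_posix(s, ranges) is None]


def posix_ranges_overlap(ranges: List[IdRange]) -> bool:
    """True if any two ranges share POSIX IDs (IPA rejects such a configuration)."""
    spans = sorted((r.base_id, r.base_id + r.size) for r in ranges)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))
```

With only the first range, RID 201455 and 203766 are uncovered; with the second range added at runtime they map to 1074001455 and 1074003766 without resizing the original range.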