On Fri, Aug 23, 2013 at 8:29 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
> Do you run AD server in a trusted setup? Is it possible this group comes
> from another AD domain?
No. We have a single domain. No trusts or subdomains.

> Can you check if searching the SID in the Global Catalog works (just
> search port 3268)?
> # ldapsearch -H ldap://milkdud.TESTDOMAIN.local:3268 -Y GSSAPI -N -b "dc=testdomain,dc=local" \
> "(&(objectSID=S-1-5-21-1779125721-235263668-3792523542-3663)(objectclass=group)(name=*))"
Here are the results of that query:
USER@HOST:~$ ldapsearch -H ldap://milkdud.TESTDOMAIN.local:3268 -Y GSSAPI -N -b "dc=testdomain,dc=local" "(&(objectSID=S-1-5-21-1779125721-235263668-3792523542-3663)(objectclass=group)(name=*))"
SASL/GSSAPI authentication started
SASL username: USER@TESTDOMAIN.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=wysu,dc=local> with scope subtree
# filter: (&(objectSID=S-1-5-21-1779125721-235263668-3792523542-3663)(objectclass=group)(name=*))
# requesting: ALL
#
# search result
search: 4
result: 0 Success
# numResponses: 1

Also, I've actually not seen the original error in a few days and have failed to reproduce it the few times I tried just now, so perhaps this was a fluke? The only thing that has happened since then has been a reboot or two of each domain controller. No changes to AD or any of the SIDs in question. I'd be okay with shelving this issue until it rears its head again. If any curious party wants me to experiment some more, I'd be happy to oblige, I'll just need some direction because I'm stumped. Otherwise, I'll monitor the issue for a few more days and post back with one more follow-up if I can't reproduce it.

Thanks.


-Chris
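As an added example (not from this thread, SSSD or any poster), a small Python helper for the Global Catalog check discussed above: it encodes the SID from the query into the binary objectSid form AD stores, builds the byte-escaped filter that non-AD LDAP clients need (AD itself accepts the textual SID used in the thread), and counts entries in ldapsearch LDIF output so that "numResponses: 1" with no "dn:" line is read correctly as a successful search with zero matches. The SID and the LDIF lines are taken from the thread; the function names are my own.

```python
import struct

# Sample input: the SID quoted in the thread above.
SAMPLE_SID = "S-1-5-21-1779125721-235263668-3792523542-3663"

# Constructed sample: the tail of the ldapsearch output shown above
# (successful search, only the search-result message, no entries).
SAMPLE_LDIF = """# search result
search: 4
result: 0 Success
# numResponses: 1
"""

def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-R-A-s1-s2-...) into AD's binary objectSid layout:
    revision (1 byte), sub-authority count (1 byte), 48-bit big-endian identifier
    authority, then each sub-authority as a 32-bit little-endian integer."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid back to its textual form (inverse of sid_to_bytes)."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated objectSid")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def escaped_sid_filter(sid: str) -> str:
    """Build an RFC 4515 filter with the SID bytes \\xx-escaped, which any LDAP
    server understands; AD additionally accepts the plain textual SID."""
    return "(objectSid=" + "".join("\\%02x" % b for b in sid_to_bytes(sid)) + ")"

def ldif_entry_count(ldif: str) -> int:
    """Count returned entries in ldapsearch LDIF output. numResponses counts the
    final search-result message too, so numResponses: 1 means no entry matched."""
    return sum(1 for line in ldif.splitlines() if line.startswith("dn:"))
```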