On Tue, 02 Apr 2024, Natxo Asenjo wrote:
hi,
On Tue, Mar 26, 2024 at 2:47 PM Natxo Asenjo <natxo.asenjo(a)gmail.com> wrote:
> hi,
>
> posting back to the list.
>
> Apparently the idm server cannot find a SID of a domain when trying to
> resolve the user account. It does find the user account, but there are
> sids coupled to the account corresponding to a domain which cannot be
> resolved.
>
> It took me a while but the sid of that child domain is not the one not
> resolved.
>
> It turns out, the sid of the domain not resolving is the one of the idm
> realm itself. We have some idm groups mapped to the AD groups we allow in
> idm for rbac, and if I look at the ipaNTSecurityIdentifier attributes of
> the id groups, those are the groups that are not resolved.
>
> This is unexpected (to me at least).
>
> so we have this trust (verified on two different idm servers, same value):
>
> ipa trust-find
> ---------------
> 1 trust matched
> ---------------
> Realm name: domain.local
> Domain NetBIOS name: DOMAIN
> Domain Security Identifier: S-1-5-21-1416133915-1866970209-3316290679
> Trust type: Active Directory domain
> ----------------------------
> Number of entries returned 1
>
> but inside this idm domain, we have some idm posix groups with the
> ipantsecurityidentifier of the not resolvable domain, for instance:
> S-1-5-21-1214650608-3976977395-3073169311-101072
>
> So basically, it is not matching because of this ipantsecurityidentifier,
> I think.
>
> I do not know how to fix this at this moment, or why it has happened. Any
> ideas?
>
>
I wonder if somebody with more sssd knowledge than me could push me in the
right direction. Is it maybe better to ask in the sssd mailing list?
No idea why that is. Is the SID of IPA domain
S-1-5-21-1214650608-3976977395-3073169311? If not, please replace SIDs
of the IPA groups that have S-1-5-21-1214650608-3976977395-3073169311 in
their ipaNTSecurityIdentifier by the proper IPA domain SID. You probably
need to construct an LDIF file that does this modification.
Regards,
Natxo Asenjo
--
Groeten,
natxo
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
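The LDIF construction Alexander describes, as an added example that is not part of the thread: it parses each group's ipaNTSecurityIdentifier, keeps the RID, swaps the foreign domain prefix for the IPA domain SID, and refuses to emit a change that would collide with a SID already in use. The group DNs, the gidNumbers and the "correct" IPA domain SID are constructed placeholders; the real IPA domain SID is printed by `ipa trustconfig-show`.

```python
"""Rewrite foreign-domain group SIDs to the IPA domain SID (added example)."""
import re

# Domain SID followed by a RID; the RID is the trailing sub-authority.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Placeholder: replace with the value from `ipa trustconfig-show`.
IPA_DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"

# Constructed sample entries in the shape an LDAP search would return.
SAMPLE_GROUPS = [
    ("cn=ad_admins,cn=groups,cn=accounts,dc=example,dc=test",
     "S-1-5-21-1214650608-3976977395-3073169311-101072"),
    ("cn=ad_users,cn=groups,cn=accounts,dc=example,dc=test",
     "S-1-5-21-1214650608-3976977395-3073169311-101073"),
    ("cn=editors,cn=groups,cn=accounts,dc=example,dc=test",
     "S-1-5-21-111111111-222222222-333333333-1004"),
]


def split_sid(sid):
    """Return (domain_prefix, rid); reject anything that is not a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %s" % sid)
    return m.group(1), int(m.group(2))


def find_mismatched(groups, ipa_sid):
    """Return (dn, old_sid, new_sid) for groups whose prefix is not ipa_sid."""
    existing = {sid for _dn, sid in groups}
    changes, planned = [], set()
    for dn, sid in groups:
        prefix, rid = split_sid(sid)
        if prefix == ipa_sid:
            continue  # already in the IPA domain, nothing to fix
        new = "%s-%d" % (ipa_sid, rid)
        if new in existing or new in planned:  # never reuse a live RID
            raise ValueError("RID %d already in use, cannot fix %s" % (rid, dn))
        planned.add(new)
        changes.append((dn, sid, new))
    return changes


def build_ldif(changes):
    """Render one modify/replace record per group for ldapmodify."""
    return "\n".join(
        "dn: %s\nchangetype: modify\nreplace: ipaNTSecurityIdentifier\n"
        "ipaNTSecurityIdentifier: %s\n" % (dn, new) for dn, _old, new in changes)


if __name__ == "__main__":
    print(build_ldif(find_mismatched(SAMPLE_GROUPS, IPA_DOMAIN_SID)))
```

Review the generated LDIF against `ipa idrange-find` before applying it, since a RID kept from the foreign domain may fall outside the local range's RID base.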