On Thu, Mar 4, 2021, at 17:46, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 04 Mar 2021, Lachlan Simpson via FreeIPA-users wrote:
> >
> The SMB fallback group is in IPA and has to have a SID assigned, from the IPA
> range. This is for the situation when a primary group of a user in IPA
> does not have a SID or a user does not have a primary group pointed to by
> their GID. This is not for AD users.
> An easier way to get it working is by returning the fallback group
> reference to the original SMB fallback group and making sure it has a SID.
How do I determine the original Samba fallback group? I have only added the single group
to IPA. The others are the defaults, so ipausers would be the default group? How do I
determine if an IPA group has a SID? I can see an ipauniqueid when I run
ipa group-show ipausers --all
I understand the relationship between RID and SID. I'm less comfortable with my
understanding of POSIX GID and RID/SID, but I think I have it.
I note that one of my AD trusts doesn't have an idrange at all - why would one trust
not have a range? I presumed that step happens when creating the trust. The adtest trust
was the first trust added. Would that be causing the issue?
# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: AD.COMPANY.COM_range
First Posix ID of the range: 1042800000
Number of IDs in the range: 5000000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-1140405718-358989843-3445714273
Range type: Active Directory domain range
Range name: TEST.IPA.COMPANY.COM_range
First Posix ID of the range: 709600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
# ipa trust-find
----------------
2 trusts matched
----------------
Realm name: ad.COMPANY.COM
Domain NetBIOS name: ADPROD
Domain Security Identifier: S-1-5-21-1140405718-358989843-3445714273
Trust type: Active Directory domain
UPN suffixes: COMPANY.COM
Realm name: adtest.COMPANY.COM
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-3854405848-1337145201-2106073647
Trust type: Active Directory domain
----------------------------
Number of entries returned 2
----------------------------
Cheers
L.
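
Added example, not part of the original message or of FreeIPA's own code: a cross-check of the two outputs above by domain SID, listing trusts that have no matching ID range, plus the offset arithmetic the range fields describe. It assumes the algorithmic mapping of an "Active Directory domain range" (POSIX ID = first POSIX ID + (RID - first RID)); the helper names and the sample POSIX ID are hypothetical.

```python
# Constructed input: field values copied from the ipa output quoted in the message.
IDRANGE_OUTPUT = """\
Range name: AD.COMPANY.COM_range
First Posix ID of the range: 1042800000
Number of IDs in the range: 5000000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-1140405718-358989843-3445714273
Range name: TEST.IPA.COMPANY.COM_range
First Posix ID of the range: 709600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
"""
TRUST_OUTPUT = """\
Realm name: ad.COMPANY.COM
Domain Security Identifier: S-1-5-21-1140405718-358989843-3445714273
Realm name: adtest.COMPANY.COM
Domain Security Identifier: S-1-5-21-3854405848-1337145201-2106073647
"""

def parse_records(text, first_key):
    """Split 'Key: value' lines into dicts; first_key starts a new record."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and key == first_key:
            records.append({})
        if sep and records:
            records[-1][key] = value
    return records

RANGES = parse_records(IDRANGE_OUTPUT, "Range name")
TRUSTS = parse_records(TRUST_OUTPUT, "Realm name")

def trusts_without_range(trusts, ranges):
    """Realms whose domain SID appears in no ID range (hypothetical helper)."""
    covered = {r.get("Domain SID of the trusted domain") for r in ranges}
    return [t["Realm name"] for t in trusts
            if t["Domain Security Identifier"] not in covered]

def posix_id_to_sid(posix_id, ranges):
    """Offset arithmetic for a trusted-domain range; None if no such range fits."""
    for r in ranges:
        base = int(r["First Posix ID of the range"])
        size = int(r["Number of IDs in the range"])
        sid = r.get("Domain SID of the trusted domain")
        if sid and base <= posix_id < base + size:
            rid = int(r["First RID of the corresponding RID range"]) + posix_id - base
            return f"{sid}-{rid}"
    return None
```

With the values above, `trusts_without_range(TRUSTS, RANGES)` returns only the adtest realm, and IDs in the local domain range return `None` because that range carries no trusted-domain SID in this output.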