On Thu, Mar 4, 2021, at 17:46, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 04 Mar 2021, Lachlan Simpson via FreeIPA-users wrote:
> >
> The SMB fallback group is in IPA and has to have a SID assigned, from the IPA
> range. This is for the situation when the primary group of a user in IPA
> does not have a SID or a user does not have a primary group pointed to by
> their GID. This is not for AD users.
>
> An easier way to get it working is by returning the fallback group
> reference to the original SMB fallback group and making sure it has a SID.

How do I determine the original Samba fallback group? I have only added the single group to IPA. The others are the defaults, so ipausers would be the default group? How do I determine if an IPA group has a SID? I can see an ipauniqueid when I run

ipa group-show ipausers --all

I understand the relationship between RID and SID. I'm less comfortable with my understanding of POSIX GID and RID/SID, but I think I have it.

I note that one of my AD trusts doesn't have an idrange at all - why would one trust not have a range? I presumed that step happens when creating the trust. The adtest trust was the first trust added. Would that be causing the issue?

# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: AD.COMPANY.COM_range
  First Posix ID of the range: 1042800000
  Number of IDs in the range: 5000000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1140405718-358989843-3445714273
  Range type: Active Directory domain range

  Range name: TEST.IPA.COMPANY.COM_range
  First Posix ID of the range: 709600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

# ipa trust-find
----------------
2 trusts matched
----------------
  Realm name: ad.COMPANY.COM
  Domain NetBIOS name: ADPROD
  Domain Security Identifier: S-1-5-21-1140405718-358989843-3445714273
  Trust type: Active Directory domain
  UPN suffixes: COMPANY.COM

  Realm name: adtest.COMPANY.COM
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-3854405848-1337145201-2106073647
  Trust type: Active Directory domain
----------------------------
Number of entries returned 2
----------------------------

Cheers
L.