On Tue, Mar 2, 2021, at 23:35, Sumit Bose via FreeIPA-users wrote:
On Wed, Feb 24, 2021 at 03:32:54PM +1100, Lachlan Simpson via FreeIPA-users wrote:
> On Tue, Feb 23, 2021, at 15:36, Lachlan Simpson via FreeIPA-users wrote:
> > I am seeing the following in the samba logs:
> > 
> >   Missing mandatory attribute ipaNTSecurityIdentifier.
> > [2021/02/23 14:57:23.345184,  0] ipa_sam.c:4950(pdb_init_ipasam)
> >   Cannot find SID of fallback group.

Thanks for your patience. It looks like there is an issue with the
fallback group. Please check with

    ipa trustconfig-show


No problems - I was just about to post to the list asking about fallback groups. I was planning on working through the source first though, so I'm glad you posted.

[root@idm samba]# ipa trustconfig-show
  Domain: test.idm.company.com
  Security Identifier: S-1-5-21-2418255240-4279612882-1152719259
  NetBIOS name: TEST
  Domain GUID: b9e79f68-3f7f-4174-ba8f-2f9c864dccbc
  Fallback primary group: company_name
  IPA AD trust agents: idm.test.company.com
  IPA AD trust controllers: idm.test.company.com

what is your fallback group and with

    ipa group-show --all 'Group Name'

[root@idm samba]# ipa group-show --all 'company_name'
  dn: cn=company_name,cn=groups,cn=accounts,dc=test,dc=company,dc=com
  Group name: company_name
  GID: 5000
  ipauniqueid: 886f69c4-3f2b-11eb-89aa-005056980f49
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup

if it has a SID assigned. If there is no SID, please check if the group
has a GID from the id-range assigned to the IPA domain.

The IPA domain has Primary RID base of 1000 but the Base ID is 709600000?

I presumed the AD provided POSIX GID would come across per a regular Linux system gid and that would be fine within IPA. IIRC until I edited the range of the trust it was working after I had created the User Group in IPA with the GID 5000.

Is it possible or smarter to reduce the IPA range to fit this GID or is it better to create the group id override?


L.
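
The check requested in the thread (does the fallback group carry a SID, and does its GID fall inside the IPA domain's ID range), as an added example that is not part of the original messages or of FreeIPA's code. The range size of 200000 is an assumed value (read the real one from `ipa idrange-find`), and the mapping RID = RID base + (GID - Base ID) is this sketch's model of how a local range assigns RIDs.

```python
import re

# Output pasted in the thread above, trimmed to the fields used here.
TRUSTCONFIG = """\
  Domain: test.idm.company.com
  Security Identifier: S-1-5-21-2418255240-4279612882-1152719259
  Fallback primary group: company_name
"""
GROUP_SHOW = """\
  Group name: company_name
  GID: 5000
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup
"""

def field(text, name):
    """Return the value of a 'Name: value' line from ipa CLI output, or None."""
    m = re.search(rf"^[ \t]*{re.escape(name)}:[ \t]*(.+?)[ \t]*$",
                  text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def expected_sid(domain_sid, gid, base_id, range_size, rid_base):
    """SID the local range would map this GID to, or None if outside it."""
    if not (base_id <= gid < base_id + range_size):
        return None
    return f"{domain_sid}-{rid_base + (gid - base_id)}"

def check_fallback_group(trustconfig, group_show, base_id, range_size, rid_base):
    """Summarise why a fallback group may lack ipaNTSecurityIdentifier."""
    domain_sid = field(trustconfig, "Security Identifier")
    gid = int(field(group_show, "GID"))
    sid = field(group_show, "ipantsecurityidentifier")
    mapped = expected_sid(domain_sid, gid, base_id, range_size, rid_base)
    return {
        "group": field(trustconfig, "Fallback primary group"),
        "gid": gid,
        "has_sid": sid is not None,
        "in_range": mapped is not None,
        "expected_sid": mapped,
    }

if __name__ == "__main__":
    # Base ID and Primary RID base are the values quoted in the thread;
    # 200000 is an assumed range size.
    for key, value in check_fallback_group(
            TRUSTCONFIG, GROUP_SHOW, 709600000, 200000, 1000).items():
        print(f"{key}: {value}")
```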