On Thu, 04 Mar 2021, Lachlan Simpson via FreeIPA-users wrote:
> On Thu, Mar 4, 2021, at 09:17, Lachlan Simpson via FreeIPA-users wrote:
> > The IPA domain has Primary RID base of 1000 but the Base ID is 709600000?
> >
> > I presumed the AD provided POSIX GID would come across per a regular
> > Linux system gid and that would be fine within IPA. IIRC until I
> > edited the range of the trust it was working after I had created the
> > User Group in IPA with the GID 5000.
> >
> Sorry, to be clearer. When I first created the trust, I couldn't get id
> or getent to work. I discovered that was because the IPA didn't know
> about the POSIX GID coming from AD. So I created a group in IPA called
> company_name with GID 5000 - the same as was coming from AD.
> id and getent started working for users in that trust.
> When I increased the idrange for the second trust, that's when smb
> started giving errors instead of starting.

The SMB fallback group is in IPA and has to have a SID assigned from the IPA
range. This is for the situation when the primary group of a user in IPA
does not have a SID, or a user does not have a primary group pointed to by
their GID. This is not for AD users.

An easier way to get it working is by returning the fallback group
reference to the original SMB fallback group and making sure it has a SID.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
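
An added illustration, not part of the original thread or FreeIPA's own code: a simplified model of how a SID is derived for a POSIX ID inside the local IPA ID range, showing why a group whose GID lies outside that range (such as the GID 5000 group mentioned above) gets no SID from it. The domain SID, range size, and the GID given to "Default SMB Group" are constructed values; only Base ID 709600000 and Primary RID base 1000 come from the thread, and the secondary RID base used for collisions is left out.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class LocalIdRange:
    base_id: int   # first POSIX ID covered by the range
    size: int      # number of IDs in the range
    rid_base: int  # primary RID base


def sid_for_posix_id(domain_sid: str, rng: LocalIdRange, posix_id: int) -> Optional[str]:
    """Return the SID for a UID/GID, or None when the ID is outside the range.

    Simplified model: RID = rid_base + (posix_id - base_id).
    """
    offset = posix_id - rng.base_id
    if not 0 <= offset < rng.size:
        return None  # no range covers this ID, so no SID can be derived
    return f"{domain_sid}-{rng.rid_base + offset}"


# Constructed domain SID; range size is an assumption (not stated in the thread).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
IPA_RANGE = LocalIdRange(base_id=709600000, size=200000, rid_base=1000)


def check_groups(groups: Dict[str, int]) -> Dict[str, Optional[str]]:
    """Map each group name to its derived SID (None = cannot serve as fallback)."""
    return {name: sid_for_posix_id(DOMAIN_SID, IPA_RANGE, gid)
            for name, gid in groups.items()}


if __name__ == "__main__":
    # Constructed sample: one GID inside the IPA range, one outside it.
    sample = {"Default SMB Group": 709600001, "company_name": 5000}
    for name, sid in check_groups(sample).items():
        status = sid if sid else "no SID (GID outside the IPA range)"
        print(f"{name}: {status}")
```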