On Fri, Jul 14, 2017 at 10:00:20AM -0000, bogusmaster--- via FreeIPA-users wrote:
Can you do a test on the server by calling
id username@ad.domain
and collect sssd_nss.log and sssd_your.ipa.domain.log on the server as well?
I uploaded these files to the same place as before - goo.gl/hiFHKE. They have a SERVER prefix in their names.
In the id output all groups should have a GID and a name; if there are groups with only a GID this might have caused the issue on the client as well.
This could be the root cause of the issues with rules propagation, because:
groups jdoe@td.mydomain.com
jdoe@td.mydomain.com : jdoe@td.mydomain.com groups: cannot find name for group ID 752600513
752600513
Yes, but I think this is only a side effect. SSSD cannot resolve a global catalog server. Does
dig SRV _gc._tcp.td.mydomain.com
return anything when called on the IPA server?
Interestingly, ipa group-find doesn't show a group with that ID, nor do I recognize adding a group with such an ID.
It is most probably the GID of the 'Domain Users' group of the AD domain.
I tried to resolve it by adding a group with such an ID locally on the server, but it didn't change anything except for the result of the groups command above.
Please remove the entry again, it might cause all kinds of irritations.
bye, Sumit
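
Added example, not part of the thread: a small shell filter for the check described above, listing every GID in `id` output that has no group name attached. The function name `unnamed_gids` and the sample line are constructed for illustration; only GID 752600513 comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `id <user>` output on stdin and
# prints each GID from the gid= and groups= fields that lacks a "(name)".
# Usage on a real host:  id username@ad.domain | unnamed_gids

unnamed_gids() {
    # 1. Tag every "NUMBER(name)" pair so that spaces inside AD group names
    #    (e.g. "domain admins@...") do not break the field split below.
    sed -E 's/([0-9]+)\([^)]*\)/\1:named/g' |
    # 2. One field per line, keep only the gid= and groups= values.
    tr ' ' '\n' |
    sed -n -e 's/^gid=//p' -e 's/^groups=//p' |
    # 3. One group entry per line; a bare number means no name was resolved.
    tr ',' '\n' |
    awk '/^[0-9]+$/' |
    sort -un
}

# Constructed sample: UID/GID values other than 752600513 are made up.
SAMPLE_ID_OUTPUT='uid=752601105(jdoe@td.mydomain.com) gid=752601105(jdoe@td.mydomain.com) groups=752601105(jdoe@td.mydomain.com),752600513,752601200(linux admins@td.mydomain.com)'

printf '%s\n' "$SAMPLE_ID_OUTPUT" | unnamed_gids
```

An empty result means every group resolved to a name; any GID printed is one SSSD could not map, which is the symptom discussed in the thread.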