On Wed, 02 Aug 2017, Igor Sever via FreeIPA-users wrote:
> There is no gidNumber attribute on AD group objects. If I want to apply
> posix attributes directly in AD, then I don't need FreeIPA, do I...
> https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity...
Can you show details about your trust configuration?
# ipa trust-show my.ad.domain
# ipa idrange-show MY.AD.DOMAIN_id_range
My hunch is that you established a trust with an ID range that defines
you have POSIX IDs in your Active Directory. Thus, SSSD assumes you have
allocated uidNumber/gidNumber yourself in user/group entries in AD LDAP.
If you definitely don't have POSIX IDs in AD, then it might be that you
had at some point NIS integration enabled on AD side and thus 'ipa
trust-add' detected appropriate settings for this mode in AD and
configured the ID range accordingly.
> It is obvious that FreeIPA integration with AD is not production ready,
> and probably never will be for numerous reasons, just like samba...
It does not help to throw accusations without providing any details on
how you configured a system.
--
/ Alexander Bokovoy