On Tue, May 11, 2021 at 02:28:49PM -0000, iulian roman via FreeIPA-users wrote:
Hello everybody,
I try to override some uid and gid for AD users in IdM (I added all users for which I need to override attributes in Default Trust View) and although everything works properly on both IdM server and replica, I cannot query the users on the ipa clients. Any other users (which are not part of the Default Trust View) are visible and groups displayed correctly on ipa clients. So far, I have removed cache on both ipa server and client, restarted sssd, removed /var/lib/sss/db/* but no success. I have enabled debugging as well for sss, nss, but nothing relevant. The odd thing is that sometimes I could query some of the users for which override was configured, but I do not know why (I tried to correlate with the group membership, number of groups the user is member of, etc. but unsuccessfully). On the ipa clients the sssd version I use is 1.16.1 and on the ipa server sssd version is 2.3.0. Can that make a difference or be the cause of the issue?
Hi,
the typical reason for this behavior is primary GIDs which cannot be resolved to a name. If you set the primary GID for a user in an id-override this GID must belong to an existing group or must be the GID in a group id-override. If you call 'getent group GID' it must return a group.
HTH
bye, Sumit
Any hint where I should look into would be really appreciated.
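The check described in the reply, as an added example that is not part of the original thread: it lists every user override that sets a primary GID and reports those for which `getent group GID` returns nothing on the host where it runs. The function names, the sample data, and the assumed output layout of `ipa idoverrideuser-find` (field labels "Anchor to override:" and "GID:") are assumptions of this example.

```shell
#!/bin/sh
# Added example: find ID overrides whose primary GID does not resolve to a group.

# Constructed sample in the layout assumed for `ipa idoverrideuser-find`.
sample_overrides() {
cat <<'EOF'
  Anchor to override: alice@ad.example.test
  UID: 70001
  GID: 70001

  Anchor to override: bob@ad.example.test
  UID: 70002
  GID: 79999

  Anchor to override: carol@ad.example.test
  UID: 70003
EOF
}

# Print "anchor gid" for each override entry on stdin that sets a GID.
# Entries that only override the UID (carol above) are skipped.
list_override_gids() {
    awk -F': *' '
        /Anchor to override:/ { anchor = $2 }
        /^[[:space:]]*GID:/   { print anchor, $2 }
    '
}

# Read "anchor gid" pairs and print those whose GID getent cannot resolve.
# Returns 1 if at least one unresolvable GID was found.
find_unresolvable_gids() {
    rc=0
    while read -r anchor gid; do
        if ! getent group "$gid" >/dev/null 2>&1; then
            echo "$anchor gid=$gid"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample. On an affected IPA client, feed real data:
#   ipa idoverrideuser-find "Default Trust View" | list_override_gids | find_unresolvable_gids
sample_overrides | list_override_gids | find_unresolvable_gids || true
```

Run it on the client where the lookups fail, since the GID has to resolve there; each reported GID needs either an existing group or a group id-override carrying that GID.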