On Fri, Nov 15, 2019 at 10:58:17AM -0000, Jamal Mahmoud wrote:
Ok, do you know if the LDAP attributes uidNumber and gidNumber are
replicated to the Global Catalog in your environment? By default they
are not.
You can check this manually as well with ldapsearch on the Global
Catalog port 3268:

    ldapsearch -H ldap://your-ad-dc.your.ad.domain:3268 -b 'DC=your,DC=ad,DC=domain' samAccountName=groupname

If gidNumber is missing in the Global Catalog object please try if
setting

    ad_enable_gc = False

in the [domain/...] section of sssd.conf makes the group lookup more
reliable.
bye,
Sumit
Hi Sumit,
I'm just after checking and you are correct! The LDAP search through the Global
Catalog does not return any POSIX attributes. We're going to apply this patch and see
if the errors stop occurring. If this is the solution I owe you a drink (or 5).
Thanks,
Jamal
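
The check discussed in this thread, as an added example that is not part of either message: compare the entry returned on the Global Catalog port 3268 with the one returned on the regular LDAP port 389 and report whether a POSIX attribute is missing only in the GC. The function names, the sample LDIF and the -LLL/attribute-list arguments are assumptions added here; bind options are site-specific and omitted, as in the command above.

```shell
#!/bin/sh
# has_attr NAME: succeed if the LDIF on stdin carries attribute NAME
# (case-insensitive; matches "name: value" and base64 "name:: value").
has_attr() {
    grep -Eiq "^$1::? "
}

# gc_verdict GC_LDIF DC_LDIF ATTR: compare one entry as returned by the
# Global Catalog and by the regular LDAP port.
gc_verdict() {
    if printf '%s\n' "$1" | has_attr "$3"; then
        echo "present-in-gc"
    elif printf '%s\n' "$2" | has_attr "$3"; then
        echo "missing-in-gc"   # the case where ad_enable_gc = False is worth trying
    else
        echo "not-set"         # absent on both ports; the GC is not the cause
    fi
}

# fetch HOST PORT BASE GROUP: the query from the message, limited to the
# POSIX attributes. Not called below, so the script runs offline.
fetch() {
    ldapsearch -LLL -H "ldap://$1:$2" -b "$3" "samAccountName=$4" \
        uidNumber gidNumber
}

# Constructed sample output (not from a real directory).
SAMPLE_GC='dn: CN=groupname,CN=Users,DC=your,DC=ad,DC=domain'
SAMPLE_DC='dn: CN=groupname,CN=Users,DC=your,DC=ad,DC=domain
gidNumber: 10001'

gc_verdict "$SAMPLE_GC" "$SAMPLE_DC" gidNumber

# Live use, with the placeholder names from the message:
#   gc=$(fetch your-ad-dc.your.ad.domain 3268 'DC=your,DC=ad,DC=domain' groupname)
#   dc=$(fetch your-ad-dc.your.ad.domain 389  'DC=your,DC=ad,DC=domain' groupname)
#   gc_verdict "$gc" "$dc" gidNumber
```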