The setup: IPA Server 4.6.4-10.el7_6.2 with trust against Windows 2008 R2, IPA client 4.6.4-10.el7_6.2
The problem:
[root@rhelclient01 ~]# id test2
uid=1248201106(test2@myaddomain.de) gid=1248201106(test2@myaddomain.de) groups=1248201106(test2@myaddomain.de),1248200513(domain users@myaddomain.de)
When I put an ID view for that user in IPA and only put in the UID value it works fine, as well:
[root@rhelclient01 ~]# id test2
uid=1001(test2@myaddomain.de) gid=1248201106(test2@myaddomain.de) groups=1248201106(test2@myaddomain.de),1248200513(domain users@myaddomain.de)
But when I fill in 1001 for the GID value, the user is not visible from the client anymore:
[root@rhelclient01 ~]# id test2
id: test2: no such user
In sssd logfiles I see in the good case:
[ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [test2] to IPA server
... and in the bad case:
[ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [S-1-5-21-653292258-51847207-622671684-1129] to IPA server
In summary: when the GID value is set in ID view, sssd tries to fetch the user by SID instead of username. This happens ONLY when GID value is set, all other ID view fields seem to work fine.
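Added example, not part of the original ticket or of SSSD: a small Python filter that scans SSSD log lines for the `ipa_s2n_get_acct_info_send` request shown above and reports whether each trusted-user lookup was keyed by name or by SID. The sample lines are constructed from the two fragments quoted in the report, and the function names are hypothetical.

```python
import re

# Matches the request line quoted in the ticket; any log prefix before it is ignored.
S2N_RE = re.compile(
    r"\[ipa_s2n_get_acct_info_send\].*?"
    r"Sending request_type: \[(?P<req>[A-Z_]+)\] "
    r"for trust user \[(?P<key>[^\]]+)\]"
)
# Textual SID form: S-1-<authority>-<sub-authority>...
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def classify_s2n_requests(lines):
    """Return one record per s2n request line: lookup key, kind and RID."""
    records = []
    for line in lines:
        match = S2N_RE.search(line)
        if match is None:
            continue  # not an s2n request line
        key = match.group("key")
        by_sid = SID_RE.match(key) is not None
        records.append({
            "request_type": match.group("req"),
            "key": key,
            "lookup": "sid" if by_sid else "name",
            # The RID is the last sub-authority of the SID; compare it with
            # the RID of the account that was actually requested.
            "rid": int(key.rsplit("-", 1)[1]) if by_sid else None,
        })
    return records


def sid_lookups(lines):
    """Only the SIDs that were sent to the IPA server as lookup keys."""
    return [r["key"] for r in classify_s2n_requests(lines) if r["lookup"] == "sid"]


# Constructed sample input built from the log fragments quoted in the report.
SAMPLE = [
    "[ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: "
    "[REQ_FULL_WITH_MEMBERS] for trust user [test2] to IPA server",
    "some unrelated debug line",
    "[ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: "
    "[REQ_FULL_WITH_MEMBERS] for trust user "
    "[S-1-5-21-653292258-51847207-622671684-1129] to IPA server",
]

if __name__ == "__main__":
    for record in classify_s2n_requests(SAMPLE):
        print(record)
```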
Since literally everything regarding resolution of users and groups is done at SSSD side, please file the ticket there.
Metadata Update from @knuppes: - Issue close_status updated to: invalid - Issue status updated to: Closed (was: Open)