In the following output, the UID of aduser1@adlabs.com should be 1436801207, coming from ADLABS.COM_id_range, even after a new trusted range for the same domain is added. Instead it gets UID 1557001207 assigned from the newly added ad_range, which should not be the case.
[root@server1 ~]# /usr/bin/ipa trust-add --type=ad adlabs.com --admin administrator --password --range-size 2000
Active directory domain administrator's password:
---------------------------------------------------
Added Active Directory trust for realm "adlabs.com"
---------------------------------------------------
  Realm name: adlabs.com
  Domain NetBIOS name: ADLABS
  Domain Security Identifier: S-1-5-21-3069109027-1612402048-776712048
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@server1 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlabs.com
  Domain NetBIOS name: ADLABS
  Domain Security Identifier: S-1-5-21-3069109027-1612402048-776712048
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
[root@server1 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADLABS.COM_id_range
  First Posix ID of the range: 1436800000
  Number of IDs in the range: 2000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3069109027-1612402048-776712048
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 650800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
[root@server1 ~]# id -u administrator@adlabs.com
1436800500
[root@server1 ~]# sleep 15; id -u aduser1@adlabs.com
1436801207
[root@server1 ~]# wbinfo -n aduser1@adlabs.com
S-1-5-21-3069109027-1612402048-776712048-1207 SID_USER (1)
[root@server1 ~]# ipa idrange-mod ADLABS.COM_id_range --range-size 1207
---------------------------------------
Modified ID range "ADLABS.COM_id_range"
---------------------------------------
  Range name: ADLABS.COM_id_range
  First Posix ID of the range: 1436800000
  Number of IDs in the range: 1207
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3069109027-1612402048-776712048
  Range type: Active Directory domain range
[root@server1 ~]# wbinfo -n aduser2@adlabs.com
S-1-5-21-3069109027-1612402048-776712048-1208 SID_USER (1)
[root@server1 ~]# service sssd stop
Redirecting to /bin/systemctl stop sssd.service
[root@server1 ~]# rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*
[root@server1 ~]# service sssd start
Redirecting to /bin/systemctl start sssd.service
[root@server1 ~]# id -u aduser1@adlabs.com
id: aduser1@adlabs.com: no such user
[root@server1 ~]# id -u aduser2@adlabs.com
id: aduser2@adlabs.com: no such user
[root@server1 ~]# ipa idrange-mod ADLABS.COM_id_range --range-size 1208
---------------------------------------
Modified ID range "ADLABS.COM_id_range"
---------------------------------------
  Range name: ADLABS.COM_id_range
  First Posix ID of the range: 1436800000
  Number of IDs in the range: 1208
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3069109027-1612402048-776712048
  Range type: Active Directory domain range
[root@server1 ~]# sleep 15; id -u aduser1@adlabs.com      <<<<<<<<<<<<<<<<<<<
1436801207
[root@server1 ~]# sleep 15; id -u aduser2@adlabs.com
id: aduser2@adlabs.com: no such user
[root@server1 ~]# /usr/bin/ipa idrange-add --dom-sid S-1-5-21-3069109027-1612402048-776712048 --rid-base 1208 --base-id 1557000000 --range-size 1210 ad_range
-------------------------
Added ID range "ad_range"
-------------------------
  Range name: ad_range
  First Posix ID of the range: 1557000000
  Number of IDs in the range: 1210
  First RID of the corresponding RID range: 1208
  Domain SID of the trusted domain: S-1-5-21-3069109027-1612402048-776712048
  Range type: Active Directory domain range
[root@server1 ~]# id -u aduser1@adlabs.com
1436801207
[root@server1 ~]# sleep 15; id -u aduser2@adlabs.com
1557001208
[root@server1 ~]# service sssd stop
Redirecting to /bin/systemctl stop sssd.service
[root@server1 ~]# rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*
[root@server1 ~]# service sssd start
Redirecting to /bin/systemctl start sssd.service
[root@server1 ~]# id -u aduser1@adlabs.com      <<<<<<<<<<<<<<<<<<<<<
1557001207
[root@server1 ~]# id -u aduser2@adlabs.com
1557001208
[root@server1 ~]# sleep 15; id -u aduser3@adlabs.com
1557001209
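A small model of the SID-to-UID mapping this ticket is about, added here as an illustration and not FreeIPA or SSSD code. The ranges and SIDs are the values from the output above; the "correct" lookup assumes the rule FreeIPA documents for trust ranges (pick the range whose RID interval contains the RID, UID = base ID + RID - RID base), while the second function models the observed behaviour (newest range for the domain, UID = base ID + RID), which reproduces the wrong 1557001207 for aduser1.

```python
# Added example (not FreeIPA/SSSD code): model of ID-range based SID -> UID
# mapping, reproducing the expected and the reported values from the ticket.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdRange:
    name: str
    dom_sid: str    # Domain SID of the trusted domain
    base_id: int    # First Posix ID of the range
    rid_base: int   # First RID of the corresponding RID range
    size: int       # Number of IDs in the range

    def covers_rid(self, rid: int) -> bool:
        return self.rid_base <= rid < self.rid_base + self.size


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-...-1207' into (domain SID, RID)."""
    dom, _, rid = sid.rpartition("-")
    return dom, int(rid)


def uid_for_sid(ranges: List[IdRange], sid: str) -> Optional[int]:
    """Assumed correct rule: the range whose RID interval contains the RID
    is used, and the offset inside that range is RID - rid_base."""
    dom, rid = split_sid(sid)
    for r in ranges:
        if r.dom_sid == dom and r.covers_rid(rid):
            return r.base_id + (rid - r.rid_base)
    return None  # no covering range: "id: ...: no such user"


def uid_for_sid_reported(ranges: List[IdRange], sid: str) -> Optional[int]:
    """Model of the behaviour seen in the ticket: the most recently added
    range for the domain wins and the RID is added to its base directly."""
    dom, rid = split_sid(sid)
    for r in reversed(ranges):
        if r.dom_sid == dom:
            return r.base_id + rid
    return None


# Values from the ticket output (sizes as they were after the second idrange-mod).
DOM = "S-1-5-21-3069109027-1612402048-776712048"
RANGES = [
    IdRange("ADLABS.COM_id_range", DOM, 1436800000, 0, 1208),    # RIDs 0..1207
    IdRange("ad_range", DOM, 1557000000, 1208, 1210),             # RIDs 1208..2417
]
ADUSER1, ADUSER2 = DOM + "-1207", DOM + "-1208"  # from the wbinfo -n output
```

Running `uid_for_sid(RANGES[:1], ADUSER2)` returns `None`, matching the "no such user" seen before ad_range existed, and `uid_for_sid_reported(RANGES, ADUSER1)` returns the 1557001207 the ticket flags.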
To fix this, an extension to libsss_idmap is needed, which is tracked in https://fedorahosted.org/sssd/ticket/1938.
As per the triage meeting, it is not clear if we will need this fix. As Sumit reported, if SSSD is fixed as planned, this fix won't be needed. Assigning to Sumit to decide this.
Rename "trusts" component to "Trusts" to achieve correct sorting.
Committed to master:
18c5e48
912699f
fb62414
ad575f0
Metadata Update from @steeve:
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 3.3 - 2013/06