[Freeipa-users] cross realm trust - SID doesn't resolve
Alexander Bokovoy
abokovoy at redhat.com
Mon Dec 10 06:13:29 UTC 2012
----- Original Message -----
> From: "Brian Cook" <bcook at redhat.com>
> To: freeipa-users at redhat.com
> Sent: Monday, December 10, 2012 3:30:38 AM
> Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
>
> I was able to get cross realm trust working with 2k8 R2 DC and RHEL
> 6.4 beta.
>
> I created an external group in IPA and then added member MSAD\Domain
> Users
>
> Now in the members of group external-test I have an unresolved sid
> instead of the name of the group. How might I go about
> troubleshooting / fixing this?
It should be a SID, not a group/user name; that's by design, so there is nothing broken in your setup.
Since normal groups in IPA LDAP use referential membership and all these trust users/groups do not exist in IPA LDAP as LDAP objects, we don't reference them by names directly but rather store SIDs only.
The MS-PAC structure in the Kerberos ticket uses SIDs, and sssd consults the IPA LDAP server (and then winbindd on the IPA server) for SID-to-name translation when parsing the MS-PAC.
--
/ Alexander Bokovoy
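As an added example (not code from this thread, nor from FreeIPA or sssd), here is a small Python helper for sanity-checking the SID that `ipa group-show` lists as an external member: it parses the textual SID, converts it to and from the binary form used in AD's objectSid and the MS-PAC, and splits it into the trusted domain's SID plus the RID so you can confirm it really belongs to the domain you trust. The MSAD domain SID below is a constructed value; the RID table holds the well-known built-in group RIDs.

```python
# Added example: inspect a SID stored as an external member of an IPA external group.
# Well-known RIDs of the built-in AD domain groups.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Constructed value: a made-up domain SID standing in for the trusted "MSAD" domain.
MSAD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def parse_sid(text):
    """'S-1-5-21-a-b-c-513' -> (revision, identifier authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported SID: %r" % text)
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary SID layout (objectSid / MS-PAC): revision byte, sub-authority count,
    48-bit big-endian identifier authority, then each sub-authority as 32-bit LE."""
    revision, authority, subs = parse_sid(text)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(s.to_bytes(4, "little") for s in subs))


def bytes_to_sid(raw):
    """Inverse of sid_to_bytes, with a length check against a truncated blob."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated SID blob")
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_domain_rid(text):
    """The domain SID is everything except the last sub-authority; that last one is the RID."""
    revision, authority, subs = parse_sid(text)
    if len(subs) < 2:
        raise ValueError("SID has no RID component: %r" % text)
    domain = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs[:-1])
    return domain, subs[-1]


def describe_external_member(text, trusted_domain_sid):
    """Verdict for a SID shown by `ipa group-show`: trusted domain + RID, or foreign."""
    domain, rid = split_domain_rid(text)
    if domain != trusted_domain_sid:
        return "foreign SID (domain %s is not the trusted domain)" % domain
    return "%s RID %d (%s)" % (domain, rid, WELL_KNOWN_RIDS.get(rid, "custom object"))
```

A SID whose domain part matches the trusted domain and whose RID is 513 is exactly what you should see for MSAD\Domain Users; only a SID from an unknown domain, or one that still fails `wbinfo -s` / `getent group` on the IPA server, points to an actual resolution problem.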