[Freeipa-users] cross realm trust - SID doesn't resolve

Brian Cook bcook at redhat.com
Mon Dec 10 07:04:40 UTC 2012


Good to know my setup is working, but for administration purposes displaying a SID in the GUI is as useless as displaying UIDs with no user name. SIDs are not meant for human eyes. Is there some issue with resolving it to the name and displaying the name instead? Should I open an RFE?

Brian



On Dec 9, 2012, at 10:13 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> ----- Original Message -----
>> From: "Brian Cook" <bcook at redhat.com>
>> To: freeipa-users at redhat.com
>> Sent: Monday, December 10, 2012 3:30:38 AM
>> Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
>> 
>> I was able to get cross realm trust working with 2k8 R2 DC and RHEL
>> 6.4 beta.
>> 
>> I created an external group in IPA and then added member MSAD\Domain
>> Users
>> 
>> Now in the members of group external-test I have an unresolved sid
>> instead of the name of the group.  How might I go about
>> troubleshooting / fixing this?
> It should be SID, not group/user name, that's by design, so there is nothing broken in your setup.
> Since normal groups in IPA LDAP are using referential membership and all these trust users/groups do not exist in IPA LDAP as LDAP objects, we don't reference them by names directly but rather store SIDs only.
> 
> MS-PAC structure in the Kerberos ticket uses SIDs, and sssd consults IPA LDAP server (and then winbindd on IPA server) for SID to name translation when parsing MS-PAC.
> -- 
> / Alexander Bokovoy
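The reply above describes the mechanism: the external group stores only the SID, the MS-PAC in the Kerberos ticket carries SIDs, and a name appears only when sssd can ask IPA LDAP / winbindd to translate the SID. The following Python is an added example, not code from the thread or from FreeIPA or sssd. It shows the binary SID layout that AD stores in objectSid and in the PAC, converts it to and from the familiar "S-1-5-21-..." string, and resolves a SID to "DOMAIN\name" using a constructed lookup table that stands in for what winbindd would answer. The domain SID and the domain name MSAD in the table are made up; only the well-known RIDs (512 Domain Admins, 513 Domain Users, and so on) are real AD constants. A SID whose domain or RID is not in the table is returned unchanged, which is exactly the "unresolved SID" the original poster saw in the GUI.

```python
import struct

# Constructed sample data: this domain SID and the MSAD name are invented
# stand-ins for what winbindd/sssd would return for a trusted AD domain.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_DOMAINS = {SAMPLE_DOMAIN_SID: "MSAD"}

# Well-known relative identifiers (RIDs) that every AD domain uses.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}


def parse_sid(sid):
    """Split 'S-<rev>-<authority>-<sub>-...' into (revision, authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Revision is always 1; authority is a 48-bit value; at most 15 sub-authorities.
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("malformed SID: %r" % sid)
    return revision, authority, subs


def sid_to_bytes(sid):
    """Encode a string SID in the binary layout used in objectSid and the PAC:
    1 byte revision, 1 byte sub-authority count, 6 bytes big-endian authority,
    then each sub-authority as a 32-bit little-endian integer."""
    revision, authority, subs = parse_sid(sid)
    head = struct.pack("BB", revision, len(subs))
    auth = authority.to_bytes(6, "big")
    body = b"".join(struct.pack("<I", s) for s in subs)
    return head + auth + body


def bytes_to_sid(raw):
    """Decode a binary SID back to its string form, validating the length."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def resolve_sid(sid, domains=SAMPLE_DOMAINS, rids=WELL_KNOWN_RIDS):
    """Map a SID to 'DOMAIN\\name'. The last sub-authority is the RID and the
    rest is the domain SID. When no lookup source knows the domain or the RID,
    return the SID unchanged, which is what ends up displayed as 'unresolved'."""
    revision, authority, subs = parse_sid(sid)
    if len(subs) < 2:
        return sid
    domain_sid = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:-1]))
    rid = subs[-1]
    domain = domains.get(domain_sid)
    name = rids.get(rid)
    if domain is None or name is None:
        return sid
    return "%s\\%s" % (domain, name)


if __name__ == "__main__":
    members = [SAMPLE_DOMAIN_SID + "-513",          # resolvable: Domain Users
               SAMPLE_DOMAIN_SID + "-1105",         # unknown RID, stays a SID
               "S-1-5-21-9-9-9-513"]                # unknown domain, stays a SID
    for m in members:
        raw = sid_to_bytes(m)
        assert bytes_to_sid(raw) == m
        print("%-48s -> %s" % (m, resolve_sid(m)))
```

Running the block prints the constructed Domain Users SID as MSAD\Domain Users and leaves the other two members as raw SIDs, mirroring the GUI behaviour discussed in the thread when the lookup path through sssd does not return a name.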
