Trusted domain user UID changes over time
Issue
User ID and group ID for AD trusted users change intermittently on IPA clients:
# id testuser
uid=150204506(testuser@ad.trusted.domain) gid=150204506(testuser@ad.trusted.domain) groups=150204506(testuser@ad.trusted.domain),422600024(group1@ipa.ad.trusted.domain),150200513(domain users@ad.trusted.domain)
in cache:
# record 263
dn: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb
createTimestamp: 1612795935
fullName: Stig RSA
gecos: Stig RSA
homeDirectory: /home/AD/testuser
name: testuser@ad.trusted.domain
objectCategory: user
objectSIDString: S-1-5-21-572961103-336395298-3025320579-4506
userPrincipalName: testuser@ad.trusted.domain
originalDN: OU=Users,OU=domain,DC=ad,DC=trusted,DC=domain
nameAlias: testuser@ad.trusted.domain
isPosix: TRUE
memberof: name=group1@ipa.ad.trusted.domain,cn=groups,cn=ipa.ad.trusted.domain,cn=sysdb
memberof: name=domain users@ad.trusted.domain,cn=groups,cn=ad.trusted.domain,cn=sysdb
initgrExpireTimestamp: 1613113202
uidNumber: 150204506
gidNumber: 150204506
lastUpdate: 1613107802
dataExpireTimestamp: 1613113202
distinguishedName: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb
vs.
# id testuser
uid=1172004506(testuser@ad.trusted.domain) gid=1172004506(testuser@ad.trusted.domain) groups=1172004506(testuser@ad.trusted.domain),422600024(group1@ipa.ad.trusted.domain),1172000513(domain users@ad.trusted.domain)
in cache:
# record 263
dn: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb
createTimestamp: 1612795935
fullName: Stig RSA
gecos: Stig RSA
homeDirectory: /home/AD/testuser
name: testuser@ad.trusted.domain
objectCategory: user
objectSIDString: S-1-5-21-572961103-336395298-3025320579-4506
userPrincipalName: testuser@ad.trusted.domain
originalDN: OU=Users,OU=domain,DC=ad,DC=trusted,DC=domain
nameAlias: testuser@ad.trusted.domain
isPosix: TRUE
initgrExpireTimestamp: 1613119202
uidNumber: 1172004506
gidNumber: 1172004506
lastUpdate: 1613113802
dataExpireTimestamp: 1613119202
memberof: name=group1@ipa.ad.trusted.domain,cn=groups,cn=ipa.ad.trusted.domain,cn=sysdb
distinguishedName: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb
As a result, all UID/GID-based restrictions don't work properly.
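A check for the drift shown above, as an added example that is not part of the Red Hat article or of SSSD: it parses two snapshots of the cached record (constructed from the dumps above, keeping only the attributes the check needs), splits objectSIDString into domain SID and RID, and flags the user when one SID resolves to more than one uidNumber. It also reports uidNumber minus RID, the implied base of the ID range, which differs between the two snapshots (150200000 vs 1172000000) even though the SID is identical.

```python
import re

# Two snapshots of the same sysdb record, abridged from the cache dumps above
# (constructed test input: only the attributes the check needs are kept).
SNAPSHOT_1 = """\
dn: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb
objectSIDString: S-1-5-21-572961103-336395298-3025320579-4506
uidNumber: 150204506
gidNumber: 150204506
lastUpdate: 1613107802
"""
SNAPSHOT_2 = """\
dn: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb
objectSIDString: S-1-5-21-572961103-336395298-3025320579-4506
uidNumber: 1172004506
gidNumber: 1172004506
lastUpdate: 1613113802
"""

def parse_record(text):
    """Parse one 'attr: value' record; multi-valued attributes become lists."""
    rec = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            rec.setdefault(attr, []).append(value)
    return rec

def split_sid(sid):
    """Return (domain SID, RID) for an S-1-5-21-<a>-<b>-<c>-<rid> string."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        raise ValueError("not a domain SID: %s" % sid)
    return m.group(1), int(m.group(2))

def mapping_summary(rec):
    """Implied range base = uidNumber - RID; equal bases mean a stable mapping."""
    domain_sid, rid = split_sid(rec["objectSIDString"][0])
    uid, gid = int(rec["uidNumber"][0]), int(rec["gidNumber"][0])
    return {"domain_sid": domain_sid, "rid": rid, "uid": uid, "gid": gid,
            "base": uid - rid, "last_update": int(rec["lastUpdate"][0])}

def detect_drift(snapshots):
    """Flag drift when one SID resolves to more than one UID across snapshots."""
    summaries = sorted((mapping_summary(parse_record(s)) for s in snapshots),
                       key=lambda s: s["last_update"])
    sids = {(s["domain_sid"], s["rid"]) for s in summaries}
    uids = sorted({s["uid"] for s in summaries})
    return {"drift": len(sids) == 1 and len(uids) > 1, "uids": uids,
            "bases": sorted({s["base"] for s in summaries})}
```

Feed detect_drift() records dumped from the client's sysdb cache at different times; a drift result for one SID means the UID/GID restrictions described above are being evaluated against different IDs for the same account.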
Environment
RHEL 7+ client
IPA 4.2+ servers (multi-master replication environment)
AD Trust setup