Trusted domain user UID changes over time

Solution Verified - Updated -

Issue

User ID and group ID for AD trusted users change intermittently on IPA clients:

# id testuser
uid=150204506(testuser@ad.trusted.domain) gid=150204506(testuser@ad.trusted.domain) groups=150204506(testuser@ad.trusted.domain),422600024(group1@ipa.ad.trusted.domain),150200513(domain users@ad.trusted.domain)

in the SSSD cache:

# record 263
dn: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb
createTimestamp: 1612795935
fullName: Stig RSA
gecos: Stig RSA
homeDirectory: /home/AD/testuser
name: testuser@ad.trusted.domain
objectCategory: user
objectSIDString: S-1-5-21-572961103-336395298-3025320579-4506
userPrincipalName: testuser@ad.trusted.domain
originalDN: OU=Users,OU=domain,DC=ad,DC=trusted,DC=domain
nameAlias: testuser@ad.trusted.domain
isPosix: TRUE
memberof: name=group1@ipa.ad.trusted.domain,cn=groups,cn=ipa.ad.trusted.domain,cn=sysdb
memberof: name=domain users@ad.trusted.domain,cn=groups,cn=ad.trusted.domain,cn=sysdb
initgrExpireTimestamp: 1613113202
uidNumber: 150204506
gidNumber: 150204506
lastUpdate: 1613107802
dataExpireTimestamp: 1613113202
distinguishedName: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb

versus, after the cached entry was refreshed:

# id testuser
uid=1172004506(testuser@ad.trusted.domain) gid=1172004506(testuser@ad.trusted.domain) groups=1172004506(testuser@ad.trusted.domain),422600024(group1@ipa.ad.trusted.domain),1172000513(domain users@ad.trusted.domain)

in the SSSD cache:

# record 263
dn: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb
createTimestamp: 1612795935
fullName: Stig RSA
gecos: Stig RSA
homeDirectory: /home/AD/testuser
name: testuser@ad.trusted.domain
objectCategory: user
objectSIDString: S-1-5-21-572961103-336395298-3025320579-4506
userPrincipalName: testuser@ad.trusted.domain
originalDN: OU=Users,OU=domain,DC=ad,DC=trusted,DC=domain
nameAlias: testuser@ad.trusted.domain
isPosix: TRUE
initgrExpireTimestamp: 1613119202
uidNumber: 1172004506
gidNumber: 1172004506
lastUpdate: 1613113802
dataExpireTimestamp: 1613119202
memberof: name=group1@ipa.ad.trusted.domain,cn=groups,cn=ipa.ad.trusted.domain,cn=sysdb
distinguishedName: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb

As a result, any restriction keyed on UID/GID (file ownership and permissions, for example) stops working properly, because the same AD account is presented under two different POSIX IDs.
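The two records above share one objectSIDString but show two different uidNumbers, and the same is true of the "domain users" group. The following added diagnostic, which is not part of the Red Hat article, recovers the ID range base behind each observed UID by subtracting the RID taken from the SID. It assumes the mapping SSSD uses for an ipa-ad-trust range (POSIX ID = base_id + RID); it does not apply to ipa-ad-trust-posix ranges, where POSIX attributes come from AD itself. The sample `id` lines and SID are copied from this page; the function and variable names are the example's own.

```python
import re

# Samples constructed from the `id` output and the objectSIDString shown in
# the cache records on this page (before and after the cache refresh).
SID = "S-1-5-21-572961103-336395298-3025320579-4506"
SAMPLES = [
    ("uid=150204506(testuser@ad.trusted.domain) gid=150204506(testuser@ad.trusted.domain) "
     "groups=150204506(testuser@ad.trusted.domain),422600024(group1@ipa.ad.trusted.domain),"
     "150200513(domain users@ad.trusted.domain)", SID),
    ("uid=1172004506(testuser@ad.trusted.domain) gid=1172004506(testuser@ad.trusted.domain) "
     "groups=1172004506(testuser@ad.trusted.domain),422600024(group1@ipa.ad.trusted.domain),"
     "1172000513(domain users@ad.trusted.domain)", SID),
]

DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users" in every AD domain

ID_RE = re.compile(r"uid=(\d+)\(([^)]*)\)\s+gid=(\d+)\(([^)]*)\)\s+groups=(.*)")
GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(line):
    """Parse one line of `id` output into uid, gid and a {group name: gid} map."""
    m = ID_RE.match(line.strip())
    if not m:
        raise ValueError("not an `id` line: %r" % line)
    groups = {name: int(num) for num, name in GROUP_RE.findall(m.group(5))}
    return {"uid": int(m.group(1)), "gid": int(m.group(3)), "groups": groups}


def rid_from_sid(sid):
    """Return the relative identifier (last sub-authority) of an S-1-5-21-... SID."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a domain SID: %r" % sid)
    return int(parts[-1])


def range_base(posix_id, rid):
    """Invert the ipa-ad-trust mapping (POSIX ID = base_id + RID) to recover base_id.

    Assumption of this example: the range is of type ipa-ad-trust, so the
    POSIX ID is algorithmically derived and not read from AD.
    """
    base = posix_id - rid
    if base < 0:
        raise ValueError("RID %d larger than POSIX ID %d" % (rid, posix_id))
    return base


def domain_users_base(record, ad_domain):
    """Cross-check: recover base_id from the 'domain users@<domain>' GID."""
    gid = record["groups"]["domain users@%s" % ad_domain]
    return range_base(gid, DOMAIN_USERS_RID)


def observed_bases(samples, ad_domain="ad.trusted.domain"):
    """Return (user-derived base, Domain Users-derived base) for each sample.

    The two values must agree within a sample; across samples they must be
    identical, otherwise the client has been served two different ID ranges
    for the same trusted domain SID.
    """
    result = []
    for id_line, sid in samples:
        rec = parse_id(id_line)
        user_base = range_base(rec["uid"], rid_from_sid(sid))
        group_base = domain_users_base(rec, ad_domain)
        result.append((user_base, group_base))
    return result


def distinct_bases(samples):
    """Set of distinct range bases seen across all samples; >1 means inconsistent mapping."""
    return sorted({ub for ub, _ in observed_bases(samples)})


if __name__ == "__main__":
    for (user_base, group_base), (line, _) in zip(observed_bases(SAMPLES), SAMPLES):
        print("uid %s -> base_id %d (Domain Users agrees: %s)"
              % (line.split()[0], user_base, user_base == group_base))
    bases = distinct_bases(SAMPLES)
    if len(bases) > 1:
        print("INCONSISTENT: %d different range bases for one domain SID: %s" % (len(bases), bases))
```

Run against the page's own data the script reports bases 150200000 and 1172000000 for the same domain SID. Those two numbers are what to compare with the `ipaBaseID` of the ranges listed by `ipa idrange-find` on each IPA master in the replication topology; a client should only ever see one base for a given trusted domain SID.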

Environment

RHEL 7+ client
IPA 4.2+ servers (multi-master replication environment)
ADTrust setup
