IPA AD Trust - Missing ipaNTsecurityidentifier on IDM object leads to SSSD failures
Issue
- SSSD fails to resolve AD trust users or groups with errors about objectSIDString or SID objects.
- On the IPA server, the domain is marked offline with these errors:

  [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-3004117530-1356132377-40998655-2535))].
  [sdap_id_op_destroy] (0x4000): releasing operation connection
  [ipa_initgr_get_overrides_step] (0x1000): Processing group 23/25
  [ipa_initgr_get_overrides_step] (0x0040): The group name=idmgroup@idm.example.com,cn=groups,cn=idm.example.com,cn=sysdb has no UUID attribute objectSIDString, error!
  [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides failed [22].
  [be_mark_dom_offline] (0x1000): Marking subdomain ad.domain offline
  [be_mark_subdom_offline] (0x1000): Marking subdomain ad.domain as inactive
  [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
  [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.

- On the IPA client, the resolution fails:

  [ipa_s2n_save_objects] (0x0400): Processing group idmgroup@idm.example.com
  [ipa_s2n_save_objects] (0x0020): Cannot find SID of object with override.
  [ipa_s2n_get_list_save_step] (0x0040): ipa_s2n_save_objects failed.
  [ipa_s2n_get_list_next] (0x0040): ipa_s2n_get_list_save_step failed.
  [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
  [sdap_id_op_done] (0x4000): releasing operation connection
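The two failure signatures above (the server-side "has no UUID attribute objectSIDString" message and the client-side "Processing group ..." followed by "Cannot find SID of object with override.") can be picked out of an SSSD debug log mechanically, and the affected IDM objects can then be located in LDAP by querying for entries with no ipaNTsecurityidentifier attribute. The script below is an added example and is not part of the Red Hat article. It assumes SSSD's "[function] (0xLEVEL): message" debug line layout (optionally preceded by a timestamp and backend prefix), uses a constructed sample log built from the messages quoted above, and assumes a base DN of cn=accounts,dc=idm,dc=example,dc=com derived from the realm name idm.example.com seen in the logs; ipaNTsecurityidentifier is the real IPA attribute that stores an object's SID.

```python
"""Scan SSSD debug output for the missing-SID failure pattern and build the
LDAP query that lists IDM users/groups lacking ipaNTsecurityidentifier.
Added example, not code from the Red Hat article."""
import re
from dataclasses import dataclass, field

# Generic SSSD debug entry: "[function] (0xLEVEL): message"; search() skips any
# timestamp or "[be[domain]]" prefix that precedes it on real log lines.
ENTRY_RE = re.compile(r"\[(?P<func>[A-Za-z0-9_]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)")
# Server-side signature: the cached group object carries no objectSIDString.
NO_SID_RE = re.compile(r"The group name=(?P<group>[^,]+),.*has no UUID attribute objectSIDString")
# Client-side signature: "Processing group <fqname>" followed by the SID lookup failure.
PROCESSING_RE = re.compile(r"Processing group (?P<group>\S+@\S+)")
OFFLINE_RE = re.compile(r"Marking subdomain (?P<dom>\S+) offline")
CLIENT_FAIL_MSG = "Cannot find SID of object with override."

# LDAP filter (assumed base DN supplied by the caller) for POSIX users/groups
# that have not been assigned a SID.
MISSING_SID_FILTER = (
    "(&(|(objectClass=posixAccount)(objectClass=posixGroup))"
    "(!(ipaNTsecurityidentifier=*)))"
)


@dataclass
class ScanResult:
    groups_without_sid: set = field(default_factory=set)
    offline_subdomains: list = field(default_factory=list)
    other_errors: list = field(default_factory=list)  # fatal/critical/serious entries not classified


def scan_sssd_log(lines):
    """Classify SSSD debug lines; returns the groups the log blames for missing SIDs."""
    result = ScanResult()
    last_group = None  # most recent "Processing group <fqname>" on the client side
    for line in lines:
        m = ENTRY_RE.search(line)
        if not m:
            continue
        msg = m["msg"]
        level = int(m["level"], 16)
        hit = NO_SID_RE.search(msg)
        if hit:
            result.groups_without_sid.add(hit["group"])
            continue
        hit = PROCESSING_RE.search(msg)
        if hit:
            last_group = hit["group"]
            continue
        if msg.startswith(CLIENT_FAIL_MSG):
            if last_group:
                result.groups_without_sid.add(last_group)
            continue
        hit = OFFLINE_RE.search(msg)
        if hit:
            result.offline_subdomains.append(hit["dom"])
            continue
        # SSSD debug levels 0x0010 (fatal), 0x0020 (critical), 0x0040 (serious).
        if level <= 0x0040:
            result.other_errors.append(msg)
    return result


def ldapsearch_args(base_dn):
    """Build an ldapsearch (GSSAPI bind) invocation listing objects without a SID."""
    return ["ldapsearch", "-Y", "GSSAPI", "-b", base_dn, "-s", "sub",
            MISSING_SID_FILTER, "dn", "cn", "uid"]


# Constructed sample: the server and client messages quoted in the article, one per line.
_PREFIX = "(2024-01-01  9:00:00): [be[idm.example.com]] "
SAMPLE_LOG = "\n".join(_PREFIX + entry for entry in [
    "[ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-3004117530-1356132377-40998655-2535))].",
    "[sdap_id_op_destroy] (0x4000): releasing operation connection",
    "[ipa_initgr_get_overrides_step] (0x1000): Processing group 23/25",
    "[ipa_initgr_get_overrides_step] (0x0040): The group name=idmgroup@idm.example.com,cn=groups,cn=idm.example.com,cn=sysdb has no UUID attribute objectSIDString, error!",
    "[ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides failed [22].",
    "[be_mark_dom_offline] (0x1000): Marking subdomain ad.domain offline",
    "[be_mark_subdom_offline] (0x1000): Marking subdomain ad.domain as inactive",
    "[ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.",
    "[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.",
    "[ipa_s2n_save_objects] (0x0400): Processing group idmgroup@idm.example.com",
    "[ipa_s2n_save_objects] (0x0020): Cannot find SID of object with override.",
    "[ipa_s2n_get_list_save_step] (0x0040): ipa_s2n_save_objects failed.",
    "[ipa_s2n_get_list_next] (0x0040): ipa_s2n_get_list_save_step failed.",
    "[ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.",
    "[sdap_id_op_done] (0x4000): releasing operation connection",
])

if __name__ == "__main__":
    r = scan_sssd_log(SAMPLE_LOG.splitlines())
    print("groups without SID:", sorted(r.groups_without_sid))
    print("subdomains marked offline:", r.offline_subdomains)
    print("query to run on the IPA server (assumed base DN):")
    print(" ".join(ldapsearch_args("cn=accounts,dc=idm,dc=example,dc=com")))
```

On a real system, feed the script the SSSD domain log (for example /var/log/sssd/sssd_idm.example.com.log with debug_level raised) and run the printed ldapsearch against the IPA server as a Kerberos-authenticated admin; any entry it returns is a candidate for the missing-attribute condition the article describes.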
Environment
- Red Hat Identity Management (IDM)
- IPA - AD Trust
- Red Hat Enterprise Linux 7, 8, 9