IPA AD Trust - Missing ipaNTsecurityidentifier on IDM object leads to SSSD failures

Solution In Progress - Updated -

Issue

  • SSSD fails to resolve AD trust users or groups with errors about objectSIDString or SID objects
  • On the IPA server, the domain is marked offline with these errors:
[ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-3004117530-1356132377-40998655-2535))].
[sdap_id_op_destroy] (0x4000): releasing operation connection
[ipa_initgr_get_overrides_step] (0x1000): Processing group 23/25
[ipa_initgr_get_overrides_step] (0x0040): The group name=idmgroup@idm.example.com,cn=groups,cn=idm.example.com,cn=sysdb has no UUID attribute objectSIDString, error!
[ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides failed [22].
[be_mark_dom_offline] (0x1000): Marking subdomain ad.domain offline
[be_mark_subdom_offline] (0x1000): Marking subdomain ad.domain as inactive
[ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.

** On the IPA client the resolution fails

[ipa_s2n_save_objects] (0x0400): Processing group idmgroup@idm.example.com
[ipa_s2n_save_objects] (0x0020): Cannot find SID of object with override.
[ipa_s2n_get_list_save_step] (0x0040): ipa_s2n_save_objects failed.
[ipa_s2n_get_list_next] (0x0040): ipa_s2n_get_list_save_step failed.
[ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
[sdap_id_op_done] (0x4000): releasing operation connection

Environment

  • Identity Management
  • IPA - AD Trust
  • Red Hat Enterprise Linux 7

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In