Trusted domain user UID changes over time

Solution Verified

Issue

The user ID and group ID of AD trusted users change intermittently on IPA clients. The same user resolves to two different UIDs in successive lookups:

# id testuser
uid=150204506(testuser@ad.trusted.domain) gid=150204506(testuser@ad.trusted.domain) groups=150204506(testuser@ad.trusted.domain),422600024(group1@ipa.ad.trusted.domain),150200513(domain users@ad.trusted.domain)

in the SSSD cache (sysdb record at that time):

# record 263
dn: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb
createTimestamp: 1612795935
fullName: Stig RSA
gecos: Stig RSA
homeDirectory: /home/AD/testuser
name: testuser@ad.trusted.domain
objectCategory: user
objectSIDString: S-1-5-21-572961103-336395298-3025320579-4506
userPrincipalName: testuser@ad.trusted.domain
originalDN: OU=Users,OU=domain,DC=ad,DC=trusted,DC=domain
nameAlias: testuser@ad.trusted.domain
isPosix: TRUE
memberof: name=group1@ipa.ad.trusted.domain,cn=groups,cn=ipa.ad.trusted.domain,cn=sysdb
memberof: name=domain users@ad.trusted.domain,cn=groups,cn=ad.trusted.domain,cn=sysdb
initgrExpireTimestamp: 1613113202
uidNumber: 150204506
gidNumber: 150204506
lastUpdate: 1613107802
dataExpireTimestamp: 1613113202
distinguishedName: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb

versus the same record after the cache entry was refreshed (note the later lastUpdate):

# id testuser
uid=1172004506(testuser@ad.trusted.domain) gid=1172004506(testuser@ad.trusted.domain) groups=1172004506(testuser@ad.trusted.domain),422600024(group1@ipa.ad.trusted.domain),1172000513(domain users@ad.trusted.domain)

in the SSSD cache (the same sysdb record after refresh):

# record 263
dn: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb
createTimestamp: 1612795935
fullName: Stig RSA
gecos: Stig RSA
homeDirectory: /home/AD/testuser
name: testuser@ad.trusted.domain
objectCategory: user
objectSIDString: S-1-5-21-572961103-336395298-3025320579-4506
userPrincipalName: testuser@ad.trusted.domain
originalDN: OU=Users,OU=domain,DC=ad,DC=trusted,DC=domain
nameAlias: testuser@ad.trusted.domain
isPosix: TRUE
initgrExpireTimestamp: 1613119202
uidNumber: 1172004506
gidNumber: 1172004506
lastUpdate: 1613113802
dataExpireTimestamp: 1613119202
memberof: name=group1@ipa.ad.trusted.domain,cn=groups,cn=ipa.ad.trusted.domain,cn=sysdb
distinguishedName: name=testuser@ad.trusted.domain,cn=users,cn=ad.trusted.domain,cn=sysdb

As a result, anything keyed on the numeric UID or GID (file ownership, access restrictions) does not work reliably, because the same user and group are assigned different IDs from one lookup to the next.
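The numbers in the two lookups are not arbitrary: 4506 is the RID (last sub-authority) of the user's objectSIDString, and in an IPA trust ID range a POSIX ID is derived as base ID + (RID - base RID). The script below is an added example, not part of the Red Hat solution. It embeds the two id(1) outputs above as constructed input, recovers the range base from each lookup, and cross-checks the user's uid against the "domain users" gid (well-known RID 513). It assumes the trust range starts at RID 0 (the ipabaserid value on the usual ipa-ad-trust range); the function and variable names are the example's own.

```python
import re

# Constructed sample input: the two id(1) outputs and the objectSIDString from
# the cache records shown above, embedded here so the script runs offline.
SID = "S-1-5-21-572961103-336395298-3025320579-4506"
AD_DOMAIN = "ad.trusted.domain"
ID_OUTPUTS = [
    "uid=150204506(testuser@ad.trusted.domain) gid=150204506(testuser@ad.trusted.domain) "
    "groups=150204506(testuser@ad.trusted.domain),422600024(group1@ipa.ad.trusted.domain),"
    "150200513(domain users@ad.trusted.domain)",
    "uid=1172004506(testuser@ad.trusted.domain) gid=1172004506(testuser@ad.trusted.domain) "
    "groups=1172004506(testuser@ad.trusted.domain),422600024(group1@ipa.ad.trusted.domain),"
    "1172000513(domain users@ad.trusted.domain)",
]
DOMAIN_USERS_RID = 513  # well-known RID of the AD "Domain Users" group


def rid_of(sid):
    """The last sub-authority of a SID is the RID (4506 for the user above)."""
    return int(sid.rsplit("-", 1)[1])


def parse_id_output(line):
    """Turn one line of id(1) output into uid, gid and a {group name: gid} map."""
    m = re.match(r"uid=(\d+)\(([^)]*)\) gid=(\d+)\(([^)]*)\) groups=(.*)$", line)
    if not m:
        raise ValueError("unexpected id(1) output: %r" % line)
    groups = {}
    for item in m.group(5).split(","):
        gm = re.fullmatch(r"(\d+)\(([^)]*)\)", item)
        if not gm:
            raise ValueError("unexpected group entry: %r" % item)
        groups[gm.group(2)] = int(gm.group(1))
    return {"uid": int(m.group(1)), "name": m.group(2),
            "gid": int(m.group(3)), "groups": groups}


def range_base(posix_id, rid, base_rid=0):
    """Invert the trust-range mapping posix_id = base_id + (rid - base_rid).

    base_rid=0 is an assumption that matches the usual ipa-ad-trust range.
    """
    return posix_id - (rid - base_rid)


def diagnose(outputs, sid, ad_domain):
    """Return ([(base from uid, base from Domain Users gid), ...], consistent).

    consistent is True only if every lookup was served from the same range base.
    """
    user_rid = rid_of(sid)
    bases = []
    for line in outputs:
        rec = parse_id_output(line)
        base_from_uid = range_base(rec["uid"], user_rid)
        du_gid = rec["groups"]["domain users@" + ad_domain]
        base_from_du = range_base(du_gid, DOMAIN_USERS_RID)
        bases.append((base_from_uid, base_from_du))
    consistent = len({b for b, _ in bases}) == 1
    return bases, consistent


if __name__ == "__main__":
    bases, ok = diagnose(ID_OUTPUTS, SID, AD_DOMAIN)
    for i, (b_uid, b_du) in enumerate(bases, 1):
        print("lookup %d: range base from uid=%d, from Domain Users gid=%d"
              % (i, b_uid, b_du))
    print("consistent base across lookups:", ok)
```

Both lookups are internally consistent (the uid and the Domain Users gid agree on the base, 150200000 in the first and 1172000000 in the second), so this is not a per-user cache corruption: the client is being handed IDs computed from two different ID ranges for the same domain SID. In a multi-master topology the first thing to compare is the output of `ipa idrange-find` on each IPA server against these two bases.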

Environment

RHEL 7+ client
IPA 4.2+ servers (multi-master replication environment)
ADTrust setup
