On Wed, 08 Aug 2018, Роман Гинович via FreeIPA-users wrote:
Yeah, I found it!

nsslapd-errorlog-level: 81920

[08/Aug/2018:14:48:36.815877034 +0300] - DEBUG - ipa-sidgen-postop - Found domain SID [S-1-5-21-3815719817-1094829178-2612344331].
[08/Aug/2018:14:48:37.775597841 +0300] - DEBUG - ipa-sidgen-postop - Trying to add SID for [cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config].
[08/Aug/2018:14:48:37.819957874 +0300] - DEBUG - ipa-sidgen-postop - [cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config] does not have Posix IDs, nothing to do.
[08/Aug/2018:14:48:40.810439175 +0300] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[08/Aug/2018:14:48:40.864083206 +0300] - DEBUG - ipa-sidgen-postop - Base DN: [dc=domain], Filter: [(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))(|(objectclass=posixaccount)(objectclass=posixgroup)(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))].
[08/Aug/2018:14:48:41.935631916 +0300] - DEBUG - ipa-sidgen-postop - Trying to add SID for [uid=bad_user_here,cn=staged users,cn=accounts,cn=provisioning,dc=domain].
[08/Aug/2018:14:48:41.976041848 +0300] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 483]: ID value too large.
[08/Aug/2018:14:48:42.226947787 +0300] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[08/Aug/2018:14:48:42.644938556 +0300] - DEBUG - ipa-sidgen-postop - do_work finished with [19].
[08/Aug/2018:14:48:42.686593559 +0300] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [19].

ldapsearch -D "cn=Directory Manager" -W -b cn=provisioning,dc=aim 'uid=bad_user_here' | grep -E "uidN|gidN"
uidNumber: -1
gidNumber: -1

After removing him, all done OK.

So, this is a user from the staged area, right? It looks like we need
to fix the sidgen plugin to ignore users in the staged area. Additionally,
we need to run SID generation when users are moved from staging to
production.

Could you please open an issue at pagure?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland