Hello again,

I have resolved the problem myself.
Following https://access.redhat.com/solutions/659243 the sssd cache must be 
erased using:
service sssd stop; rm -f /var/lib/sss/db/*; service sssd start

It seems that the way I used "sss_cache -E" doesn't work on this.

Thanks & Regards.


From: SOLER SANGUESA Miguel
Sent: Monday, February 04, 2019 12:46
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Subject: Error: "has a RID that is larger than the ldap_idmap_range_size"

Hello,

I have an IDM cluster (Master + Replica) version 4.5.4 on RHEL 7.4. I have 
created a trust with an AD 2016 domain AD.COMPANY.ORG. Some users are working 
properly, but I created a new AD user and it is not working. Checking on the 
sssd logs I found:
[sdap_idmap_sid_to_unix] (0x0040): Object SID 
[S-1-5-21-XXXXXXXXX-2674911608-YYYYYYYY-208726] has a RID that is larger than 
the ldap_idmap_range_size. See the "ID MAPPING" section of sssd-ad(5) for an 
explanation of how to resolve this issue.
[sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID 
[S-1-5-21-XXXXXXXXX-2674911608-YYYYYYYY-208726] to a UNIX ID
[sssd[be[ipa.AD.COMPANY.ORG]]] [sdap_save_user] (0x0020): Failed to save user 
[u...@ad.company.org]
[sssd[be[ipa.AD.COMPANY.ORG]]] [sdap_save_users] (0x0040): Failed to store user 
0. Ignoring.


I've googled it and found that the range by default has a size of 200000, and as 
the last number of the SID (in this case 208726) is the one used for the ID, it is 
bigger than the range, so the error is normal.
The problem is that I have modified the range size:

# ipa idrange-mod --range-size=600000
Range name: AD.COMPANY.ORG_id_range
-------------------------------------------
Modified ID range "AD.COMPANY.ORG_id_range"
-------------------------------------------
  Range name: AD.COMPANY.ORG_id_range
  First Posix ID of the range: 1467600000
  Number of IDs in the range: 600000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-185866794-2674911608-285463921
  Range type: Active Directory domain range


I have restarted IPA service, reset sssd cache and I get the same error.
Any idea why it is still failing?

Thanks & Regards.