On Mon, 16 Feb 2015, Nicolas Zin wrote:
Hi,

we created a trust relationship with an AD, and we get this result:
# ipa trust-domainfind "company.com"
 Domain name: corp.company.com
 Domain NetBIOS name: COMPANY
 Domain Security Identifier: S-1-5-21-blabla-blabla-blabla
 Domain enabled: True

 Domain name: company.com
 Domain NetBIOS name: ROOT
 Domain Security Identifier: S-1-5-21-blabla2-blabla2-blabla2
 Domain enabled: True

We manage to see the user from the root domain:
id au...@company.com

But cannot see a user from the child:
id anotheru...@corp.company.com


In the logs we see:
Could not convert objectSID S-1-5-21-blabla-blabla-blabla-496378] to a UNIX ID
RID (496378) is larger than the size of the idrange given for this
domain (200000 ids by default).

You need to extend idrange for corp.company.com.

In the Windows world RIDs grow monotonically -- if you delete a user, its RID
is not reused. When there is a large churn of users created/removed, RIDs
may go up quickly. For most mid-range companies defaults like IPA has
(200000 ids) are fine, but if your situation is different, increase the
range.

Note that idranges for trusted AD domains are not used by DNA plugin as
nothing is allocating in this space on the LDAP server side, rather SSSD
does allocation on its own, it just needs the idrange reserved.

For example, 'ipa idrange-mod <range-name> --size=1000000' to set the
idrange size to one million. The range name for the trusted domain can be
seen with 'ipa idrange-find'.
--
/ Alexander Bokovoy
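As an added illustration of the check described above (example code written for this thread, not part of the original mail or of FreeIPA/SSSD), the following Python script parses the objectSID from a log line like the one quoted, looks up the trusted domain's idrange by domain SID, and reports whether the RID fits inside the configured size. The range names, domain SIDs and base ids are constructed placeholders; the rule "RID must be smaller than the range size" follows the log message in the thread, and the "base id + RID" mapping for ipa-ad-trust ranges is an assumption. It goes slightly beyond the single case in the mail by handling several domains and computing the smallest size that would accept the failing RID.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Domain SID prefix plus trailing RID, e.g. S-1-5-21-a-b-c-496378
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


@dataclass
class IdRange:
    """One trusted-domain idrange as 'ipa idrange-find' would list it."""
    name: str          # constructed placeholder name
    domain_sid: str    # constructed placeholder domain SID
    base_id: int       # first UNIX id of the range (assumed)
    size: int          # number of ids reserved (200000 is the IPA default)


# Constructed ranges mirroring the two domains from the thread.
RANGES: List[IdRange] = [
    IdRange("COMPANY.COM_id_range", "S-1-5-21-111-222-333", 1000000, 200000),
    IdRange("CORP.COMPANY.COM_id_range", "S-1-5-21-444-555-666", 1200000, 200000),
]


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an objectSID into its domain SID and its RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain objectSID: {sid}")
    return m.group(1), int(m.group(2))


def map_sid(sid: str, ranges: List[IdRange]) -> Tuple[Optional[str], Optional[int], str]:
    """Return (range name, UNIX id or None, status) for an objectSID.

    Assumption: a RID maps to base_id + RID and must satisfy RID < size.
    """
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid == domain_sid:
            if rid >= r.size:
                return r.name, None, f"RID {rid} exceeds idrange size {r.size}"
            return r.name, r.base_id + rid, "ok"
    return None, None, f"no idrange for domain {domain_sid}"


def minimum_size_for(rid: int) -> int:
    """Smallest --size that still accepts this RID (RID < size)."""
    return rid + 1


def check_log_line(line: str, ranges: List[IdRange]) -> dict:
    """Parse an SSSD 'Could not convert objectSID ...' line and explain it."""
    m = re.search(r"objectSID (S-1-5-21-[\d-]+)", line)
    if not m:
        return {"parsed": False}
    sid = m.group(1)
    name, unix_id, status = map_sid(sid, ranges)
    _, rid = split_sid(sid)
    return {
        "parsed": True,
        "sid": sid,
        "rid": rid,
        "range": name,
        "unix_id": unix_id,
        "status": status,
        "minimum_size": minimum_size_for(rid),
    }


# Constructed log line in the shape quoted in the thread (including its stray ']').
SAMPLE_LOG = "Could not convert objectSID S-1-5-21-444-555-666-496378] to a UNIX ID"

if __name__ == "__main__":
    result = check_log_line(SAMPLE_LOG, RANGES)
    print(result)
    if result["unix_id"] is None and result["range"]:
        print(f"ipa idrange-mod {result['range']} --size={result['minimum_size']}")
```

Running it on the sample line reports that RID 496378 does not fit a 200000-id range and prints the idrange-mod command with a size that would, after which the range is reserved for SSSD's own allocation as the mail explains.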

