We have a trust relationship established between our AD domain and our IPA 
domain, and AD users can be found on the IPA server with id and getent passwd. 
When a user tries to SSH to the IPA server with AD credentials, the logs show:

(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x0400): Processing user guertin-s
(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x1000): Mapping user [guertin-s] objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to unix ID
(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID

It seems that this is a problem with the ID range, but I can't see where the 
problem is. We increased the default range size from 200,000 to 2,000,000, which I 
would think should be able to handle a RID of 245906:

# ipa idrange-find --all
----------------
2 ranges matched
----------------
  dn: cn=CSNS.MIDDLEBURY.EDU_id_range,cn=ranges,cn=etc,dc=csns,dc=middlebury,dc=edu
  Range name: CSNS.MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 1824600000
  Number of IDs in the range: 2000000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
  iparangetyperaw: ipa-local
  objectclass: top, ipaIDrange, ipaDomainIDRange

  dn: cn=MIDDLEBURY.EDU_id_range,cn=ranges,cn=etc,dc=csns,dc=middlebury,dc=edu
  Range name: MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 2000000
  Domain SID of the trusted domain: S-1-5-21-1983215674-46037090-646806464
  Range type: Active Directory trust range with POSIX attributes
  iparangetyperaw: ipa-ad-trust-posix
  objectclass: ipatrustedaddomainrange, ipaIDrange
----------------------------
Number of entries returned 2
----------------------------

But the error remains. What am I missing?

David Guertin
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
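A small model of the SID-to-UID decision that the 0x0080 log line above reports, added here as an illustration for this thread (not code from the poster, FreeIPA or SSSD). It assumes the algorithmic formula UID = base_id + (RID - base_rid) that applies to ipa-ad-trust ranges, and that ipa-ad-trust-posix ranges take the UID from the user's uidNumber in AD instead; the second range, the SIDs it uses and the function names are constructed.

```python
import re

# Constructed from the `ipa idrange-find --all` output in the post, plus one
# hypothetical ipa-ad-trust (algorithmic) range for contrast.
RANGES = [
    {"name": "MIDDLEBURY.EDU_id_range", "type": "ipa-ad-trust-posix",
     "base_id": 10000, "size": 2000000, "base_rid": 0,
     "domain_sid": "S-1-5-21-1983215674-46037090-646806464"},
    {"name": "EXAMPLE.TEST_id_range", "type": "ipa-ad-trust",
     "base_id": 200000, "size": 2000000, "base_rid": 0,
     "domain_sid": "S-1-5-21-1111111111-2222222222-3333333333"},
]

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain-relative SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def sid_to_unix(sid, ranges=RANGES):
    """Decide how a SID resolves to a UID given the configured idranges.

    Returns (uid, reason). uid is None whenever no algorithmic mapping
    applies; reason spells out why, which the 0x0080 log line does not.
    """
    dom, rid = split_sid(sid)
    for r in ranges:
        if r["domain_sid"] != dom:
            continue
        if r["type"] == "ipa-ad-trust-posix":
            # POSIX ranges have no RID formula: the UID comes from the
            # user's uidNumber in AD and must fall inside the range.
            lo, hi = r["base_id"], r["base_id"] + r["size"] - 1
            return None, f"{r['name']} is POSIX type; UID must be AD uidNumber in {lo}..{hi}"
        # ipa-ad-trust: UID = base_id + (RID - base_rid), bounded by size.
        offset = rid - r["base_rid"]
        if 0 <= offset < r["size"]:
            return r["base_id"] + offset, f"mapped algorithmically by {r['name']}"
        return None, f"RID {rid} outside RIDs {r['base_rid']}..{r['base_rid'] + r['size'] - 1} of {r['name']}"
    return None, f"no idrange configured for domain SID {dom}"
```

Running the SID from the log through the POSIX-type range returns no UID, showing that with this range type the lookup depends on the AD account carrying a uidNumber inside 10000..2009999 rather than on the RID.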