On 4 April 2017 at 01:35, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On ma, 03 huhti 2017, Orion Poplawski wrote:
>> On 04/03/2017 09:03 AM, Orion Poplawski wrote:
>>> On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
>>>> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>>>
>>> I'm seeing:
>>
>> [03/Apr/2017:09:07:34.269247507 -0600] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>> [03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID  into an unused SID.
>> [03/Apr/2017:09:07:34.274521892 -0600] do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
>> [03/Apr/2017:09:07:34.277196405 -0600] sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished .
>
> Look at this list's archives, I've been giving recipes how to fix this
> in February.
>
>> My IPA ranges are:
>>
>> # ipa idrange-find
>> ----------------
>> 2 ranges matched
>> ----------------
>>   Range name: AD.NWRA.COM_id_range
>>   First Posix ID of the range: 20000
>>   Number of IDs in the range: 20000
>>   First RID of the corresponding RID range: 0
>>   Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
>>   Range type: Active Directory domain range
>>
>>   Range name: NWRA.COM_id_range
>>   First Posix ID of the range: 8000
>>   Number of IDs in the range: 2000
>>   First RID of the corresponding RID range: 1000
>>   First RID of the secondary RID range: 100000000
>>   Range type: local domain range
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> So I've been creating these local posix IPA groups for HBAC access (as
>> well as file storage) with the same gid as that assigned to the AD user.
>> Perhaps that is a problem?
>
> Yes, that is a problem. But HBAC group is not a problem because HBAC
> group is not a POSIX IPA group at all, it is even stored in a different
> subtree than user groups.

Can you expand on this please? In what way is this a problem?

We also have local posix IPA groups with the same gid as that assigned to the AD user (for historical reasons to do with samba shares on networked disks). We don't use those groups for HBAC though, we use AD group membership through external groups for HBAC. (I use the term "we use HBAC" loosely - it's still in testing :) )

cheers
L.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
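The collision Alexander points at can be checked before the sidgen task runs. The script below is an added example and not code from the thread or from FreeIPA: it parses the `ipa idrange-find` output quoted above (embedded here as a constructed sample with the thread's own values) and flags local POSIX entries whose ID lands in a trusted-domain range or in no range at all. The list of local groups is constructed, and the rule that such IDs cannot be converted to a SID is an assumption drawn from the quoted `find_sid_for_ldap_entry` error, not from FreeIPA's source.

```python
"""Flag local IPA POSIX IDs that cannot be mapped to a SID (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the `ipa idrange-find` output quoted in the thread.
IDRANGE_OUTPUT = """\
----------------
2 ranges matched
----------------
  Range name: AD.NWRA.COM_id_range
  First Posix ID of the range: 20000
  Number of IDs in the range: 20000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
  Range type: Active Directory domain range

  Range name: NWRA.COM_id_range
  First Posix ID of the range: 8000
  Number of IDs in the range: 2000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
"""

# Constructed local groups (name, gid): one inside the AD range, one inside
# the local range, one outside every range.
SAMPLE_GROUPS = [("nas_share", 25000), ("admins", 8001), ("legacy", 50000)]

LOCAL_RANGE_TYPE = "local domain range"


@dataclass(frozen=True)
class IdRange:
    name: str
    first: int
    size: int
    rtype: str

    @property
    def last(self) -> int:
        return self.first + self.size - 1

    def contains(self, posix_id: int) -> bool:
        return self.first <= posix_id <= self.last


def _to_range(block: dict[str, str]) -> IdRange | None:
    try:
        return IdRange(block["Range name"],
                       int(block["First Posix ID of the range"]),
                       int(block["Number of IDs in the range"]),
                       block["Range type"])
    except KeyError:
        return None  # not a range block (e.g. the summary lines)


def parse_idranges(text: str) -> list[IdRange]:
    """Parse the 'key: value' blocks of `ipa idrange-find`; a blank or
    separator line closes the current block."""
    ranges: list[IdRange] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
        elif current:
            r = _to_range(current)
            if r is not None:
                ranges.append(r)
            current = {}
    if current and (r := _to_range(current)) is not None:
        ranges.append(r)
    return ranges


def classify(ranges: list[IdRange], posix_id: int) -> IdRange | None:
    """Return the range that contains posix_id, or None if no range does."""
    for r in ranges:
        if r.contains(posix_id):
            return r
    return None


def find_conflicts(ranges: list[IdRange],
                   local_entries: list[tuple[str, int]]) -> list[tuple[str, int, str | None]]:
    """Local entries whose ID is not in a local range: (name, id, range name
    or None). Assumption: sidgen cannot assign these a SID, which is the
    'Cannot convert Posix ID into an unused SID' error quoted in the thread."""
    conflicts = []
    for name, posix_id in local_entries:
        r = classify(ranges, posix_id)
        if r is None:
            conflicts.append((name, posix_id, None))
        elif r.rtype != LOCAL_RANGE_TYPE:
            conflicts.append((name, posix_id, r.name))
    return conflicts


RANGES = parse_idranges(IDRANGE_OUTPUT)

if __name__ == "__main__":
    for name, gid, owner in find_conflicts(RANGES, SAMPLE_GROUPS):
        where = f"trusted range {owner}" if owner else "no configured range"
        print(f"{name} (gid {gid}) falls in {where}; sidgen cannot give it a SID")
```

On a live server the `IDRANGE_OUTPUT` string would be replaced by the real command output and `SAMPLE_GROUPS` by the `gidNumber`/`uidNumber` values of the local entries, so that the groups Orion describes (local POSIX groups reusing an AD user's GID) show up before the sidgen task logs them one by one.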