On Wed, Feb 01, 2017 at 12:29:37PM -0500, Chris Dagdigian wrote:
> Hi folks,
> 
> I've posted here and gotten amazing help on our odd setup with IPA having a
> 1-way trust to a massive remote AD forest with 90+ domain controllers and
> lots of child domains.
> 
> I'm running into a strange issue where I can resolve and manage users in
> child domain (NAFTA.COMPANY.ORG) but I am getting failures and just
> discovered an interesting error that relates to resolving a user in the
> EAME.COMPANY.ORG forest.
> 
> However I've also been dragged down the rabbit hole tracking down errors
> that turned out to be meaningless so I figured my 1st question will be "is
> this the error I should be focusing on?"
> 
> This is my situation:
> 
> 1. "id u...@nafta.company.org" works perfectly fine - no issues at all with
> RBAC, sudo and hosting SSH keys etc.
> 
> 2. "id u...@eame.company.org" fails with "no such user"
> 
> 3. We did not configure any specific SID-UID mapping rules in sssd.conf as
> we had assumed we'd use the "default" behavior
> 
> 
> After digging through the logs I found this which seems VERY clear about the
> root cause:
> 
> (Wed Feb 1 17:02:18 2017) [sssd[be[companyidm.org]]]
> [dp_get_account_info_handler] (0x0200): Got request for
> [0x1][BE_REQ_USER][1][name=u474...@eame.company.org]
> (Wed Feb 1 17:02:18 2017) [sssd[be[companyidm.org]]]
> [sdap_idmap_sid_to_unix] (0x0040): Object SID
> [S-1-5-21-299502267-823518204-725345543-201173] has a RID that is larger
> than the ldap_idmap_range_size. See the "ID MAPPING" section of sssd-ad(5)
> for an explanation of how to resolve this issue.
> (Wed Feb 1 17:02:18 2017) [sssd[be[companyidm.org]]]
> [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID
> [S-1-5-21-299502267-823518204-725345543-201173] to a UNIX ID
> (Wed Feb 1 17:02:18 2017) [sssd[be[companyidm.org]]] [sdap_save_user]
> (0x0020): Failed to save user [u474...@eame.company.org]
> (Wed Feb 1 17:02:18 2017) [sssd[be[companyidm.org]]] [sdap_save_users]
> (0x0040): Failed to store user 0. Ignoring.
> 
> 
> The error about "Object SID has a RID that is larger than
> ldap_idmap_range_size .." seems pretty clear. I don't think this is a
> 'rabbit hole' message - this seems like a real config problem on my end.

Yes, unfortunately this message is a bit misleading on an IPA client
because here you do not have to fix the local configuration but you only
have to add an id-range on an IPA server. Please check the existing
id-ranges with

    ipa idrange-find

There should already be one for EAME.COMPANY.ORG with the default size
of 200000 ("Number of IDs in the range: 200000"). Please add a second
idrange for EAME.COMPANY.ORG which covers the RIDs above 200000. If you
need help with choosing the parameters please send the idrange-find
output.

HTH

bye,
Sumit

> 
> The problem is that I'm not quite sure what I should configure to resolve
> this. The man page for sssd-ad covers the topic but does not cover
> recommended configuration options.
> 
> 
> Questions for this list:
> 
> 1) Confirm that the "SID has an RID that is larger ..." error is real and
> worth chasing down ?
> 
> 2) My understanding was that by default SSSD will hash SIDs and come up with
> unique UID and GID ranges that will be consistent across any machine bound
> to the same IDM mechanism. So I've not configured anything specific related
> to SID-to-UID mapping as we wanted to go with the default behavior used by
> SSSD. Obviously the default is not working and I've got to make a change. I
> just don't know what the recommended change should be. Help appreciated!
> 
> 
> 
> Config file details are below.
> 
> 
> Regards,
> Chris
> 
> 
> 
> 
> 
> This is the sssd/sssd.conf file on the IPA server:
> 
> ###----------------------
> 
> [domain/companyidm.org]
> ldap_user_principal = nosuchattr
> subdomain_inherit = ldap_user_principal
> debug_level = 5
> krb5_validate = True
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = companyidm.org
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = usaeilidmp001.companyidm.org
> chpass_provider = ipa
> ipa_server = usaeilidmp001.companyidm.org
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> 
> domains = companyidm.org
> [nss]
> memcache_timeout = 600
> homedir_substring = /home
> 
> [pam]
> debug_level = 5
> [sudo]
> 
> [autofs]
> 
> [ssh]
> debug_level = 5
> 
> [pac]
> 
> [ifp]
> 
> ###----------------------
> 
> 
> This is krb5.conf which handles the child domain and trust things ...
> 
> [capaths]
> COMPANYAWS.ORG = {
> COMPANYIDM.ORG = COMPANYAWS.ORG
> }
> COMPANYIDM.ORG = {
> COMPANYAWS.ORG = COMPANYAWS.ORG
> SYNGENTA.ORG = COMPANY.ORG
> EAME.COMPANY.ORG = SYNGENTA.ORG
> APAC.COMPANY.ORG = SYNGENTA.ORG
> LATAM.COMPANY.ORG = SYNGENTA.ORG
> NAFTA.COMPANY.ORG = SYNGENTA.ORG
> }
> COMPANY.ORG = {
> COMPANYIDM.ORG = COMPANY.ORG
> }
> EAME.COMPANY.ORG = {
> COMPANYIDM.ORG = COMPANY.ORG
> }
> APAC.COMPANY.ORG = {
> COMPANYIDM.ORG = COMPANY.ORG
> }
> LATAM.COMPANY.ORG = {
> COMPANYIDM.ORG = COMPANY.ORG
> }
> NAFTA.COMPANY.ORG = {
> COMPANYIDM.ORG = COMPANY.ORG
> }
> 
> 
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = COMPANYIDM.ORG
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
> COMPANYIDM.ORG = {
> kdc = usaeilidmp001.companyidm.org:88
> master_kdc = usaeilidmp001.companyidm.org:88
> admin_server = usaeilidmp001.companyidm.org:749
> default_domain = syngentaidm.org
> pkinit_anchors = FILE:/etccompanyidmipa/ca.crt
> }
> 
> [dbmodules]
> COMPANYIDM.ORG = {
> db_library = ipadb.so
> }
> 
> 
> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

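The check Sumit describes, as an added example that is not part of the thread: parse `ipa idrange-find`-style output, see whether the failing SID's RID falls inside an existing range for that trusted domain, and if not propose the second range. The range entries, base IDs and the EAME domain SID below are constructed to mimic the CLI output (the real values come from the poster's own `ipa idrange-find`); the mapping rule `unix_id = base_id + (rid - rid_base)` for `rid_base <= rid < rid_base + size` is how IPA/SSSD map trust-range RIDs, and the `ipa idrange-add` option names are assumed from the IPA CLI and should be checked against `ipa idrange-add --help` before use.

```python
"""Check an AD SID against IPA ID ranges and propose the next range.

Added example, not code from the thread. Sample data is constructed.
"""

# Constructed sample, modelled on `ipa idrange-find` output (values assumed).
IDRANGE_FIND_OUTPUT = """\
----------------
2 ranges matched
----------------
  Range name: COMPANYIDM.ORG_id_range
  First Posix ID of the range: 1430000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: EAME.COMPANY.ORG_id_range
  First Posix ID of the range: 1530000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-299502267-823518204-725345543
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
"""

# CLI labels -> short keys; labels not listed (e.g. secondary RID) are ignored.
LABELS = {
    "Range name": "name",
    "First Posix ID of the range": "base_id",
    "Number of IDs in the range": "size",
    "First RID of the corresponding RID range": "rid_base",
    "Domain SID of the trusted domain": "dom_sid",
    "Range type": "type",
}
INT_FIELDS = {"base_id", "size", "rid_base"}


def parse_idranges(text):
    """Turn idrange-find output into a list of dicts, one per range."""
    ranges, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            if cur:                      # blank/separator line ends an entry
                ranges.append(cur)
                cur = {}
            continue
        label, _, value = line.partition(":")
        key = LABELS.get(label.strip())
        if key:
            cur[key] = int(value) if key in INT_FIELDS else value.strip()
    if cur:
        ranges.append(cur)
    return ranges


def split_sid(sid):
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', RID)."""
    dom, _, rid = sid.rpartition("-")
    return dom, int(rid)


def sid_to_unix_id(sid, ranges):
    """UNIX ID for an AD SID, or None when no range of its domain covers the RID."""
    dom, rid = split_sid(sid)
    for r in ranges:
        if r.get("dom_sid") != dom:
            continue
        if r["rid_base"] <= rid < r["rid_base"] + r["size"]:
            return r["base_id"] + (rid - r["rid_base"])
    return None            # this is the "RID larger than range size" case


def propose_next_range(sid, ranges, size=200000):
    """Propose a new trust range whose RID block contains the SID's RID.

    The POSIX base is placed above every existing range so it overlaps none
    of them (IPA rejects overlapping ranges)."""
    dom, rid = split_sid(sid)
    same_dom = [r for r in ranges if r.get("dom_sid") == dom]
    if not same_dom:
        raise ValueError("no IPA idrange exists for domain SID " + dom)
    rid_base = (rid // size) * size
    if any(r["rid_base"] == rid_base for r in same_dom):
        raise ValueError("a range with rid_base %d already exists" % rid_base)
    prefix = same_dom[0]["name"].split("_id_range")[0]
    base_id = max(r["base_id"] + r["size"] for r in ranges)
    return {"name": "%s_id_range_%d" % (prefix, rid_base // size + 1),
            "base_id": base_id, "size": size, "rid_base": rid_base,
            "dom_sid": dom}


def idrange_add_command(p):
    """Render the proposal as an `ipa idrange-add` call (flags assumed)."""
    return ('ipa idrange-add "%s" --base-id=%d --range-size=%d --rid-base=%d '
            '--dom-sid=%s --type=ipa-ad-trust'
            % (p["name"], p["base_id"], p["size"], p["rid_base"], p["dom_sid"]))


if __name__ == "__main__":
    rs = parse_idranges(IDRANGE_FIND_OUTPUT)
    failing = "S-1-5-21-299502267-823518204-725345543-201173"  # from the log
    print("mapped id:", sid_to_unix_id(failing, rs))
    print(idrange_add_command(propose_next_range(failing, rs)))
```

The script only prints the command; run it on the IPA server by hand after confirming the flag names, then retry `id u...@eame.company.org` on a client (SSSD may keep the negative cache entry for a while, so a cache flush or SSSD restart on the client can be needed before the lookup succeeds).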