On (22/09/16 12:22), Richard Collins wrote:
>Hi,
>
>Running Red Hat Enterprise Linux Server release 6.5 (Santiago) - 2.6.32-431.el6.x86_64
>
>When running version sssd-1.9.2-129.el6.x86_64, users with objectSID/RID outside the default range (200,000) fail to convert and therefore cannot be authenticated. For example:
>
>
>sssd-1.9.2-129.el6.x86_64 domain mapping:
>(Tue Sep 20 14:36:00 2016) [sssd[be[MYDOMAIN]]] [sdap_idmap_init] (0x0100): Initializing [1] domains for ID-mapping
>(Tue Sep 20 14:36:00 2016) [sssd[be[MYDOMAIN]]] [sdap_idmap_add_domain] (0x0100): Adding domain [###################-3828131906] as slice [9122]
>(Tue Sep 20 14:36:00 2016) [sssd[be[MYDOMAIN]]] [sysdb_idmap_dn] (0x4000): objectSID=###################-3828131906,cn=id_mappings,cn=MYDOMAIN,cn=sysdb
>
>
>sssd-1.9.2-129.el6.x86_64 failed attempt:
>(Tue Sep 20 14:39:52 2016) [sssd[be[MYDOMAIN]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [###########################-200676] to a UNIX ID
>(Tue Sep 20 14:39:52 2016) [sssd[be[MYDOMAIN]]] [sdap_save_user] (0x0040): Failed to save user [12345]
>
>
>However, after upgrading to version sssd-1.13.3-22.el6_8.4.x86_64 the problem disappears (no other changes to the config have been made).
>Note: I manually deleted the sss cache in /var/lib/sss/db before restarting with the new version:
>
>sssd-1.13.3-22.el6_8.4.x86_64 domain mapping:
>(Wed Sep 21 09:18:30 2016) [sssd[be[MYDOMAIN]]] [sdap_idmap_init] (0x0100): Initializing [1] domains for ID-mapping
>(Wed Sep 21 09:18:30 2016) [sssd[be[MYDOMAIN]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-1000884740-1136923486-3828131906] as slice [9122]
>(Wed Sep 21 09:18:30 2016) [sssd[be[MYDOMAIN]]] [sysdb_idmap_dn] (0x4000): objectSID=###################-3828131906,cn=id_mappings,cn=MYDOMAIN,cn=sysdb
>
>
>sssd-1.13.3-22.el6_8.4.x86_64 successful attempt:
>(Wed Sep 21 09:38:59 2016) [sssd[be[MYDOMAIN]]] [sdap_save_user] (0x1000): Mapping user [12345] objectSID [###########################-200676] to unix ID
>(Wed Sep 21 09:38:59 2016) [sssd[be[MYDOMAIN]]] [sdap_save_user] (0x2000): Adding originalDN [CN=12345,OU=Users,OU=WAVE,OU=BusinessUnits,DC=MYDOMAIN] to attributes of [12345].
>(Wed Sep 21 09:38:59 2016) [sssd[be[MYDOMAIN]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [12354].
>
>
>According to the docs, the defaults for ldap_idmap_range_min, ldap_idmap_range_max and ldap_idmap_range_size haven't changed between versions.
>
>While the issue is resolved, i.e. users with a RID in excess of 200,000 can authenticate, I'm not clear why this now works and want to ensure I won't hit another limit in the near future. I'd like to avoid changing the mapping parameters, as this alters the uid mapping and there will be a big task to clean up permissions on the file system.
>
>Can anyone work out why this now works?
>
Because ticket https://fedorahosted.org/sssd/ticket/2188 was implemented in upstream sssd-1.13.4 (but it is also in el6.8).

Here is a link to the design page: https://fedorahosted.org/sssd/wiki/DesignDocs/IdmapAutoAssignNewSlices

If you would like to have the older behaviour, compatible with older versions of sssd, then you need to change the value of the option ldap_idmap_helper_table_size from the default 10 -> 0.

LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
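To put numbers on the slice arithmetic behind the two log excerpts in the thread, here is an added example written for this page; it is not SSSD's libsss_idmap code and not from either poster. It models algorithmic ID mapping with the default ranges the thread names (ldap_idmap_range_min 200000, ldap_idmap_range_max 2000200000, ldap_idmap_range_size 200000): a RID below the range size lands in the domain's primary slice, a larger RID such as 200676 needs a secondary slice, and with ldap_idmap_helper_table_size set to 0 the model refuses it, which is the shape of the 1.9.2 failure. The hash (MurmurHash3 x86_32 with seed 0xdeadbeef), the slice formula, the linear probing on collision, the "<domain SID>-<n>" key for secondary slices, and the way helper_table_size limits the reverse (UID to SID) lookup are all assumptions of this model; the primary slice it computes for the domain SID from the log will not necessarily be 9122.

```python
# Added example, not SSSD's code: a model of algorithmic SID -> UID mapping
# (ldap_id_mapping = True) built from the defaults quoted in the thread.
# Assumptions (not taken from libsss_idmap): the hash is MurmurHash3 x86_32
# with seed 0xdeadbeef, a slice is hash % number_of_slices with linear
# probing on collision, secondary slices for RIDs >= range_size are keyed
# "<domain SID>-<n>", and helper_table_size bounds the reverse lookup.

RANGE_MIN = 200000          # ldap_idmap_range_min (default)
RANGE_MAX = 2000200000      # ldap_idmap_range_max (default)
RANGE_SIZE = 200000         # ldap_idmap_range_size (default)
SEED = 0xdeadbeef           # assumed hash seed
MASK32 = 0xffffffff


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's reference algorithm), 32-bit result."""
    c1, c2 = 0xcc9e2d51, 0x1b873593
    h = seed & MASK32
    n_blocks = len(data) // 4
    for i in range(n_blocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xe6546b64) & MASK32
    tail = data[4 * n_blocks:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
    h ^= len(data)                      # finalisation mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85ebca6b) & MASK32
    h ^= h >> 13
    h = (h * 0xc2b2ae35) & MASK32
    h ^= h >> 16
    return h


class IdmapError(Exception):
    pass


class IdMapper:
    def __init__(self, range_min=RANGE_MIN, range_max=RANGE_MAX,
                 range_size=RANGE_SIZE, helper_table_size=10):
        self.range_min = range_min
        self.range_size = range_size
        self.num_slices = (range_max - range_min) // range_size   # 10000 by default
        self.helper_table_size = helper_table_size
        self.used = set()        # slice numbers already handed out
        self.domains = {}        # domain SID -> [primary slice, secondary slices...]

    def _pick_slice(self, key: str) -> int:
        # Assumed: hash the key, then probe upwards until a free slice is found.
        s = murmurhash3_x86_32(key.encode(), SEED) % self.num_slices
        while s in self.used:
            s = (s + 1) % self.num_slices
        self.used.add(s)
        return s

    def add_domain(self, dom_sid: str) -> int:
        """Reserve the domain's primary slice; returns the slice number."""
        if dom_sid not in self.domains:
            self.domains[dom_sid] = [self._pick_slice(dom_sid)]
        return self.domains[dom_sid][0]

    def sid_to_unix(self, object_sid: str) -> int:
        dom_sid, rid_text = object_sid.rsplit("-", 1)
        rid = int(rid_text)
        slices = self.domains.get(dom_sid)
        if slices is None:
            raise IdmapError(f"Unknown domain for objectSID [{object_sid}]")
        index, offset = divmod(rid, self.range_size)   # which slice, and where in it
        if index >= len(slices):
            if self.helper_table_size == 0:
                # No secondary slices: the RID does not fit the primary slice.
                raise IdmapError(f"Could not convert objectSID [{object_sid}] to a UNIX ID")
            # Assumed: secondary slices are created on demand, derived from the domain SID.
            while len(slices) <= index:
                slices.append(self._pick_slice(f"{dom_sid}-{len(slices)}"))
        return self.range_min + slices[index] * self.range_size + offset

    def unix_to_sid(self, uid: int) -> str:
        slice_no, offset = divmod(uid - self.range_min, self.range_size)
        for dom_sid, slices in self.domains.items():
            # Assumed: the reverse path searches only the primary slice and
            # the first helper_table_size secondary slices.
            for index, s in enumerate(slices[:1 + self.helper_table_size]):
                if s == slice_no:
                    return f"{dom_sid}-{index * self.range_size + offset}"
        raise IdmapError(f"Could not convert UNIX ID [{uid}] to a SID")


def try_map(mapper: IdMapper, object_sid: str):
    """Return the UID, or None where the mapper fails (the shape of the 1.9.2 log)."""
    try:
        return mapper.sid_to_unix(object_sid)
    except IdmapError:
        return None


if __name__ == "__main__":
    dom = "S-1-5-21-1000884740-1136923486-3828131906"   # domain SID from the log
    for table in (10, 0):
        m = IdMapper(helper_table_size=table)
        print(f"helper_table_size={table}: primary slice {m.add_domain(dom)}")
        for rid in (1000, 200676):
            print(f"  RID {rid}: uid {try_map(m, f'{dom}-{rid}')}")
```

Running it prints a primary slice for the domain, a UID for RID 1000 in that slice, a UID for RID 200676 in a different slice when the helper table is enabled, and None for RID 200676 when helper_table_size is 0; the slice number will differ from SSSD's 9122 unless the assumed hash and formula happen to match.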