On Wed, Oct 15, 2014 at 10:08:44AM +0530, Prajwal Kumar wrote:
> Hi,
>
> I recently upgraded to 1.11.7 on my RHEL 6.5 box and have a problem getting
> sssd to work as the conversion from objectSID to Unix IDs fails. With a debug
> level of 9 (this is the same config that worked in previous versions <
> 1.11.7 against the same AD forest), I see the below in sssd domain logs:
>
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_get_primary_name]
> (0x0400): Processing object chantri
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0400):
> Processing user chantri
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x1000):
> Mapping user [chantri] objectSID
> [S-1-5-21-1611181143-1305343219-1050001001-2353897] to unix ID
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix]
> (0x0080): Could not convert objectSID
> [S-1-5-21-1611181143-1305343219-1050001001-2353897] to a UNIX ID
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0020):
> Failed to save user [chantri]
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_users] (0x0040):
> Failed to store user 0. Ignoring.
>
> I tried with both the AD and LDAP providers but get the same error. I'm
> mostly using the defaults in the domains section of sssd.conf. Snippet
> below:
>
> [domain/test]
> id_provider = ad
> access_provider = ad
> ad_server = example.test.abcd.com
> ad_domain = test.abcd.com
> ldap_id_mapping = true
> dyndns_update = false
> krb5_keytab = /etc/sssd/abcd.keytab
> ldap_schema = ad
> ldap_idmap_default_domain = test.abcd.com
>
> Would appreciate if you could provide some guidance here. Do I have to
> tweak the idmap ranges with v1.11.7? The RIDs in my AD forest are in the
> 200k to 3000k range.

That's most probably the cause of the issue, you should try to set
ldap_idmap_range_size to 3000000 (or even 4000000 to be on the safe side).

What surprises me is that it worked before. What version of SSSD did you
use before?

bye,
Sumit

>
> Best Regards,
> Prajwal Kumar
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
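
A triage sketch for the failure discussed in this thread, added here as an example and not taken from SSSD or from either poster: it pulls the SIDs that `sdap_idmap_sid_to_unix` could not convert out of a debug log and computes the smallest `ldap_idmap_range_size` (in steps of one million) that holds the largest RID. It assumes the sssd-ldap(5) default range values and that a RID must be smaller than the range size to map, as the reply implies; the function names and the second log line are constructed.

```python
import re

# Assumed defaults from sssd-ldap(5); adjust if sssd.conf overrides them.
RANGE_MIN = 200_000           # ldap_idmap_range_min
RANGE_MAX = 2_000_200_000     # ldap_idmap_range_max
DEFAULT_RANGE_SIZE = 200_000  # ldap_idmap_range_size

# First entry is the log line quoted in the thread (unwrapped); the second is constructed.
SAMPLE_LOG = """\
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to a UNIX ID
(Mon Oct 13 16:03:33 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1611181143-1305343219-1050001001-204511] to a UNIX ID
"""

FAIL_RE = re.compile(
    r"\[sdap_idmap_sid_to_unix\]\s+\(0x[0-9a-f]+\):\s+Could not convert "
    r"objectSID\s+\[(S-1-[0-9-]+)\]", re.IGNORECASE)

def failed_sids(log_text):
    """Return the distinct SIDs that failed conversion, in first-seen order."""
    return list(dict.fromkeys(FAIL_RE.findall(log_text)))

def rid_of(sid):
    """The RID is the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])

def fits(rid, range_size=DEFAULT_RANGE_SIZE):
    """Assumption: a RID maps only if it is below the per-domain range size."""
    return 0 <= rid < range_size

def suggest_range_size(sids, step=1_000_000):
    """Smallest multiple of `step` strictly greater than the largest failing RID."""
    return (max(rid_of(s) for s in sids) // step + 1) * step

def domain_slices(range_size):
    """How many domains of this size fit between range_min and range_max."""
    return (RANGE_MAX - RANGE_MIN) // range_size

if __name__ == "__main__":
    sids = failed_sids(SAMPLE_LOG)
    size = suggest_range_size(sids)
    for sid in sids:
        print(sid, "fits default:", fits(rid_of(sid)),
              "fits suggested:", fits(rid_of(sid), size))
    print("ldap_idmap_range_size =", size, "->", domain_slices(size), "domain slices")
```

Per sssd-ldap(5), changing ID-mapping options changes the UIDs and GIDs that SSSD assigns, so the SSSD cache database has to be removed after such a change.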
