Hi Sumit,

When I set ldap_idmap_range_size = 4000000, SSSD fails to start:

(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_init] (0x0100): Initializing [6] domains for ID-mapping
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-1606980848-1965331169-1417001333] as slice [2392]
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_add_domain] (0x0020): BUG: Range maximum exceeds the global maximum: 2884232704 > 2000200000
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_init] (0x0020): Could not add domain [dbg][S-1-5-21-1606980848-1965331169-1417001333][2392] to ID map: [Invalid argument]
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [load_backend_module] (0x0010): Error (22) in module (ad) initialization (sssm_ad_id_init)!

I have used v1.9.6 and v1.11.6 with the same configuration and both worked. The reason I upgraded to v1.11.7 was due to a bug. Details here: https://fedorahosted.org/sssd/ticket/2448

Appreciate your help!

Best Regards,
Prajwal Kumar
+91-9886213418

On Wed, Oct 15, 2014 at 1:10 PM, Sumit Bose <[email protected]> wrote:

> On Wed, Oct 15, 2014 at 10:08:44AM +0530, Prajwal Kumar wrote:
> > Hi,
> >
> > I recently upgraded to 1.11.7 on my RHEL 6.5 box and have a problem
> > getting sssd to work as the conversion from objectSID to Unix IDs fails.
> > With a debug level of 9 (this is the same config that worked in previous
> > versions < 1.11.7 against the same AD forest), I see the below in sssd
> > domain logs:
> >
> > (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_get_primary_name] (0x0400): Processing object chantri
> > (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0400): Processing user chantri
> > (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x1000): Mapping user [chantri] objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to unix ID
> > (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to a UNIX ID
> > (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0020): Failed to save user [chantri]
> > (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
> >
> > I tried with both the AD and LDAP providers but get the same error. I'm
> > mostly using the defaults in the domains section of sssd.conf. Snippet
> > below:
> >
> > [domain/test]
> > id_provider = ad
> > access_provider = ad
> > ad_server = example.test.abcd.com
> > ad_domain = test.abcd.com
> > ldap_id_mapping = true
> > dyndns_update = false
> > krb5_keytab = /etc/sssd/abcd.keytab
> > ldap_schema = ad
> > ldap_idmap_default_domain = test.abcd.com
> >
> > Would appreciate if you could provide some guidance here. Do I have to
> > tweak the idmap ranges with v1.11.7? The RIDs in my AD forest are in the
> > 200k to 3000k range.
>
> That's most probably the cause of the issue, you should try to set
> ldap_idmap_range_size to 3000000 (or even 4000000 to be on the safe
> side).
>
> What surprises me is that it worked before. What version of SSSD did you
> use before?
>
> bye,
> Sumit
>
> > Best Regards,
> > Prajwal Kumar
>
> > _______________________________________________
> > sssd-users mailing list
> > [email protected]
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
