I have what I think is an odd situation.  One of the users I support is complaining that he is unable to log in to his domain-member Linux system.  After enabling debug logging, I've found the error "Could not convert objectSID ... to a UNIX ID" in the logs.  The RID is greater than 200000, so I believe I need to adjust the allowed range and delete the sssd cache, and then fix all of the files on the filesystem which are owned by domain users.

The first odd part is that the user is actually able to log in to this system for a while, and is able to log in to other hosts that are also running sssd-1.16.2-13.el7_6.8.x86_64 on CentOS 7.6.  If I can figure out why that is, I hope that leads us to a solution that isn't as intrusive as the one described above.  Does anyone have a guess why this might only affect one host right now, and only after a few days of use?

I'm not sure why our RIDs would be unusually large, unless it is because we have users that create short-lived VMs, join them to the domain, and then destroy them very frequently.  What is the recommended practice for domains with large and rapidly incrementing RIDs?

What are the implications of increasing the ID map range?  At one point in troubleshooting, we saw this in the log.  Does increasing the range come at a memory cost?

(Fri Jul 26 14:31:52 2019) [sssd[be[business.com]]] [dp_module_run_constructor] (0x0010): Module [ad] constructor failed [12]: Cannot allocate memory



(Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=newish_user)(objectclass=user)(objectSID=*))][DC=business,DC=com].
(Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_save_user] (0x0400): Save user
(Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_get_primary_name] (0x0400): Processing object newish_user
(Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_save_user] (0x0400): Processing user newish_u...@business.com
(Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-xxxx-xxxx-xxxx-257746] to a UNIX ID
(Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_save_user] (0x0020): Failed to save user [newish_u...@business.com]