On Tue, Jul 30, 2019 at 01:11:44PM -0700, Gordon Messmer wrote:
> I have what I think is an odd situation. One of the users I support is
> complaining that he is unable to log in to his domain-member Linux system.
> After enabling debug logging, I've found the error "Could not convert
> objectSID ... to a UNIX ID" in the logs. The RID is greater than 200000, so
> I believe I need to adjust the allowed range and delete the sssd cache, and
> then fix all of the files on the filesystem which are owned by domain users.

Hi,

the version of SSSD you are using should automatically pick a new range
if the RID is too large. Can you send your sssd.conf for a start to
better understand your setup and see what might be preventing SSSD from
picking a new range?

bye,
Sumit

>
> The first odd part is that the user is actually able to log in to this
> system for a while, and is able to log in to other hosts that are also
> running sssd-1.16.2-13.el7_6.8.x86_64 on CentOS 7.6. If I can figure out
> why that is, I hope that leads us to a solution that isn't as intrusive as
> the one described above. Does anyone have a guess why this might only
> affect one host right now, and only after a few days of use?
>
> I'm not sure why our RIDs would be unusually large, unless it is because we
> have users that create short-lived VMs, join them to the domain, and then
> destroy them very frequently. What is the recommended practice for domains
> with large and rapidly incrementing RIDs?
>
> What are the implications of increasing the ID map range? At one point in
> troubleshooting, we saw this in the log. Does increasing the range come at
> a memory cost?
> (Fri Jul 26 14:31:52 2019) [sssd[be[business.com]]]
> [dp_module_run_constructor] (0x0010): Module [ad] constructor failed [12]:
> Cannot allocate memory
>
>
>
> (Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(sAMAccountName=newish_user)(objectclass=user)(objectSID=*))][DC=business,DC=com].
> (Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_save_user]
> (0x0400): Save user
> (Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_get_primary_name]
> (0x0400): Processing object newish_user
> (Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_save_user]
> (0x0400): Processing user [email protected]
> (Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_idmap_sid_to_unix]
> (0x0080): Could not convert objectSID [S-1-5-21-xxxx-xxxx-xxxx-257746] to a
> UNIX ID
> (Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_save_user]
> (0x0020): Failed to save user [[email protected]]
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
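
Added example, not part of either message and not SSSD code: a triage script that pulls the `sdap_idmap_sid_to_unix` failures out of a backend debug log and reports, per SID, whether the RID lies beyond the 200000 threshold mentioned in the thread. The sample records and their SIDs are constructed, and `RANGE_SIZE` and the function name are assumptions of this example.

```python
import re

RANGE_SIZE = 200000  # assumption: threshold from the thread ("RID is greater than 200000")

# Failure record as quoted in the message, one log record per line.
FAIL_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<backend>[^\]]+)\]\]\] "
    r"\[sdap_idmap_sid_to_unix\] \(0x[0-9a-f]+\): "
    r"Could not convert objectSID \[(?P<sid>S-[0-9A-Za-z-]+-(?P<rid>\d+))\] to a UNIX ID"
)

# Constructed sample records modelled on the excerpt above; the SIDs are made up.
SAMPLE_LOG = """\
(Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_save_user] (0x0400): Save user
(Tue Jul 30 06:12:32 2019) [sssd[be[business.com]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1111-2222-3333-257746] to a UNIX ID
(Tue Jul 30 06:12:40 2019) [sssd[be[business.com]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1111-2222-3333-257746] to a UNIX ID
(Tue Jul 30 06:13:01 2019) [sssd[be[business.com]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1111-2222-3333-1105] to a UNIX ID
"""

def failed_sids(log_text, range_size=RANGE_SIZE):
    """Return one summary dict per distinct SID that failed to map, largest RID first."""
    seen = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if not m:
            continue
        sid = m["sid"]
        entry = seen.setdefault(sid, {
            "sid": sid, "domain_sid": sid.rpartition("-")[0], "rid": int(m["rid"]),
            "backend": m["backend"], "first_seen": m["ts"], "count": 0,
        })
        entry["count"] += 1
    for entry in seen.values():
        # A range of range_size IDs covers RIDs 0 .. range_size - 1 only.
        entry["beyond_first_range"] = entry["rid"] >= range_size
        # block: how many whole range_size blocks lie below this RID.
        entry["block"], entry["offset"] = divmod(entry["rid"], range_size)
    return sorted(seen.values(), key=lambda e: e["rid"], reverse=True)

if __name__ == "__main__":
    for e in failed_sids(SAMPLE_LOG):
        note = "RID beyond first range" if e["beyond_first_range"] else "RID fits; look elsewhere"
        print(f'{e["first_seen"]} {e["backend"]} {e["sid"]} x{e["count"]} '
              f'block={e["block"]} offset={e["offset"]}: {note}')
```

A failure on a RID below the threshold points away from the range-size explanation, so it is worth separating the two cases before changing the ID map range.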
