3:36 p.m.
I have an issue where i've established the AD trust and am able to lookup my own
account and about 30 others, but all others fail. I've compared AD attributes across
accounts and can't find anything that is notably different. I've seen messages
about making sure that groups can resolve, but I don't think that's what's
happening. I have a user account that only has one group membership and that group
resolves, but the account still is not returned on a lookup. The only common thread I can
find with the accounts that succeed is that they are older accounts - they were created a
long time ago - more recently created accounts fail. Where can I look to see what might
be happening?
3:56 p.m.
On Wed, Jul 11, 2018 at 08:36:43PM -0000, Mike Conner via FreeIPA-users wrote:
I have an issue where i've established the AD trust and am able
to lookup
my own account and about 30 others, but all others fail. I've compared
AD attributes across accounts and can't find anything that is notably
different. I've seen messages about making sure that groups can resolve,
but I don't think that's what's happening. I have a user account that only
has one group membership and that group resolves, but the account still
is not returned on a lookup. The only common thread I can find with the
accounts that succeed is that they are older accounts - they were created
a long time ago - more recently created accounts fail. Where can I look
to see what might be happening?
Are the users resolvable on the IPA server at least or do the lookups
fail on both the server an the client?
4:13 p.m.
On Wed, Jul 11, 2018 at 09:07:41PM -0000, Mike Conner via FreeIPA-users wrote:
No, the lookups fail on both the server and the client.
Can you post logs of a failing lookup on the server? You would add
debug_level to the [nss] and [domain] section in sssd.conf and run the
lookup..
4:42 p.m.
sssd_nss.log during attempted lookup of slymedia(a)grinnell.edu account:
https://pastebin.com/gLFnhZ9s
2:41 a.m.
On Wed, Jul 11, 2018 at 09:42:14PM -0000, Mike Conner via FreeIPA-users wrote:
sssd_nss.log during attempted lookup of slymedia(a)grinnell.edu
account:
https://pastebin.com/gLFnhZ9s
This is somewhat helpful, at least this snippet:
(Wed Jul 11 16:33:22 2018) [sssd[nss]] [cache_req_search_cache]
(0x0400): CR #230: Object [slymedia(a)grinnell.edu] was not found in cache
(Wed Jul 11 16:33:22 2018) [sssd[nss]]
[cache_req_search_ncache_add_to_domain] (0x0400): CR #230: Adding
[slymedia(a)grinnell.edu] to negative cache
(Wed Jul 11 16:33
Shows the user was not found. The next step are the domain logs.
8:42 a.m.
Aha!
This (from the domain log) shed some light:
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_user] (0x0400):
Processing user slymedia(a)grinnell.edu
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_user] (0x1000): Mapping
user [slymedia(a)grinnell.edu] objectSID [S-1-5-21-71189414-1642862984-1097818727-518801] to
unix ID
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_idmap_sid_to_unix] (0x0040):
Object SID [S-1-5-21-71189414-1642862984-1097818727-518801] has a RID that is larger than
the ldap_idmap_range_size. See the "ID MAPPING" section of sssd-ad(5) for an
explanation of how to resolve this issue.
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_idmap_sid_to_unix] (0x0080):
Could not convert objectSID [S-1-5-21-71189414-1642862984-1097818727-518801] to a UNIX ID
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_user] (0x0020): Failed
to save user [slymedia(a)grinnell.edu]
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_users] (0x0040): Failed
to store user 0. Ignoring.
So it looks as though I have an incorrect ID Range for these AD accounts.
I increased the number of IDs in the range for the AD domain and - low and behold, the
accounts are now resolving.
Thank you for your help!
2108
days inactive
2109
days old
freeipa-users@lists.fedorahosted.org
6 comments
2 participants
participants (2)
-
Jakub Hrozek -
Mike Conner