On (23/01/15 10:21), Stephen Gallagher wrote:
On Fri, 2015-01-23 at 14:39 +0100, Lukas Slebodnik wrote:
> ehlo,
>
> I was reproducing another bug and it took me some time to find out why I was not
> able to resolve the user. The RID was bigger than the range size.
>
> I saw just a general message about id mapping failure
> [sdap_save_user] (0x0400): Processing user matthewbe
> [sdap_save_user] (0x1000): Mapping user [matthewbe] objectSID
> [S-1-5-21-2997650941-1802118864-3094776726-200065] to unix ID
> [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID
> [S-1-5-21-2997650941-1802118864-3094776726-200065] to a UNIX ID
> ^^^^^^
> Default range size is 200000
> [sdap_save_user] (0x0020): Failed to save user [matthewbe]
> [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
>
>
> Feel free to propose a better debug message. I think it would simplify debugging.
I'd avoid making a recommendation about changing the range size. That
will result in any other domain having all of their IDs changed. That's
not a good situation. We should certainly log this at a very low level,
though.
As you can see from the debug message, it is almost impossible to say why converting
the objectSID failed. I have already seen such a problem in customer reports,
and a reasonable hint could speed up fixing the problem.
user issue -> bug report -> requests for log files ->
analysis of log file -> advice to increase ldap_idmap_range_size
Maybe we can recommend just doubling the value of the range size,
but the current situation isn't user friendly.
LS
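
The log analysis step described in this thread, as an added example that is not part of the original messages or of SSSD: it scans log text for the `sdap_idmap_sid_to_unix` failure line and reports whether the RID exceeds the range size. The function names, the sample log, and the rule that a RID must be below the range size are assumptions made for the example.

```python
import re

# Default named in the thread; pass the configured ldap_idmap_range_size instead.
DEFAULT_RANGE_SIZE = 200000

# The failure line quoted in the thread; \s* tolerates the SID wrapping
# onto the following line, as it does in the quoted log.
FAIL_RE = re.compile(
    r"\[sdap_idmap_sid_to_unix\].*?Could not convert objectSID\s*\[(S-1-[0-9-]+)\]"
)


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain SID, RID as int)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def explain_failures(log_text, range_size=DEFAULT_RANGE_SIZE):
    """Return (sid, rid, hint) for every failed SID conversion in log_text."""
    findings = []
    for match in FAIL_RE.finditer(log_text):
        sid = match.group(1)
        _domain, rid = split_sid(sid)
        if rid >= range_size:  # assumption: RIDs must be below the range size
            hint = "RID %d does not fit range size %d" % (rid, range_size)
        else:
            hint = "RID %d fits range size %d; look for another cause" % (rid, range_size)
        findings.append((sid, rid, hint))
    return findings


# Constructed sample: first entry uses the SID from the thread, second is made up.
SAMPLE_LOG = """\
[sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID
[S-1-5-21-2997650941-1802118864-3094776726-200065] to a UNIX ID
[sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-2997650941-1802118864-3094776726-1104] to a UNIX ID
"""

if __name__ == "__main__":
    for sid, rid, hint in explain_failures(SAMPLE_LOG):
        print("%s: %s" % (sid, hint))
```

The output is a diagnosis only; as noted in the thread, changing the range size changes the IDs of every other domain.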