On Wed, Oct 15, 2014 at 10:08:44AM +0530, Prajwal Kumar wrote:
Hi,
I recently upgraded to 1.11.7 on my RHEL 6.5 box and have a problem getting
sssd to work as the conversion from objectSID to Unix IDs fails. With a debug
level of 9 (this is the same config that worked in previous versions <
1.11.7 against the same AD forest), I see the below in sssd domain logs:
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_get_primary_name] (0x0400): Processing object chantri
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0400): Processing user chantri
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x1000): Mapping user [chantri] objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to unix ID
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to a UNIX ID
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0020): Failed to save user [chantri]
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
I tried with both the AD and LDAP providers but get the same error. I'm
mostly using the defaults in the domains section of sssd.conf. Snippet
below:
[domain/test]
id_provider = ad
access_provider = ad
ad_server = example.test.abcd.com
ad_domain = test.abcd.com
ldap_id_mapping = true
dyndns_update = false
krb5_keytab = /etc/sssd/abcd.keytab
ldap_schema = ad
ldap_idmap_default_domain = test.abcd.com
Would appreciate if you could provide some guidance here. Do I have to
tweak the idmap ranges with v1.11.7? The RIDs in my AD forest are in the
200k to 3000k range.
That's most probably the cause of the issue, you should try to set
ldap_idmap_range_size to 3000000 (or even 4000000 to be on the safe
side).
What surprises me is that it worked before. What version of SSSD did you
use before?
bye,
Sumit
Best Regards,
Prajwal Kumar
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
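
The range check discussed in this thread, as an added example (not part of the original messages and not SSSD's own code): it splits an objectSID into domain SID and RID, tests whether the RID fits inside one ID-mapping slice, and shows how a larger ldap_idmap_range_size reduces the number of slices. Assumptions: the default values are the ones documented in sssd-ldap(5), and slice_index is a hypothetical parameter standing in for the slice SSSD selects for the domain.

```python
import re

# Assumed defaults, taken from sssd-ldap(5); they are not stated in the thread.
DEFAULT_RANGE_MIN = 200_000
DEFAULT_RANGE_MAX = 2_000_200_000
DEFAULT_RANGE_SIZE = 200_000

# Domain account SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain user or group SID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return sid.strip().rsplit("-", 1)[0], int(m.group(1))


def rid_fits(sid, range_size=DEFAULT_RANGE_SIZE):
    """A RID can only be mapped if it is smaller than the slice size."""
    return split_sid(sid)[1] < range_size


def slice_count(range_size, range_min=DEFAULT_RANGE_MIN,
                range_max=DEFAULT_RANGE_MAX):
    """Number of domain slices left in the ID space for this slice size."""
    return (range_max - range_min) // range_size


def unix_id(sid, slice_index, range_size, range_min=DEFAULT_RANGE_MIN):
    """ID = start of the domain's slice + RID. slice_index is an input here
    (hypothetical parameter); SSSD derives the slice from the domain SID."""
    _, rid = split_sid(sid)
    if rid >= range_size:
        raise ValueError(f"RID {rid} does not fit range size {range_size}")
    if not 0 <= slice_index < slice_count(range_size, range_min):
        raise ValueError("slice index outside the configured ID space")
    return range_min + slice_index * range_size + rid


if __name__ == "__main__":
    # SID copied from the log lines in the thread.
    sid = "S-1-5-21-1611181143-1305343219-1050001001-2353897"
    for size in (DEFAULT_RANGE_SIZE, 3_000_000, 4_000_000):
        print(size, "fits" if rid_fits(sid, size) else "too small",
              "slices:", slice_count(size))
```

Because the mapped ID depends on the slice size, changing ldap_idmap_range_size also changes the IDs of users and groups that were already mapped with the old value.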