On Wed, Oct 15, 2014 at 10:08:44AM +0530, Prajwal Kumar wrote:
> Hi,
>
> I recently upgraded to 1.11.7 on my RHEL 6.5 box and have a problem getting
> sssd to work as the conversion from objectSID to Unix IDs fails. With a debug
> level of 9 (this is the same config that worked in previous versions <
> 1.11.7 against the same AD forest), I see the below in sssd domain logs:
>
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_get_primary_name]
> (0x0400): Processing object chantri
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0400):
> Processing user chantri
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x1000):
> Mapping user [chantri] objectSID
> [S-1-5-21-1611181143-1305343219-1050001001-2353897] to unix ID
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix]
> (0x0080): Could not convert objectSID
> [S-1-5-21-1611181143-1305343219-1050001001-2353897] to a UNIX ID
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0020):
> Failed to save user [chantri]
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_users] (0x0040):
> Failed to store user 0. Ignoring.
>
> I tried with both the AD and LDAP providers but get the same error. I'm
> mostly using the defaults in the domains section of sssd.conf. Snippet
> below:
>
> [domain/test]
> id_provider = ad
> access_provider = ad
> ad_server = example.test.abcd.com
> ad_domain = test.abcd.com
> ldap_id_mapping = true
> dyndns_update = false
> krb5_keytab = /etc/sssd/abcd.keytab
> ldap_schema = ad
> ldap_idmap_default_domain = test.abcd.com
>
> Would appreciate if you could provide some guidance here. Do I have to
> tweak the idmap ranges with v1.11.7? The RIDs in my AD forest are in the
> 200k to 3000k range.

That's most probably the cause of the issue, you should try to set
ldap_idmap_range_size to 3000000 (or even 4000000 to be on the safe
side).

What surprises me is that it worked before. What version of SSSD did you
use before?

bye,
Sumit
>
> Best Regards,
> Prajwal Kumar
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
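
The range check discussed in this thread, as an added example (not part of the original messages and not SSSD's own code): it pulls the RIDs out of failed `sdap_idmap_sid_to_unix` log lines and works out an `ldap_idmap_range_size` that covers them. It assumes the defaults documented in sssd-ldap(5) and a mapping in which a RID must be smaller than the range size; the function names and the third log line are constructed.

```python
import re

# Constructed sample modelled on the debug output quoted above (wrapped lines
# rejoined). The third line, with RID 2981204, is invented for illustration.
SAMPLE_LOG = """\
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x1000): Mapping user [chantri] objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to unix ID
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to a UNIX ID
(Mon Oct 13 16:03:33 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1611181143-1305343219-1050001001-2981204] to a UNIX ID
"""

# Assumed defaults for ldap_idmap_range_min / _max / _size, per sssd-ldap(5).
RANGE_MIN, RANGE_MAX, RANGE_SIZE = 200000, 2000200000, 200000

FAILED = re.compile(
    r"\[sdap_idmap_sid_to_unix\].*Could not convert objectSID \[(S-1-[\d-]+)\]")


def failed_rids(log_text):
    """Return the sorted, de-duplicated RIDs of SIDs that failed to map."""
    return sorted({int(m.group(1).rsplit("-", 1)[1])
                   for m in FAILED.finditer(log_text)})


def rid_fits(rid, range_size=RANGE_SIZE):
    """Assumption: a RID is mappable only if it is below the per-domain slice size."""
    return 0 <= rid < range_size


def slice_count(range_size, range_min=RANGE_MIN, range_max=RANGE_MAX):
    """Number of domain slices the overall ID range can hold at this size."""
    return (range_max - range_min) // range_size


def suggest_range_size(highest_rid, step=1_000_000):
    """Smallest multiple of `step` strictly greater than the highest RID."""
    return (highest_rid // step + 1) * step


if __name__ == "__main__":
    rids = failed_rids(SAMPLE_LOG)
    size = suggest_range_size(max(rids))
    for rid in rids:
        print(f"RID {rid}: fits default={rid_fits(rid)}, fits {size}={rid_fits(rid, size)}")
    print(f"ldap_idmap_range_size = {size}  ({slice_count(size)} domain slices)")
```

Changing the ID-mapping options changes the UIDs and GIDs SSSD generates, so the SSSD cache has to be removed after adjusting the range size.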