Hi Sumit,

When I set ldap_idmap_range_size = 4000000, SSSD fails to start:

(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_init] (0x0100): Initializing [6] domains for ID-mapping
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-1606980848-1965331169-1417001333] as slice [2392]
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_add_domain] (0x0020): BUG: Range maximum exceeds the global maximum: 2884232704 > 2000200000
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_init] (0x0020): Could not add domain [dbg][S-1-5-21-1606980848-1965331169-1417001333][2392] to ID map: [Invalid argument]
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [load_backend_module] (0x0010): Error (22) in module (ad) initialization (sssm_ad_id_init)!
I have used v1.9.6 and v1.11.6 with the same configuration and both worked. The reason I upgraded to v1.11.7 was due to a bug. Details here: https://fedorahosted.org/sssd/ticket/2448 

Appreciate your help!
Best Regards,
Prajwal Kumar
+91-9886213418

On Wed, Oct 15, 2014 at 1:10 PM, Sumit Bose <sbose@redhat.com> wrote:
On Wed, Oct 15, 2014 at 10:08:44AM +0530, Prajwal Kumar wrote:
> Hi,
>
> I recently upgraded to 1.11.7 on my RHEL 6.5 box and have a problem getting
> sssd to work as the conversion from objectSID to Unix IDs fails. With a debug
> level of 9 (this is the same config that worked in previous versions <
> 1.11.7 against the same AD forest), I see the below in sssd domain logs:
>
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_get_primary_name] (0x0400): Processing object chantri
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0400): Processing user chantri
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x1000): Mapping user [chantri] objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to unix ID
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to a UNIX ID
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0020): Failed to save user [chantri]
> (Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
>
> I tried with both the AD and LDAP providers but get the same error. I'm
> mostly using the defaults in the domains section of sssd.conf. Snippet
> below:
>
>  [domain/test]
>  id_provider = ad
>  access_provider = ad
>  ad_server = example.test.abcd.com
>  ad_domain = test.abcd.com
>  ldap_id_mapping = true
>  dyndns_update = false
>  krb5_keytab = /etc/sssd/abcd.keytab
>  ldap_schema = ad
>  ldap_idmap_default_domain = test.abcd.com
>
> Would appreciate if you could provide some guidance here. Do I have to
> tweak the idmap ranges with v1.11.7? The RIDs in my AD forest are in the
> 200k to 3000k range.

That's most probably the cause of the issue, you should try to set
ldap_idmap_range_size to 3000000 (or even 4000000 to be on the safe
side).

What surprises me is that it worked before. What version of SSSD did you
use before?

bye,
Sumit

>
> Best Regards,
> Prajwal Kumar

> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users

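The arithmetic behind both failures in this thread (a RID larger than the slice size, and a slice number that no longer fits once the slice size is raised), as an added Python example that is not SSSD's own code. It assumes the documented defaults of ldap_idmap_range_min (200000), ldap_idmap_range_max (2000200000, the global maximum quoted in the log) and ldap_idmap_range_size (200000), and a simplified form of the range check; it does not reproduce the exact number printed by SSSD.

```python
# Defaults of ldap_idmap_range_min / _max / _size from sssd.conf(5), assumed here
# because the thread relies on them; the global maximum matches the log (2000200000).
DEFAULT_RANGE_MIN = 200000
DEFAULT_RANGE_MAX = 2000200000
DEFAULT_RANGE_SIZE = 200000
UINT32_MAX = 2**32 - 1  # POSIX UIDs/GIDs are 32-bit on Linux


def slice_count(range_min=DEFAULT_RANGE_MIN, range_max=DEFAULT_RANGE_MAX,
                range_size=DEFAULT_RANGE_SIZE):
    """How many slices of range_size fit between the global minimum and maximum."""
    return (range_max - range_min) // range_size


def slice_bounds(slice_num, range_min=DEFAULT_RANGE_MIN, range_size=DEFAULT_RANGE_SIZE):
    """Inclusive (start, end) POSIX ID bounds of one domain slice."""
    start = range_min + slice_num * range_size
    return start, start + range_size - 1


def check_slice(slice_num, range_min=DEFAULT_RANGE_MIN, range_max=DEFAULT_RANGE_MAX,
                range_size=DEFAULT_RANGE_SIZE):
    """None if the slice fits; otherwise a message in the spirit of the
    'Range maximum exceeds the global maximum' check seen in the log."""
    _, end = slice_bounds(slice_num, range_min, range_size)
    if end + 1 > range_max:
        return f"range maximum exceeds the global maximum: {end + 1} > {range_max}"
    if end > UINT32_MAX:
        return f"range end {end} does not fit in a 32-bit POSIX ID"
    return None


def map_rid(rid, slice_num, range_min=DEFAULT_RANGE_MIN, range_size=DEFAULT_RANGE_SIZE):
    """POSIX ID for a RID inside the slice, or None if the RID exceeds the slice size."""
    if rid >= range_size:
        return None  # why RID 2353897 cannot be mapped with the 200000 default
    start, _ = slice_bounds(slice_num, range_min, range_size)
    return start + rid


if __name__ == "__main__":
    RID = 2353897  # RID of the objectSID in the first log excerpt
    print("default size, slice 2392:", map_rid(RID, 2392))  # None
    # a slice number allocated under the default size is out of range once slices get wider
    print("size 4000000, slice 2392:", check_slice(2392, range_size=4000000))
    print("slices available at 4000000:", slice_count(range_size=4000000))  # 500
```

With 4000000-wide slices only 500 slices fit below the default global maximum, so a slice number such as 2392 from the narrower layout cannot be valid.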