On (12/01/16 14:00), hsc(a)miracle.dk wrote:
>Hi
>I have two users in the AD. Only one of them can log in with ssh or su on the Linux server.
>The user admjoin is the one who made the "realm join" and he can log in:
>/var/log/sssd/sssd_corp.acme.com.log:
>Mapping user [AdmJoin] objectSID [S-1-5-21-2031436270-1094658265-1854952973-140256] to unix ID
>Adding original memberOf attributes to [AdmJoin].
>And avgjoe cannot log in:
>Mapping user [AvgJoe] objectSID [S-1-5-21-2031436270-1094658265-1854952973-340002] to unix ID
>Could not convert objectSID [S-1-5-21-2031436270-1094658265-1854952973-340002] to a UNIX ID
because the RID (relative ID) of the user's SID is too big.
The default value of the range size (ldap_idmap_range_size)
is 200000, so this user does not fit there.
You can increase ldap_idmap_range_size to a bigger value,
but you will need to remove the sssd cache after changing
idmap settings. This will result in different UIDs/GIDs for users.
@see also
man sssd-ldap -> ldap_idmap_range_size
man sssd-ldap -> ID MAPPING -> 3rd paragraph
LS
>Why can user avgjoe not log in?
>(and why are the ObjectSIDs the same (if relevant)?)
>
>Note that when doing a "su - avgjoe" the AD converts it to AvgJoe in the log file, as defined on the AD server.
>
>I guess there are around 20000 users defined in the AD. User AdmJoin was created when the system was set up, and user AvgJoe was added recently (he might have a very high numeric id).
>
>[sssd]
>domains = corp.acme.com
>config_file_version = 2
>services = nss, pam, ssh, sudo
>debug_level = 7
>
>[domain/corp.acme.com]
>ad_domain = corp.acme.com
>krb5_realm = CORP.ACME.COM
>realmd_tags = manages-system joined-with-samba
>#cache_credentials = True
>cache_credentials = False
>id_provider = ad
>krb5_store_password_if_offline = True
>default_shell = /bin/bash
>ldap_id_mapping = True
>use_fully_qualified_names = False
>fallback_homedir = /home/%d/%u
>access_provider = ad
>debug_level = 7
>ldap_idmap_range_min = 200000
>ldap_idmap_range_max = 2000200000
>ldap_idmap_range_size = 200000
>
>Any help is much appreciated.
>
>best regards
>Hans
>_______________________________________________
>sssd-users mailing list
>sssd-users(a)lists.fedorahosted.org
>https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
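To make the arithmetic in LS's answer concrete, here is an added example (not code from the thread or from sssd itself) that pulls the RID out of the logged objectSIDs, checks it against ldap_idmap_range_size using the settings from Hans's sssd.conf, and computes a UID under a simplified model of sssd's mapping. The slice index passed to map_uid is a constructed stand-in for the slice sssd derives by hashing the domain SID, and the log lines are constructed from the excerpt above.

```python
import re

# Settings copied from the [domain/corp.acme.com] section quoted in the thread.
IDMAP = {"range_min": 200000, "range_max": 2000200000, "range_size": 200000}
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")
LOG_RE = re.compile(r"Mapping user \[(\w+)\] objectSID \[(S-[\d-]+)\]")

def split_sid(sid):
    """Return (domain_sid, rid) for an AD account SID S-1-5-21-a-b-c-RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an AD account SID: {sid}")
    return m.group(1), int(m.group(2))

def rid_fits(rid, settings=IDMAP):
    """A RID is only mappable if it is smaller than the per-domain slice size."""
    return rid < settings["range_size"]

def slice_count(settings=IDMAP):
    """How many slices of range_size fit between range_min and range_max."""
    return (settings["range_max"] - settings["range_min"]) // settings["range_size"]

def map_uid(sid, slice_index, settings=IDMAP):
    """UID = range_min + slice_index * range_size + RID (simplified model of the
    sssd idmap). sssd picks slice_index by hashing the domain SID; here the
    caller supplies it (constructed for illustration, not sssd's hash)."""
    _, rid = split_sid(sid)
    if not rid_fits(rid, settings):
        raise ValueError(f"RID {rid} >= ldap_idmap_range_size {settings['range_size']}")
    if not 0 <= slice_index < slice_count(settings):
        raise ValueError("slice index outside the configured range")
    return settings["range_min"] + slice_index * settings["range_size"] + rid

def unmappable_users(log_lines, settings=IDMAP):
    """Scan sssd domain-log lines; return {user: rid} for RIDs that do not fit."""
    bad = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            name, sid = m.groups()
            _, rid = split_sid(sid)
            if not rid_fits(rid, settings):
                bad[name] = rid
    return bad

# Constructed log lines modelled on the excerpt quoted in the thread.
SAMPLE_LOG = [
    "Mapping user [AdmJoin] objectSID [S-1-5-21-2031436270-1094658265-1854952973-140256] to unix ID",
    "Mapping user [AvgJoe] objectSID [S-1-5-21-2031436270-1094658265-1854952973-340002] to unix ID",
]
```

Running unmappable_users(SAMPLE_LOG) flags AvgJoe (RID 340002) while AdmJoin (RID 140256) fits; re-running with range_size raised above 340002 flags nobody, which is the change LS suggests, with the cache-removal and UID-change caveat that goes with it.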