[SSSD-users] Re: Could not convert objectSID [...] to a UNIX ID

On (12/01/16 14:00), hsc(a)miracle.dk wrote: because RID (relative ID) of user SID is too big. The default value of range size (ldap_idmap_range_size) is 200000. So this user does not fit there. You can increase ldap_idmap_range_size to bigger value, but you will need to remove sssd cache after changing idmap settings. This will results in different UID/GID of users. @see also man sssd-ldap -> ldap_idmap_range_size man sssd-ldap -> ID MAPPING -> 3rd paragraph LS >Why can user avgjoe not log in? >(and why are the ObjectSID the same (if relevant)?) > >Note that when doing a "su - avgjoe" the AD converts it to AvgJoe in log-file, as defined on the AD-server. > >I guess there is around 20000 users defined in the AD. User AdmJoin was created when the system was setup, and user AvgJoe is added recently (he might have a very high numeric id). > >[sssd] >domains = corp.acme.com >config_file_version = 2 >services = nss, pam, ssh, sudo >debug_level = 7 > >[domain/corp.acme.com] >ad_domain = corp.acme.com >krb5_realm = CORP.ACME.COM >realmd_tags = manages-system joined-with-samba >#cache_credentials = True >cache_credentials = False >id_provider = ad >krb5_store_password_if_offline = True >default_shell = /bin/bash >ldap_id_mapping = True >use_fully_qualified_names = False >fallback_homedir = /home/%d/%u >access_provider = ad >debug_level = 7 >ldap_idmap_range_min = 200000 >ldap_idmap_range_max = 2000200000 >ldap_idmap_range_size = 200000 > >Any help is much appreciated. > >best regards >Hans >_______________________________________________ >sssd-users mailing list >sssd-users(a)lists.fedorahosted.org >https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org