Hi,
I recently upgraded to 1.11.7 on my RHEL 6.5 box and have a problem getting sssd to work, as the conversion from objectSID to Unix IDs fails. With a debug level of 9 (this is the same config that worked in previous versions < 1.11.7 against the same AD forest), I see the below in the sssd domain logs:
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_get_primary_name] (0x0400): Processing object chantri
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0400): Processing user chantri
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x1000): Mapping user [chantri] objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to unix ID
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to a UNIX ID
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0020): Failed to save user [chantri]
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
I tried with both the AD and LDAP providers but get the same error. I'm mostly using the defaults in the domains section of sssd.conf. Snippet below:
[domain/test]
id_provider = ad
access_provider = ad
ad_server = example.test.abcd.com
ad_domain = test.abcd.com
ldap_id_mapping = true
dyndns_update = false
krb5_keytab = /etc/sssd/abcd.keytab
ldap_schema = ad
ldap_idmap_default_domain = test.abcd.com
Would appreciate if you could provide some guidance here. Do I have to tweak the idmap ranges with v1.11.7? The RIDs in my AD forest are in the 200k to 3000k range.
Best Regards, Prajwal Kumar
On Wed, Oct 15, 2014 at 10:08:44AM +0530, Prajwal Kumar wrote:
> Would appreciate if you could provide some guidance here. Do I have to tweak the idmap ranges with v1.11.7? The RIDs in my AD forest are in the 200k to 3000k range.
That's most probably the cause of the issue; you should try to set ldap_idmap_range_size to 3000000 (or even 4000000 to be on the safe side).
What surprises me is that it worked before. What version of SSSD did you use before?
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi Sumit,
When I set ldap_idmap_range_size = 4000000, SSSD fails to start:
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_init] (0x0100): Initializing [6] domains for ID-mapping
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-1606980848-1965331169-1417001333] as slice [2392]
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_add_domain] (0x0020): BUG: Range maximum exceeds the global maximum: 2884232704 > 2000200000
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_init] (0x0020): Could not add domain [dbg][S-1-5-21-1606980848-1965331169-1417001333][2392] to ID map: [Invalid argument]
(Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [load_backend_module] (0x0010): Error (22) in module (ad) initialization (sssm_ad_id_init)!
I have used v1.9.6 and v1.11.6 with the same configuration and both worked. The reason I upgraded to v1.11.7 was due to a bug. Details here: https://fedorahosted.org/sssd/ticket/2448
Appreciate your help!
Best Regards, Prajwal Kumar +91-9886213418
On Wed, Oct 15, 2014 at 1:10 PM, Sumit Bose sbose@redhat.com wrote:
> That's most probably the cause of the issue, you should try to set ldap_idmap_range_size to 3000000 (or even 4000000 to be on the safe side).
> What surprises me is that it worked before. What version of SSSD did you use before?
On (15/10/14 22:39), Prajwal Kumar wrote:
> Hi Sumit,
> When I set ldap_idmap_range_size = 4000000, SSSD fails to start:
> (Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_init] (0x0100): Initializing [6] domains for ID-mapping
> (Wed Oct 15 12:29:52 2014) [sssd[be[dbg]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-1606980848-1965331169-1417001333] as slice [2392]
^^^^ This number should not be higher than 500.
Explanation: the default value of ldap_idmap_range_min is 200,000; the default value of ldap_idmap_range_max is 2,000,200,000; the difference is 2,000,000,000.
You modified ldap_idmap_range_size to the value 4,000,000 * this option specifies the number of IDs available for each slice.
We have space for 2,000,000,000 IDs and each slice can contain 4,000,000 IDs. So there is space for 500 slices. The log file shows that sssd tried to store the SID into slice number 2392.
man sssd-ldap says (section ID MAPPING): "Please note that changing the ID mapping related configuration options will cause user and group IDs to change. At the moment, SSSD does not support changing IDs, so the SSSD database must be removed."
Please try to remove the sssd cache (rm -f /var/lib/sss/db/*). I hope the problem will be fixed after starting sssd with a clean cache.
LS
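The slice arithmetic LS walks through above, and the ldap_idmap_range_size suggestion Sumit made earlier in the thread, as an added worked example. This is not code from SSSD and was not posted by anyone in the thread: the constants are the sssd-ldap defaults quoted by LS, the SIDs are the ones from Prajwal's logs, and the way SSSD itself chooses a slice number for a domain (a hash of the domain SID, which is what the cache remembers) is not reproduced, so the slice number is an input to the functions.

```python
"""Worked check of SSSD's ID-mapping (idmap) arithmetic with the values from
this thread. Added example, not code from SSSD or from the thread's authors.

Assumptions (from the sssd-ldap man page and LS's explanation):
  * the ID space [ldap_idmap_range_min, ldap_idmap_range_max) is cut into
    consecutive slices of ldap_idmap_range_size IDs each;
  * slice N covers range_min + N*range_size .. range_min + (N+1)*range_size - 1;
  * a user's UID is the base of its domain's slice plus the RID (the last SID
    component), so the RID must be smaller than range_size.
How SSSD assigns a slice number to a domain is NOT reproduced here.
"""
from typing import Optional, Tuple

# sssd.conf defaults for the ID MAPPING options (sssd-ldap man page, 1.11).
DEFAULT_RANGE_MIN = 200_000
DEFAULT_RANGE_MAX = 2_000_200_000
DEFAULT_RANGE_SIZE = 200_000


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an objectSID string into (domain SID, RID).

    "S-1-5-21-1611181143-1305343219-1050001001-2353897"
      -> ("S-1-5-21-1611181143-1305343219-1050001001", 2353897)
    """
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def slice_count(range_min: int, range_max: int, range_size: int) -> int:
    """Number of whole slices that fit between range_min and range_max."""
    if range_size <= 0 or range_max <= range_min:
        raise ValueError("range_max must exceed range_min and range_size must be > 0")
    return (range_max - range_min) // range_size


def slice_bounds(slice_num: int, range_min: int, range_size: int) -> Tuple[int, int]:
    """First and last UID/GID covered by a slice."""
    low = range_min + slice_num * range_size
    return low, low + range_size - 1


def slice_is_valid(slice_num: int, range_min: int, range_max: int, range_size: int) -> bool:
    """The condition behind 'Range maximum exceeds the global maximum': the
    slice must lie entirely inside the global range. A slice number recorded
    in the cache under a smaller range_size (2392 when only 500 slices
    exist) fails this check, which is why the cache has to be removed."""
    _, high = slice_bounds(slice_num, range_min, range_size)
    return 0 <= slice_num and high < range_max


def sid_to_uid(sid: str, slice_num: int,
               range_min: int = DEFAULT_RANGE_MIN,
               range_max: int = DEFAULT_RANGE_MAX,
               range_size: int = DEFAULT_RANGE_SIZE) -> Optional[int]:
    """Map an objectSID to a UID given its domain's slice, or None when the
    mapping cannot be done (the 'Could not convert objectSID' case)."""
    _, rid = split_sid(sid)
    if not slice_is_valid(slice_num, range_min, range_max, range_size):
        return None
    if rid >= range_size:  # RID would spill past the end of the slice
        return None
    return range_min + slice_num * range_size + rid


if __name__ == "__main__":
    user_sid = "S-1-5-21-1611181143-1305343219-1050001001-2353897"  # from the thread
    # Defaults: 10000 slices of 200000 IDs; RID 2353897 cannot fit -> None,
    # the failure in the first log excerpt.
    print(slice_count(DEFAULT_RANGE_MIN, DEFAULT_RANGE_MAX, DEFAULT_RANGE_SIZE))
    print(sid_to_uid(user_sid, slice_num=2392))
    # range_size 4000000: only 500 slices, so a cached slice 2392 is rejected
    # at startup, the failure in the second log excerpt...
    print(slice_is_valid(2392, DEFAULT_RANGE_MIN, DEFAULT_RANGE_MAX, 4_000_000))
    # ...while any slice below 500 maps the user.
    print(sid_to_uid(user_sid, slice_num=499, range_size=4_000_000))
```

Two things the numbers make visible: a RID has to be strictly smaller than ldap_idmap_range_size (a forest whose RIDs really reach 3000k needs more than 3000000, hence the "4000000 to be on the safe side"), and enlarging range_size shrinks the number of slices, so every slice number the old cache recorded is suspect, not just the ones that now fall outside the range.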