[Freeipa-users] Can't add AD user group to IPA group
Guertin, David S.
guertin at middlebury.edu
Wed Mar 11 17:41:04 UTC 2015
> For troubleshooting this you need to enable debug_level=10 in sssd.conf in
> domain and pam sections. Restart sssd and try to login.
OK, this has pinpointed the problem. The log file now shows:
(Wed Mar 11 11:31:01 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x1000): Mapping user [guertin-s] objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to unix ID
(Wed Mar 11 11:31:01 2015) [sssd[be[middlebury.edu]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID
It seems that this is due to incorrect ID range settings. So I have increased the ID range to 2,000,000, which ought to be enough for a RID of 245906:
# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: CSNS.MIDDLEBURY.EDU_id_range
First Posix ID of the range: 528800000
Number of IDs in the range: 2000000
First RID of the corresponding RID range: 1
First RID of the secondary RID range: 2000001
Range type: local domain range
Range name: MIDDLEBURY.EDU_id_range
First Posix ID of the range: 1000
Number of IDs in the range: 2000000
Domain SID of the trusted domain: S-1-5-21-1983215674-46037090-646806464
Range type: Active Directory trust range with POSIX attributes
----------------------------
Number of entries returned 2
----------------------------
But the problem still persists. I cannot SSH in as a user (getent passwd, id, etc. all still do show the users).
David Guertin
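As an added illustration (my own code, not from the post or from SSSD), here is a small Python model of the algorithmic SID-to-UID mapping that an IPA trust range describes: POSIX ID = first POSIX ID + (RID - base RID), valid only while that offset is inside the range size, which is the check behind the "Could not convert objectSID" line in the log. It assumes a base RID of 0 for the trust range and models only algorithmic mapping, not the POSIX-attribute range type shown in the idrange-find output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Accepts SIDs of the form S-1-<authority>-<subauth>-...-<rid>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


@dataclass
class IdRange:
    """One entry from 'ipa idrange-find', reduced to the fields the mapping needs."""
    name: str
    first_posix_id: int
    size: int
    base_rid: int = 0            # assumption: trust ranges start at RID 0
    domain_sid: Optional[str] = None   # None for the local IPA domain range


def split_sid(sid: str):
    """Split an objectSID into (domain SID, RID); reject malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def sid_to_unix_id(sid: str, ranges) -> Optional[int]:
    """Return the POSIX ID for a trusted-domain SID, or None when no range
    for that domain covers the RID (the failure the SSSD log reports)."""
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid != domain_sid:
            continue
        offset = rid - r.base_rid
        if 0 <= offset < r.size:
            return r.first_posix_id + offset
    return None


# Constructed from the MIDDLEBURY.EDU_id_range entry in the post
RANGES = [
    IdRange("MIDDLEBURY.EDU_id_range", 1000, 2000000, 0,
            "S-1-5-21-1983215674-46037090-646806464"),
]
# Same range before it was enlarged (size constructed for comparison)
SMALL_RANGES = [
    IdRange("MIDDLEBURY.EDU_id_range", 1000, 200000, 0,
            "S-1-5-21-1983215674-46037090-646806464"),
]
```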