[Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 17 15:43:00 UTC 2015


On Tue, 17 Mar 2015, Guertin, David S. wrote:
>We have a trust relationship established between our AD domain and our IPA domain, and AD users can be found on the IPA server with id and getent passwd. When a user tries to SSH to the IPA server with AD credentials, the logs show:
>
>
>(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x0400): Processing user guertin-s
>(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x1000): Mapping user [guertin-s] objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to unix ID
>(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID
>
>It seems that this is a problem with the ID range, but I can't see where the problem is. We increased the default ranges from 200,000 to 2,000,000, which I would think should be able to handle a RID of 245906:
>
>
># ipa idrange-find --all
>----------------
>2 ranges matched
>----------------
>  dn: cn=CSNS.MIDDLEBURY.EDU_id_range,cn=ranges,cn=etc,dc=csns,dc=middlebury,dc=edu
>  Range name: CSNS.MIDDLEBURY.EDU_id_range
>  First Posix ID of the range: 1824600000
>  Number of IDs in the range: 2000000
>  First RID of the corresponding RID range: 1000
>  First RID of the secondary RID range: 100000000
>  Range type: local domain range
>  iparangetyperaw: ipa-local
>  objectclass: top, ipaIDrange, ipaDomainIDRange
>
>  dn: cn=MIDDLEBURY.EDU_id_range,cn=ranges,cn=etc,dc=csns,dc=middlebury,dc=edu
>  Range name: MIDDLEBURY.EDU_id_range
>  First Posix ID of the range: 10000
>  Number of IDs in the range: 2000000
>  Domain SID of the trusted domain: S-1-5-21-1983215674-46037090-646806464
>  Range type: Active Directory trust range with POSIX attributes
>  iparangetyperaw: ipa-ad-trust-posix
>  objectclass: ipatrustedaddomainrange, ipaIDrange
>----------------------------
>Number of entries returned 2
>----------------------------
>
>But the error remains. What am I missing?
When you changed idrange, it helps to remove SSSD cache, both on IPA
master and IPA clients and restart SSSD.

-- 
/ Alexander Bokovoy
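As an added illustration (not part of the thread and not FreeIPA or SSSD code), the script below does two things a practitioner would want here: it reproduces the RID-to-POSIX-ID arithmetic that the question is reasoning about, so one can see whether a given SID lands inside an IPA trust range, and it packages the cache flush Alexander asks for. The range values are copied from the `ipa idrange-find` output above; the RID base of 0 is an assumption, since that value applies to algorithmic `ipa-ad-trust` ranges and the page's `ipa-ad-trust-posix` range lists none. A caveat that the page does not spell out: a range of type `ipa-ad-trust-posix` takes uidNumber/gidNumber from the AD user entry rather than computing them from the SID, so the arithmetic below describes the `ipa-ad-trust` (algorithmic) case.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Range numbers are taken from the question; RID base 0 is an assumption.

# rid_of_sid SID -> prints the RID (the last hyphen-separated component).
rid_of_sid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# sid_to_unix_id BASE_ID RANGE_SIZE RID_BASE SID
# Prints BASE_ID + (RID - RID_BASE) when the RID falls inside the range;
# prints nothing and returns 1 when it does not, which is the situation
# behind a "Could not convert objectSID ... to a UNIX ID" message.
sid_to_unix_id() {
    base_id=$1; range_size=$2; rid_base=$3; sid=$4
    rid=$(rid_of_sid "$sid")
    offset=$((rid - rid_base))
    if [ "$offset" -lt 0 ] || [ "$offset" -ge "$range_size" ]; then
        return 1
    fi
    echo $((base_id + offset))
}

# flush_sssd_cache: the step the reply recommends after changing an idrange.
# Run it on the IPA master and on every IPA client, as root. Stopping sssd
# first matters: the daemon rewrites the cache on shutdown otherwise.
flush_sssd_cache() {
    systemctl stop sssd
    rm -f /var/lib/sss/db/*    # persistent LDB cache, including cached ID mappings
    rm -f /var/lib/sss/mc/*    # memory-mapped fast cache used by nss_sss
    systemctl start sssd
}

# Worked check with the values from the question: the trusted-domain range
# starts at POSIX ID 10000 and holds 2,000,000 IDs, so RID 245906 maps to
# 10000 + 245906 = 255906 and is inside the range.
sid_to_unix_id 10000 2000000 0 \
    S-1-5-21-1983215674-46037090-646806464-245906 || echo "out of range"

# The destructive part only runs when asked for explicitly: ./check.sh flush
if [ "${1:-}" = "flush" ]; then
    flush_sssd_cache
fi
```

Run without arguments the script only prints the computed ID (or "out of range"); `flush` performs the cache removal and restart. Where a full wipe is undesirable, `sss_cache -E` followed by a restart of sssd invalidates cached entries without deleting the database files, but a changed ID range is exactly the case in which stale mappings must go, which is why the reply recommends removing the cache outright.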