[Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID
Gould, Joshua
Joshua.Gould at osumc.edu
Wed Mar 18 00:30:23 UTC 2015
David,
I had a very similar issue which I posted to the list today. Your notes
indirectly helped me. I think we both had two ends to the same puzzle.
It looks like the range for your AD domain defined in "ipa idrange-find
--all" needs to match what's in /etc/sssd/sssd.conf for your domain.
For your example, under [domain/CSNS.MIDDLEBURY.EDU] you should have
ldap_idmap_range_min = 1824600000
ldap_idmap_range_size = 2000000
Setting these two identically let me resolve AD IDs with the id command.
Hopefully this works for you too.
From: <Guertin>, "David S." <guertin at middlebury.edu>
Date: Tuesday, March 17, 2015 at 11:18 AM
To: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID
We have a trust relationship established between our AD domain and our IPA
domain, and AD users can be found on the IPA server with id and getent
passwd. When a user tries to SSH to the IPA server with AD credentials,
the logs show:
(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x0400): Processing user guertin-s
(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x1000): Mapping user [guertin-s] objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to unix ID
(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID
It seems that this is a problem with the ID range, but I can't see where
the problem is. We increased the default ranges of 200,000 to 2,000,000,
which I would think should be able to handle a RID of 245906:
# ipa idrange-find --all
----------------
2 ranges matched
----------------
dn: cn=CSNS.MIDDLEBURY.EDU_id_range,cn=ranges,cn=etc,dc=csns,dc=middlebury,dc=edu
Range name: CSNS.MIDDLEBURY.EDU_id_range
First Posix ID of the range: 1824600000
Number of IDs in the range: 2000000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
iparangetyperaw: ipa-local
objectclass: top, ipaIDrange, ipaDomainIDRange
dn: cn=MIDDLEBURY.EDU_id_range,cn=ranges,cn=etc,dc=csns,dc=middlebury,dc=edu
Range name: MIDDLEBURY.EDU_id_range
First Posix ID of the range: 10000
Number of IDs in the range: 2000000
Domain SID of the trusted domain: S-1-5-21-1983215674-46037090-646806464
Range type: Active Directory trust range with POSIX attributes
iparangetyperaw: ipa-ad-trust-posix
objectclass: ipatrustedaddomainrange, ipaIDrange
----------------------------
Number of entries returned 2
----------------------------
But the error remains. What am I missing?
David Guertin
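The script below is an added example, not code from this thread, from SSSD or from FreeIPA. It applies the IPA ID-range rules to the SID in David's log and the two ranges he posted, and performs the sssd.conf comparison Joshua describes. The rules it encodes: for an "ipa-ad-trust" range the UNIX ID is base ID + RID and the RID must be smaller than the range size; for an "ipa-ad-trust-posix" range the uidNumber stored in AD is used and only has to fall inside the range, so a SID alone cannot be mapped. Sample inputs are constructed from the text of the thread; the uidNumber 500000 in the demo is a made-up value, and the functions and names are the example's own.

```python
import re

# Constructed sample: the two ranges from the `ipa idrange-find --all` output
# quoted in the thread, pasted as text so the checks run offline.
IDRANGE_OUTPUT = """\
Range name: CSNS.MIDDLEBURY.EDU_id_range
First Posix ID of the range: 1824600000
Number of IDs in the range: 2000000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
iparangetyperaw: ipa-local

Range name: MIDDLEBURY.EDU_id_range
First Posix ID of the range: 10000
Number of IDs in the range: 2000000
Domain SID of the trusted domain: S-1-5-21-1983215674-46037090-646806464
Range type: Active Directory trust range with POSIX attributes
iparangetyperaw: ipa-ad-trust-posix
"""

# Constructed sssd.conf fragment with the two settings from the reply.
SSSD_CONF = """\
[domain/CSNS.MIDDLEBURY.EDU]
ldap_idmap_range_min = 1824600000
ldap_idmap_range_size = 2000000
"""

# The objectSID that sssd refused to map, taken from the quoted log lines.
LOG_SID = "S-1-5-21-1983215674-46037090-646806464-245906"

# Fields of `ipa idrange-find --all` that matter for mapping, with a converter.
FIELDS = {
    "First Posix ID of the range": ("base", int),
    "Number of IDs in the range": ("size", int),
    "Domain SID of the trusted domain": ("domain_sid", str),
    "iparangetyperaw": ("type", str),
}


def split_sid(sid):
    """Split an AD account SID into (domain SID, RID)."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if m is None:
        raise ValueError("not an AD domain account SID: %s" % sid)
    return m.group(1), int(m.group(2))


def parse_idranges(text):
    """Parse `ipa idrange-find --all` output into a list of range dicts."""
    ranges = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Range name":
            ranges.append({"name": value})
        elif key in FIELDS and ranges:
            field, conv = FIELDS[key]
            ranges[-1][field] = conv(value)
    return ranges


def map_sid(sid, ranges, posix_uid=None):
    """Return (unix_id, None) if an IPA range covers the SID, else (None, reason)."""
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r.get("domain_sid") != domain_sid:
            continue  # local ranges carry no domain SID and never match
        base, size = r["base"], r["size"]
        if r["type"] == "ipa-ad-trust":
            # Algorithmic mapping: the RID is an offset into the range.
            if rid >= size:
                return None, "RID %d does not fit in %s (size %d)" % (rid, r["name"], size)
            return base + rid, None
        if r["type"] == "ipa-ad-trust-posix":
            # IDs come from uidNumber/gidNumber stored in AD; the range only bounds them.
            if posix_uid is None:
                return None, "%s is a POSIX range: needs uidNumber from AD, not a SID mapping" % r["name"]
            if not base <= posix_uid < base + size:
                return None, "uidNumber %d is outside %s [%d, %d)" % (posix_uid, r["name"], base, base + size)
            return posix_uid, None
        return None, "unexpected range type %s" % r["type"]
    return None, "no ID range for domain SID %s" % domain_sid


def sssd_idmap_settings(conf_text, domain):
    """Read ldap_idmap_range_min/size from one [domain/...] section of sssd.conf."""
    section, found = None, {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "domain/" + domain or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in ("ldap_idmap_range_min", "ldap_idmap_range_size"):
            found[key.strip()] = int(value.strip())
    return found


def sssd_matches_range(conf_text, domain, rng):
    """True when the sssd.conf idmap settings equal the IPA range's base and size."""
    s = sssd_idmap_settings(conf_text, domain)
    return s.get("ldap_idmap_range_min") == rng["base"] and s.get("ldap_idmap_range_size") == rng["size"]


if __name__ == "__main__":
    ranges = parse_idranges(IDRANGE_OUTPUT)
    print(map_sid(LOG_SID, ranges))                    # refused: POSIX range, no uidNumber
    print(map_sid(LOG_SID, ranges, posix_uid=500000))  # accepted: made-up uidNumber in range
    for r in ranges:
        print(r["name"], sssd_matches_range(SSSD_CONF, "CSNS.MIDDLEBURY.EDU", r))
```

Run it as-is to see the two verdicts for the SID from the log; to test your own setup, paste your `ipa idrange-find --all` output and sssd.conf section into the two constants and replace LOG_SID with the SID from your sssd debug log.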