[Freeipa-users] sssd options ignored?

Gould, Joshua Joshua.Gould at osumc.edu
Wed Mar 18 02:29:07 UTC 2015


I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need
to match what's in ipa idrange-find --all for the AD domain.

# ipa idrange-mod --base-id=100000 --range-size=900000 --rid-base=0
Range name: TEST.OSUWMC_id_range
----------------------------------------
Modified ID range "TEST.OSUWMC_id_range"
----------------------------------------
Range name: TEST.OSUWMC_id_range
First Posix ID of the range: 100000
Number of IDs in the range: 900000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-226267946-722566613-1883572810
Range type: Active Directory domain range


/etc/sssd/sssd.conf:
[domain/test.osuwmc]
ldap_idmap_range_min = 100000
ldap_idmap_range_size = 900000





From:  <Gould>, Joshua Gould <joshua.gould at osumc.edu>
Date:  Tuesday, March 17, 2015 at 6:08 PM
To:  "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject:  [Freeipa-users] sssd options ignored?


I've been getting messages like these when I try the id command for a test
AD domain user:

(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_get_primary_name] (0x0400): Processing object farus at test.osuwmc
(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_save_user]
(0x0400): Processing user farus at test.osuwmc
(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_save_user]
(0x1000): Mapping user [farus at test.osuwmc] objectSID
[S-1-5-21-226267946-722566613-1883572810-398410] to unix ID
(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID
[S-1-5-21-226267946-722566613-1883572810-398410] to a UNIX ID
(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_save_user]
(0x0020): Failed to save user [adm-faru03 at test.osuwmc]


Various sources all indicate that it's a range issue with
ldap_idmap_range_size. I've tried several large values of just
ldap_idmap_range_size as well as adding ldap_idmap_range_min and
ldap_idmap_range_range. All I can figure is that perhaps sssd is ignoring
the values? Between changing values I did stop sssd, delete the cache and
restart it. This is RHEL7 fully up to date. My SSSD shows 1.12.2-58.

Here is my full sssd.conf.

[domain/unix.test.osuwmc]
debug_level = 9
subdomains_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = unix.test.osuwmc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mid-ipa-vp01.unix.test.osuwmc
chpass_provider = ipa
ipa_server = mid-ipa-vp01.unix.test.osuwmc
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#ldap_idmap_range_min = 2000
#ldap_idmap_range_size = 900000
#ldap_idmap_range_range = 3602000
ldap_idmap_range_size=1000000
ldap_id_mapping = True

[sssd]
services = nss, sudo, pam, ssh, pac
config_file_version = 2


domains = unix.test.osuwmc
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
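
Added example, not part of the original thread or of SSSD/FreeIPA code: a small checker that pulls the failing SIDs out of sssd debug output and tests them against an ID range. It assumes the trust range maps a RID linearly (POSIX ID = base ID + (RID - RID base), valid only while the offset is below the range size); the class and function names are hypothetical, and the 200000-ID range is a constructed comparison value.

```python
import re
from dataclasses import dataclass

# Log excerpt copied from the post above (line wrapping as archived).
SAMPLE_LOG = """\
(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID
[S-1-5-21-226267946-722566613-1883572810-398410] to a UNIX ID
"""

FAIL_RE = re.compile(r"Could not convert objectSID\s*\[(S-[\d-]+)\]")


@dataclass(frozen=True)
class IdRange:
    domain_sid: str
    base_id: int   # "First Posix ID of the range"
    size: int      # "Number of IDs in the range"
    rid_base: int  # "First RID of the corresponding RID range"

    def to_posix(self, sid):
        """Return the POSIX ID for sid, or None if it falls outside the range."""
        dom, _, rid = sid.rpartition("-")
        if dom != self.domain_sid or not rid.isdigit():
            return None
        offset = int(rid) - self.rid_base
        # Assumed mapping: linear offset from base_id, bounded by the range size.
        return self.base_id + offset if 0 <= offset < self.size else None


def failed_sids(log_text):
    """Unique SIDs that sssd reported it could not map."""
    return sorted(set(FAIL_RE.findall(log_text)))


def check(log_text, rng):
    """Map each failed SID to its POSIX ID under rng (None = still out of range)."""
    return {sid: rng.to_posix(sid) for sid in failed_sids(log_text)}


DOMAIN_SID = "S-1-5-21-226267946-722566613-1883572810"
POSTED = IdRange(DOMAIN_SID, base_id=100000, size=900000, rid_base=0)  # from the post
SMALL = IdRange(DOMAIN_SID, base_id=100000, size=200000, rid_base=0)   # constructed

if __name__ == "__main__":
    for name, rng in (("posted", POSTED), ("small", SMALL)):
        for sid, uid in check(SAMPLE_LOG, rng).items():
            print(f"{name}: {sid} -> {uid if uid is not None else 'outside range'}")
```
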






