[Freeipa-users] sssd options ignored?

Alexander Bokovoy abokovoy at redhat.com
Wed Mar 18 06:26:03 UTC 2015


On Tue, 17 Mar 2015, Gould, Joshua wrote:
>I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need
>to match what's in ipa idrange-find --all for the AD domain.
>
># ipa idrange-mod --base-id=100000 --range-size=900000 --rid-base=0
>Range name: TEST.OSUWMC_id_range
>----------------------------------------
>Modified ID range "TEST.OSUWMC_id_range"
>----------------------------------------
>Range name: TEST.OSUWMC_id_range
>First Posix ID of the range: 100000
>Number of IDs in the range: 900000
>First RID of the corresponding RID range: 0
>Domain SID of the trusted domain: S-1-5-21-226267946-722566613-1883572810
>Range type: Active Directory domain range
>
>
>/etc/sssd/sssd.conf:
>[domain/test.osuwmc]
>ldap_idmap_range_min = 100000
>ldap_idmap_range_size = 900000
There is something completely broken here. You *shouldn't* need to add a
separate domain section for any of the domains coming over the forest
trust link path _at_all_. SSSD automatically derives all needed
parameters for them via its IPA providers for the primary IPA domain.

Jakub, what is going on?


>
>From:  <Gould>, Joshua Gould <joshua.gould at osumc.edu>
>Date:  Tuesday, March 17, 2015 at 6:08 PM
>To:  "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>Subject:  [Freeipa-users] sssd options ignored?
>
>
>I've been getting messages like these when I try the id command for a test
>AD domain user:
>
>(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]]
>[sdap_get_primary_name] (0x0400): Processing object farus at test.osuwmc
>(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_save_user]
>(0x0400): Processing user farus at test.osuwmc
>(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_save_user]
>(0x1000): Mapping user [farus at test.osuwmc] objectSID
>[S-1-5-21-226267946-722566613-1883572810-398410] to unix ID
>(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]]
>[sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID
>[S-1-5-21-226267946-722566613-1883572810-398410] to a UNIX ID
>(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_save_user]
>(0x0020): Failed to save user [adm-faru03 at test.osuwmc]
>
>
>Various sources all indicate that it's a range issue with
>ldap_idmap_range_size. I've tried several large values of just
>ldap_idmap_range_size as well as adding ldap_idmap_range_min and
>ldap_idmap_range_range. All I can figure is that perhaps sssd is ignoring
>the values? Between changing values I did stop sssd, delete the cache and
>restart it. This is RHEL7 fully up to date. My SSSD shows 1.12.2-58.
>
>Here is my full sssd.conf.
>
>[domain/unix.test.osuwmc]
>debug_level = 9
>subdomains_provider = ipa
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = unix.test.osuwmc
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = mid-ipa-vp01.unix.test.osuwmc
>chpass_provider = ipa
>ipa_server = mid-ipa-vp01.unix.test.osuwmc
>ipa_server_mode = True
>ldap_tls_cacert = /etc/ipa/ca.crt
>#ldap_idmap_range_min = 2000
>#ldap_idmap_range_size = 900000
>#ldap_idmap_range_range = 3602000
>ldap_idmap_range_size=1000000
>ldap_id_mapping = True
>
>[sssd]
>services = nss, sudo, pam, ssh, pac
>config_file_version = 2
>
>
>domains = unix.test.osuwmc
>[nss]
>homedir_substring = /home
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>
>
>
>
>-- 
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy
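To make the range arithmetic behind the "Could not convert objectSID ... to a UNIX ID" message concrete, here is an added worked example (not SSSD or FreeIPA code, and not from either poster). It assumes the simple mapping used for an IPA "Active Directory domain range": the RID is taken from the last component of the object SID, and unix_id = base_id + (rid - rid_base) is valid only when 0 <= rid - rid_base < range_size. The SID and range values are the ones quoted in the thread; the 200000-ID range used for the failing case is a constructed value that is too small to hold RID 398410.

```python
"""Worked example: mapping an AD object SID to a UNIX ID for an IPA trust range.

Illustration only; this is not SSSD's idmap implementation. Assumed mapping
(for an IPA "Active Directory domain range" with rid_base and base_id):
    unix_id = base_id + (rid - rid_base),  valid iff 0 <= rid - rid_base < range_size
"""
import re
from typing import Optional, Tuple

# A SID looks like S-1-<authority>-<subauth>-...-<rid>; the domain SID is
# everything except the trailing RID component.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Values quoted in the thread (the IPA idrange for the trusted AD domain).
TRUSTED_DOMAIN_SID = "S-1-5-21-226267946-722566613-1883572810"
IPA_RANGE_BASE_ID = 100000     # "First Posix ID of the range"
IPA_RANGE_SIZE = 900000        # "Number of IDs in the range"
IPA_RANGE_RID_BASE = 0         # "First RID of the corresponding RID range"

# The object SID from the failing sdap_idmap_sid_to_unix debug line.
FAILING_OBJECT_SID = "S-1-5-21-226267946-722566613-1883572810-398410"


def split_sid(object_sid: str) -> Tuple[str, int]:
    """Split an object SID into (domain SID, RID). Raises ValueError on junk."""
    if not SID_RE.match(object_sid):
        raise ValueError(f"not a SID: {object_sid!r}")
    domain_sid, _, rid = object_sid.rpartition("-")
    return domain_sid, int(rid)


def sid_to_unix_id(object_sid: str, domain_sid: str, base_id: int,
                   range_size: int, rid_base: int = 0) -> Optional[int]:
    """Return the UNIX ID for object_sid, or None when it cannot be mapped.

    None is returned when the object belongs to a different domain than the
    configured range, or when its RID falls outside [rid_base, rid_base+range_size).
    That second case is what the quoted SSSD log reports as a conversion failure.
    """
    dom, rid = split_sid(object_sid)
    if dom != domain_sid:
        return None
    offset = rid - rid_base
    if offset < 0 or offset >= range_size:
        return None
    return base_id + offset


def explain(object_sid: str, domain_sid: str, base_id: int,
            range_size: int, rid_base: int = 0) -> str:
    """Human-readable verdict, useful when checking an idrange against a log line."""
    dom, rid = split_sid(object_sid)
    uid = sid_to_unix_id(object_sid, domain_sid, base_id, range_size, rid_base)
    if uid is None and dom != domain_sid:
        return f"{object_sid}: domain SID {dom} does not match range domain {domain_sid}"
    if uid is None:
        return (f"{object_sid}: RID {rid} is outside RIDs "
                f"[{rid_base}, {rid_base + range_size}) covered by the range")
    return f"{object_sid}: RID {rid} -> UNIX ID {uid}"


if __name__ == "__main__":
    # The configuration that matches the IPA idrange maps the user.
    print(explain(FAILING_OBJECT_SID, TRUSTED_DOMAIN_SID,
                  IPA_RANGE_BASE_ID, IPA_RANGE_SIZE, IPA_RANGE_RID_BASE))
    # A constructed range of only 200000 IDs cannot hold RID 398410.
    print(explain(FAILING_OBJECT_SID, TRUSTED_DOMAIN_SID, 200000, 200000, 0))
```

Run it as a script to see both verdicts; with the idrange quoted in the thread, RID 398410 lands on UNIX ID 498410, while the smaller constructed range rejects it, which is the situation the "Could not convert objectSID" line describes. The check is deliberately read-only: it evaluates a proposed range against an observed SID without touching sssd.conf or the cache.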
