[Freeipa-users] guidance on SID-UID mapping via sssd-ad -- one child domain works fine, 2nd domain generating SID-to-UID mapping error

Chris Dagdigian dag at sonsorol.org
Wed Feb 1 17:29:37 UTC 2017 

Hi folks,

I've posted here and gotten amazing help on our odd setup with IPA 
having a 1-way trust to a massive remote AD forest with 90+ domain 
controllers and lots of child domains.

I'm running into a strange issue where I can resolve and manage users in 
child domain (NAFTA.COMPANY.ORG) but I am getting failures and just 
discovered an interesting error that relates to resolving a user in the 
EAME.COMPANY.ORG forrest.

However I've also been dragged down the rabbit hole tracking down errors 
that turned out to be meaningless so I figured my 1st question will be 
"is this the error should I be focusing on?"

This is my situation:

1. "id user at NAFTA.COMPANY.ORG" works perfectly fine - no issues at all 
with RBAC, sudo and hosting SSH keys etc.

2. "id user at EAME.COMPANY.ORG" fails with "no such user"

3. We did not configure any specific SID-UID mapping rules in sssd.conf 
as we had assumed we'd use the "default" behavior


After digging through the logs I found this which seems VERY clear about 
the root cause:

(Wed Feb 1 17:02:18 2017) [sssd[be[companyidm.org]]] 
[dp_get_account_info_handler] (0x0200): Got request for 
[0x1][BE_REQ_USER][1][name=u474418 at eame.company.org]
(Wed Feb 1 17:02:18 2017) [sssd[be[companyidm.org]]] 
[sdap_idmap_sid_to_unix] (0x0040): Object SID 
[S-1-5-21-299502267-823518204-725345543-201173] has a RID that is larger 
than the ldap_idmap_range_size. See the "ID MAPPING” section of 
sssd-ad(5) for an explanation of how to resolve this issue.
(Wed Feb 1 17:02:18 2017) [sssd[be[companyidm.org]]] 
[sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID 
[S-1-5-21-299502267-823518204-725345543-201173] to a UNIX ID
(Wed Feb 1 17:02:18 2017) [sssd[be[companyidm.org]]] [sdap_save_user] 
(0x0020): Failed to save user [u474418 at eame.company.org]
(Wed Feb 1 17:02:18 2017) [sssd[be[companyidm.org]]] [sdap_save_users] 
(0x0040): Failed to store user 0. Ignoring.


The error about "Object SID has a RID that is larger than 
ldap_idmap_range_size .." seems pretty clear. I don't think this is a 
'rabbit hole' message - this seems like a real config problem on my end.

The problem is that I'm not quite sure what I should configure to 
resolve this. The man page for sssd-ad covers the topic but does not 
cover recommended configuration options.


Questions for this list:

1) Confirm that the "SID has an RID that is larger ..." error is real 
and worth chasing down ?

2) My understanding was that by default SSSD will hash SIDs and come up 
with unique UID and GID ranges that will be consistent across any 
machine bound to the same IDM mechanism. So I've not configured anything 
specific related to SID-to-UID mapping as we wanted to go with the 
default behavior used by SSSD. Obviously the default is not working and 
I've got to make a change. I just don't know what the recommended change 
should be. Help appreciated!



Config file details are below.


Regards,
Chris





This is the sssd/sssd.conf file on the IPA server:

###----------------------

[domain/companyidm.org]
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal
debug_level = 5
krb5_validate = True
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = companyidm.org
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = usaeilidmp001.companyidm.org
chpass_provider = ipa
ipa_server = usaeilidmp001.companyidm.org
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = companyidm.org
[nss]
memcache_timeout = 600
homedir_substring = /home

[pam]
debug_level = 5
[sudo]

[autofs]

[ssh]
debug_level = 5

[pac]

[ifp]

###----------------------


This is krb5.conf which handles the child domain and trust things ...

[capaths]
COMPANYAWS.ORG = {
COMPANYIDM.ORG = COMPANYAWS.ORG
}
COMPANYIDM.ORG = {
COMPANYAWS.ORG = COMPANYAWS.ORG
SYNGENTA.ORG = COMPANY.ORG
EAME.COMPANY.ORG = SYNGENTA.ORG
APAC.COMPANY.ORG = SYNGENTA.ORG
LATAM.COMPANY.ORG = SYNGENTA.ORG
NAFTA.COMPANY.ORG = SYNGENTA.ORG
}
COMPANY.ORG = {
COMPANYIDM.ORG = COMPANY.ORG
}
EAME.COMPANY.ORG = {
COMPANYIDM.ORG = COMPANY.ORG
}
APAC.COMPANY.ORG = {
COMPANYIDM.ORG = COMPANY.ORG
}
LATAM.COMPANY.ORG = {
COMPANYIDM.ORG = COMPANY.ORG
}
NAFTA.COMPANY.ORG = {
COMPANYIDM.ORG = COMPANY.ORG
}


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = COMPANYIDM.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
COMPANYIDM.ORG = {
kdc = usaeilidmp001.companyidm.org:88
master_kdc = usaeilidmp001.companyidm.org:88
admin_server = usaeilidmp001.companyidm.org:749
default_domain = syngentaidm.org
pkinit_anchors = FILE:/etccompanyidmipa/ca.crt
}

[dbmodules]
COMPANYIDM.ORG = {
db_library = ipadb.so
}

More information about the Freeipa-users mailing list