OK, it seems promising, but it still fails. I used:

ipa idrange-mod COMPANY.COM_id_range --range-size=10000000
ipa idrange-mod CORP.COMPANY.COM_id_range --range-size=10000000

restarted sssd (and IPA, just in case), but I still get the same error. Isn't it in sssd.conf that I should set ldap_idmap_range_size? And if yes, in which section? :-(

Thank you

----- Original Message -----
From: "Alexander Bokovoy" <[email protected]>
To: "Nicolas Zin" <[email protected]>
Cc: [email protected], "Francois Cami" <[email protected]>
Sent: Monday 16 February 2015 13:50:38
Subject: Re: [Freeipa-users] resolving subdomain AD in a trust relationship

On Mon, 16 Feb 2015, Nicolas Zin wrote:
>Hi,
>
>we created a trust relationship with an AD, and we get this result:
># ipa trust-domainfind "company.com"
>  Domain name: corp.company.com
>  Domain NetBIOS name: COMPANY
>  Domain Security Identifier: S-1-5-21-blabla-blabla-blabla
>  Domain enabled: True
>
>  Domain name: company.com
>  Domain NetBIOS name: ROOT
>  Domain Security Identifier: S-1-5-21-blabla2-blabla2-blabla2
>  Domain enabled: True
>
>We manage to see the user from the root domain:
>id [email protected]
>
>But cannot see a user from the child:
>id [email protected]
>
>
>In the logs we see:
>Could not convert objectSID S-1-5-21-blabla-blabla-blabla-496378] to a UNIX ID

RID (496378) is larger than the size of the idrange given for this domain (200000 ids by default). You need to extend the idrange for corp.company.com.

In the Windows world RIDs grow monotonically -- if you delete a user, its RID is not reused. When there is a large churn of users created/removed, RIDs may go up quickly. For most mid-range companies defaults like the ones IPA has (200000 ids) are fine, but if your situation is different, increase the range.

Note that idranges for trusted AD domains are not used by the DNA plugin, as nothing is allocating in this space on the LDAP server side; rather SSSD does allocation on its own, it just needs the idrange reserved.

For example, 'ipa idrange-mod <range-name> --size=1000000' to set the idrange size to one million. The range name for the trusted domain can be seen with 'ipa idrange-find'.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
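A check for the situation in this thread, added here as an example and not part of the thread or of FreeIPA: it takes the objectSID from the SSSD log line and the size of the trusted domain's range from 'ipa idrange-find' output, and reports whether the RID fits and, if not, the smallest --range-size that would cover it. The sample SID and range listing are constructed, and the field labels parsed from the listing ("Range name", "Number of IDs in the range") are assumed to match the plain-text 'ipa idrange-find' output.

```shell
#!/bin/sh
# Added example (not from the thread): does the RID of a SID that SSSD
# refused to map fit into the trusted domain's IPA idrange, and if not,
# what is the smallest --range-size that would cover it?

# The RID is the last dash-separated component of the SID.
sid_rid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# Pull "Number of IDs in the range" for one range name out of
# idrange-find output read on stdin (field labels are an assumption).
range_size_for() {   # $1 = range name
    awk -F': *' -v name="$1" '
        $1 ~ /Range name$/                    { cur = $2 }
        $1 ~ /Number of IDs/ && cur == name   { print $2; exit }
    '
}

# As the thread explains, SSSD allocates IDs inside the reserved range
# itself; with the trust range starting at RID 0 the RID must be strictly
# below the range size to be mappable.
rid_fits() {   # $1 = RID, $2 = range size
    [ "$1" -lt "$2" ]
}

# Smallest range size that still covers this RID (leave headroom in practice,
# since RIDs only ever grow).
min_range_size() {
    echo $(( $1 + 1 ))
}

check_sid() {   # $1 = SID, $2 = range name, $3 = idrange-find output
    rid=$(sid_rid "$1")
    size=$(printf '%s\n' "$3" | range_size_for "$2")
    if rid_fits "$rid" "$size"; then
        echo "RID $rid fits in $2 (size $size)"
    else
        echo "RID $rid exceeds $2 (size $size); need --range-size >= $(min_range_size "$rid")"
    fi
}

# Constructed sample using the numbers from the thread.
SAMPLE_SID='S-1-5-21-1111-2222-3333-496378'
SAMPLE_FIND='  Range name: CORP.COMPANY.COM_id_range
  First Posix ID of the range: 1200000
  Number of IDs in the range: 200000
  Range type: Active Directory domain range'

check_sid "$SAMPLE_SID" CORP.COMPANY.COM_id_range "$SAMPLE_FIND"
```

On a real server, feed it the SID from /var/log/sssd and the output of 'ipa idrange-find' instead of the constructed sample.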
