I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need to match what's in ipa idrange-find --all for the AD domain.

# ipa idrange-mod --base-id=100000 --range-size=900000 --rid-base=0
Range name: TEST.OSUWMC_id_range
----------------------------------------
Modified ID range "TEST.OSUWMC_id_range"
----------------------------------------
  Range name: TEST.OSUWMC_id_range
  First Posix ID of the range: 100000
  Number of IDs in the range: 900000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-226267946-722566613-1883572810
  Range type: Active Directory domain range

/etc/sssd/sssd.conf:

[domain/test.osuwmc]
ldap_idmap_range_min = 100000
ldap_idmap_range_size = 900000

From: <Gould>, Joshua Gould <[email protected]>
Date: Tuesday, March 17, 2015 at 6:08 PM
To: "[email protected]" <[email protected]>
Subject: [Freeipa-users] sssd options ignored?

I've been getting messages like these when I try the id command for a test AD domain user:

(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_get_primary_name] (0x0400): Processing object [email protected]
(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_save_user] (0x0400): Processing user [email protected]
(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_save_user] (0x1000): Mapping user [[email protected]] objectSID [S-1-5-21-226267946-722566613-1883572810-398410] to unix ID
(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-226267946-722566613-1883572810-398410] to a UNIX ID
(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_save_user] (0x0020): Failed to save user [[email protected]]

Various sources all indicate that it's a range issue with ldap_idmap_range_size. I've tried several large values of just ldap_idmap_range_size as well as adding ldap_idmap_range_min and ldap_idmap_range_range. All I can figure is that perhaps sssd is ignoring the values? Between changing values I did stop sssd, delete the cache and restart it.

This is RHEL7 fully up to date. My SSSD shows 1.12.2-58.

Here is my full sssd.conf.

[domain/unix.test.osuwmc]
debug_level = 9
subdomains_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = unix.test.osuwmc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mid-ipa-vp01.unix.test.osuwmc
chpass_provider = ipa
ipa_server = mid-ipa-vp01.unix.test.osuwmc
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#ldap_idmap_range_min = 2000
#ldap_idmap_range_size = 900000
#ldap_idmap_range_range = 3602000
ldap_idmap_range_size=1000000
ldap_id_mapping = True

[sssd]
services = nss, sudo, pam, ssh, pac
config_file_version = 2
domains = unix.test.osuwmc

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
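
The range arithmetic behind the sdap_idmap_sid_to_unix failure in this thread, as an added example that is not part of the original messages and is not SSSD's own code. It assumes the linear mapping base ID + (RID - RID base) for an Active Directory domain range; the IdRange class, the function names and the 200000-ID range are hypothetical or constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class IdRange:
    """Fields as printed by `ipa idrange-mod` in the thread (hypothetical class)."""
    domain_sid: str
    base_id: int      # First Posix ID of the range
    range_size: int   # Number of IDs in the range
    rid_base: int     # First RID of the corresponding RID range

def split_sid(object_sid: str) -> Tuple[str, int]:
    """Split an objectSID into (domain SID, RID)."""
    domain_sid, _, rid = object_sid.rpartition("-")
    if not domain_sid.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not a SID: {object_sid!r}")
    return domain_sid, int(rid)

def sid_to_unix_id(object_sid: str, rng: IdRange) -> Optional[int]:
    """Return the POSIX ID for the SID, or None if the range cannot hold it."""
    domain_sid, rid = split_sid(object_sid)
    if domain_sid != rng.domain_sid:
        return None                    # SID belongs to another domain
    offset = rid - rng.rid_base
    if not 0 <= offset < rng.range_size:
        return None                    # RID falls outside the range
    return rng.base_id + offset

def required_range_size(object_sid: str, rng: IdRange) -> int:
    """Smallest 'Number of IDs in the range' that still covers this RID."""
    _, rid = split_sid(object_sid)
    if rid < rng.rid_base:
        raise ValueError("RID is below the RID base; no range size can cover it")
    return rid - rng.rid_base + 1

# Values taken from the thread: domain SID, user objectSID, modified range.
DOMAIN_SID = "S-1-5-21-226267946-722566613-1883572810"
USER_SID = DOMAIN_SID + "-398410"
MODIFIED = IdRange(DOMAIN_SID, base_id=100000, range_size=900000, rid_base=0)
# Constructed for contrast: same range with only 200000 IDs (not from the thread).
SMALL = IdRange(DOMAIN_SID, base_id=100000, range_size=200000, rid_base=0)

if __name__ == "__main__":
    for label, rng in (("constructed 200000-ID range", SMALL),
                       ("range from the thread", MODIFIED)):
        print(f"{label}: {sid_to_unix_id(USER_SID, rng)}")
    print("minimum range size:", required_range_size(USER_SID, SMALL))
```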
