[Freeipa-users] resolving subdomain AD in a trust relationship

Nicolas Zin nicolas.zin at savoirfairelinux.com
Mon Feb 16 10:37:36 UTC 2015


OK

seems promising but it still fails.
I used 
ipa idrange-mod COMPANY.COM_id_range --range-size=10000000
ipa idrange-mod CORP.COMPANY.COM_id_range --range-size=10000000

restarted sssd (and IPA, just in case) but still get the same error.


Isn't it in sssd.conf that I should set ldap_idmap_range_size? And if yes, in which section? :-(


thank you



----- Original Message -----
From: "Alexander Bokovoy" <abokovoy at redhat.com>
To: "Nicolas Zin" <nicolas.zin at savoirfairelinux.com>
Cc: freeipa-users at redhat.com, "Francois Cami" <fcami at redhat.com>
Sent: Monday 16 February 2015 13:50:38
Subject: Re: [Freeipa-users] resolving subdomain AD in a trust relationship

On Mon, 16 Feb 2015, Nicolas Zin wrote:
>Hi,
>
>we created a trust relationship with an AD, and we get this result:
># ipa trust-domainfind "company.com"
>  Domain name: corp.company.com
>  Domain NetBIOS name: COMPANY
>  Domain Security Identifier: S-1-5-21-blabla-blabla-blabla
>  Domain enabled: True
>
>  Domain name: company.com
>  Domain NetBIOS name: ROOT
>  Domain Security Identifier: S-1-5-21-blabla2-blabla2-blabla2
>  Domain enabled: True
>
>We manage to see the user from the root domain:
>id auser at company.com
>
>But cannot see a user from the child:
>id anotheruser at corp.company.com
>
>
>In the logs we see:
>Could not convert objectSID S-1-5-21-blabla-blabla-blabla-496378] to a UNIX ID
RID (496378) is larger than the size of the idrange given for this
domain (200000 ids by default).

You need to extend idrange for corp.company.com.

In the Windows world RIDs grow monotonically -- if you delete a user, its RID
is not reused. When there is a large churn of users created/removed, RIDs
may go up quickly. For most mid-range companies defaults like IPA has
(200000 ids) are fine, but if your situation is different, increase the
range.

Note that idranges for trusted AD domains are not used by the DNA plugin as
nothing is allocating in this space on the LDAP server side; rather, SSSD
does allocation on its own, it just needs the idrange reserved.

For example, 'ipa idrange-mod <range-name> --size=1000000' to set the
idrange size to one million. Range name for the trusted domain can be
seen with 'ipa idrange-find'.
-- 
/ Alexander Bokovoy
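As an added illustration of the failure Alexander describes (this is not code from the thread, nor from FreeIPA or SSSD), a small model of how a trusted-domain idrange gates the objectSID to UNIX ID conversion. It assumes the mapping used for ipa-ad-trust ranges is unix_id = base_id + (RID - base_rid), valid only while that offset is below range_size; the range names follow the thread, while the domain SIDs and base IDs are constructed.

```python
import re
from dataclasses import dataclass

# An AD object SID is S-1-5-21-<a>-<b>-<c>-<RID>; everything before the
# last dash identifies the domain, the last component is the RID.
_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

@dataclass
class IdRange:
    name: str          # as listed by 'ipa idrange-find'
    domain_sid: str    # SID of the trusted domain, without RID
    base_id: int       # first UNIX ID reserved for the domain
    range_size: int    # number of IDs reserved (200000 by default)
    base_rid: int = 0  # RID that maps onto base_id (assumed default)

def split_sid(sid):
    """Return (domain SID, RID); ValueError for anything else."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain object SID: {sid}")
    return m.group(1), int(m.group(2))

def map_sid(sid, ranges):
    """Return (unix_id, "") on success, or (None, reason) in the cases
    where SSSD logs 'Could not convert objectSID ... to a UNIX ID'."""
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid != domain_sid:
            continue
        offset = rid - r.base_rid
        if 0 <= offset < r.range_size:
            return r.base_id + offset, ""
        return None, (f"RID {rid} outside {r.name}: base_rid={r.base_rid}, "
                      f"range_size={r.range_size}")
    return None, f"no idrange covers domain {domain_sid}"

def resized(ranges, name, new_size):
    """Copy of ranges with one range_size changed (what idrange-mod does)."""
    return [IdRange(r.name, r.domain_sid, r.base_id, new_size, r.base_rid)
            if r.name == name else r for r in ranges]

# Constructed stand-ins for the two ranges discussed in the thread.
RANGES = [
    IdRange("COMPANY.COM_id_range", "S-1-5-21-1111-2222-3333",
            1_000_000_000, 200_000),
    IdRange("CORP.COMPANY.COM_id_range", "S-1-5-21-4444-5555-6666",
            1_000_200_000, 200_000),
]
```

With the default 200000-ID range, a corp.company.com user whose RID is 496378 gets no UNIX ID; after resizing that range the same SID maps cleanly, which is the check worth running against real 'ipa idrange-find' output before and after the idrange-mod.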
