find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [120000023l] into an unused SID

Solution Verified

Environment

  • Red Hat Enterprise Linux (RHEL) 7, 8, 9
  • IPA Server 3.x, 4.x

Issue

  • dirsrv logs the following errors when the ipa-sidgen-task is run (for example when ipa-adtrust-install --add-sids starts it):
[30/May/2013:10:24:17 +0100] sidgen_task_thread - [file ipa_sidgen_task.c, line 191]: Sidgen task starts ...
[30/May/2013:10:24:17 +0100] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [120000023l] into an unused SID.
[30/May/2013:10:24:17 +0100] do_work - [file ipa_sidgen_task.c, line 151]: Cannot add SID to existing entry.
[30/May/2013:10:24:17 +0100] sidgen_task_thread - [file ipa_sidgen_task.c, line 196]: Sidgen task finished [32].

Resolution

  • Any one of the following options fixes the issue; choose the one that fits the environment.

Option 1.

Change the UID/GID of the user (or group) that presently sits outside the IPA ID range to a free UID/GID inside the range. File ownership on clients and NFS servers is stored by numeric ID, so files owned by the old number must be re-owned afterwards (for example with find -uid / chown). The change can be made as follows:

a) Graphical Mode:

  Identity Management (IPA) Console -> Identity -> Users -> <select username> -> ACCOUNT SETTINGS -> UID/GID

b) Command Line:

   ipa user-mod <username> --uid=<uid number> --gidnumber=<gid number>
   ipa group-mod <groupname> --gid=<gid number>

Option 2.

If possible, modify the existing ID range so that it covers the UID/GID values that are presently outside it. A range can only be grown or moved into Posix IDs and RIDs that no other range already occupies, and the primary and secondary RID ranges of the modified range must not overlap each other; IPA rejects the modification otherwise.

a) Graphical Mode:

   Identity Management (IPA) Console -> IPA Server -> ID Ranges -> <Range Name> -> RANGE SETTINGS -> Range Size

b) Command Line:

   ipa idrange-mod <Range Name> --range-size=<range size> [--base-id=<id value>]

Option 3.

Add a new ID range that covers the UID/GID values presently outside the existing ranges. Its Posix IDs and its primary and secondary RID ranges must not overlap any existing range.

a) Graphical Mode:

   Identity Management (IPA) Console -> IPA Server -> ID Ranges -> Add

b) Command Line:

  ipa idrange-add <Range Name> --base-id=<id value> --range-size=<range size> --rid-base=<value>  --secondary-rid-base=<value>

Root Cause

  • The error occurs when users or groups were created in, or migrated into, IPA with a UID/GID outside every local IPA ID range, so the sidgen task has no range from which to derive a RID for them.

Diagnostic Steps

The ipa-sidgen-task adds SIDs to existing entries: for each user or group it sets the ipaNTSecurityIdentifier attribute, deriving the RID from the entry's uidNumber/gidNumber and the ID range that contains that value. An entry whose Posix ID falls outside every local range cannot be given a RID, which is what the error reports.

The log shows the exact Posix ID that could not be converted, and comparing it with the configured ranges confirms that it lies outside all of them.
E.g.,

/var/log/dirsrv/slapd-EXAMPLE-NET/errors
[03/Oct/2023:13:02:43.845852460 -0400] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[03/Oct/2023:13:02:44.033707984 -0400] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [10011] into an unused SID.
[03/Oct/2023:13:02:44.034702871 -0400] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[03/Oct/2023:13:02:44.042168794 -0400] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

Searching the directory for that number (as either uidNumber or gidNumber) finds the offending entry. In this case it is a group:

  dn: cn=appgroup,cn=groups,cn=accounts,dc=example,dc=net
  cn: appgroup
  description: Application group
  gidnumber: 10011
  objectClass: top
  objectClass: groupofnames
  objectClass: nestedgroup
  objectClass: ipausergroup
  objectClass: ipaobject
  objectClass: posixgroup

The configured ID ranges confirm that no local range covers this gidnumber:

[root@idm01 ~]#  ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: EXAMPLE.NET_id_range
  First Posix ID of the range: 1745000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: EXAMPLE.NET_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-728565-838781-3296162503
  Range type: Active Directory domain range

Fix this by following one of the options in the Resolution section, after choosing the one that suits the environment. In a large environment where years of use have produced thousands of users and groups scattered outside the ID range, adding one or more ranges that cover them, or expanding the existing range, is usually preferable to renumbering every account.

Make sure that every user and group is accounted for. The task stops at the first entry it cannot convert, so if the error is still logged after a fix, the ID shown is the next one to handle; re-run the task until it finishes without the error.
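The following script is an added example, not code from this solution or from FreeIPA. It automates the diagnostic step above (extract the rejected Posix IDs from the dirsrv errors log and check them against the output of ipa idrange-find) and drafts the ipa idrange-add command for Option 3 of the Resolution with Posix and RID bases that overlap no existing range. Both inputs are constructed samples modelled on the output shown in this article. The RID arithmetic (RID = RID base + the ID's offset within its range, secondary RID base when the primary SID is already taken) mirrors the sidgen plugin's allocation scheme and is stated here as an assumption; the domain SID passed to expected_sid is assumed to be the IPA domain's own SID, and the range name EXAMPLE.NET_legacy_range is hypothetical.

```python
"""Check sidgen-rejected Posix IDs against IPA ID ranges and draft a covering range.

Added example, not Red Hat or FreeIPA code. RID arithmetic is an assumption that
mirrors the sidgen plugin: RID = rid_base + (posix_id - base_id), secondary RID
base used when the primary SID is already taken.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of /var/log/dirsrv/slapd-EXAMPLE-NET/errors (not a real capture).
SAMPLE_ERRORS = """\
[03/Oct/2023:13:02:43.845852460 -0400] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[03/Oct/2023:13:02:44.033707984 -0400] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [10011] into an unused SID.
[03/Oct/2023:13:02:44.042168794 -0400] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
"""

# Constructed sample of `ipa idrange-find` output, including its header/footer lines.
SAMPLE_RANGES = """\
----------------
2 ranges matched
----------------
  Range name: EXAMPLE.NET_id_range
  First Posix ID of the range: 1745000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: EXAMPLE.NET_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-728565-838781-3296162503
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
"""

# Older releases log the ID with a trailing "l" ("[120000023l]"); accept both forms.
REJECTED_RE = re.compile(r"Cannot convert Posix ID \[(\d+)l?\] into an unused SID")


@dataclass
class IdRange:
    name: str
    base_id: int
    size: int
    rid_base: Optional[int]
    secondary_rid_base: Optional[int]
    local: bool  # True for "local domain range"; only those ranges yield SIDs from sidgen

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

    def rid_intervals(self) -> List[Tuple[int, int]]:
        """Half-open [lo, hi) RID intervals this range occupies (primary and secondary)."""
        return [(b, b + self.size) for b in (self.rid_base, self.secondary_rid_base) if b is not None]


def rejected_ids(log_text: str) -> List[int]:
    """Posix IDs the sidgen task reported as unconvertible, in log order."""
    return [int(m.group(1)) for m in REJECTED_RE.finditer(log_text)]


def parse_idranges(text: str) -> List[IdRange]:
    """Parse `ipa idrange-find` output; blocks without a 'Range name' line are skipped."""
    ranges = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(": ")
            if sep:
                attrs[key] = value.strip()
        if "Range name" not in attrs:
            continue
        ranges.append(IdRange(
            name=attrs["Range name"],
            base_id=int(attrs["First Posix ID of the range"]),
            size=int(attrs["Number of IDs in the range"]),
            rid_base=_opt_int(attrs, "First RID of the corresponding RID range"),
            secondary_rid_base=_opt_int(attrs, "First RID of the secondary RID range"),
            local=attrs.get("Range type") == "local domain range",
        ))
    return ranges


def _opt_int(attrs: dict, key: str) -> Optional[int]:
    return int(attrs[key]) if key in attrs else None


def uncovered_ids(ids: List[int], ranges: List[IdRange]) -> List[int]:
    """IDs that no local range covers: exactly the ones sidgen cannot convert."""
    local = [r for r in ranges if r.local]
    return [i for i in ids if not any(r.covers(i) for r in local)]


def expected_sid(posix_id: int, ranges: List[IdRange], domain_sid: str, used_sids=frozenset()) -> Optional[str]:
    """SID sidgen would assign (assumed scheme): primary RID, or secondary RID if that SID is taken."""
    for r in ranges:
        if r.local and r.covers(posix_id):
            offset = posix_id - r.base_id
            for rid_base in (r.rid_base, r.secondary_rid_base):
                if rid_base is not None and f"{domain_sid}-{rid_base + offset}" not in used_sids:
                    return f"{domain_sid}-{rid_base + offset}"
    return None


def _free_rid_base(size: int, occupied: List[Tuple[int, int]], start: int = 1000) -> int:
    """Lowest RID base >= start such that [base, base+size) hits no occupied interval."""
    base = start
    for lo, hi in sorted(occupied):
        if base + size <= lo:
            break
        base = max(base, hi)
    if base + size > 2 ** 32:  # RIDs are 32-bit
        raise ValueError("no free RID space for a range of %d IDs" % size)
    return base


def propose_range(ids: List[int], ranges: List[IdRange], name: str = "EXAMPLE.NET_legacy_range", size: Optional[int] = None) -> dict:
    """Option 3: a new local range covering `ids` whose Posix IDs and RID ranges overlap nothing existing."""
    lo, hi = min(ids), max(ids)
    size = max(size or 0, hi - lo + 1)
    for r in ranges:
        if lo < r.base_id + r.size and r.base_id < lo + size:
            raise ValueError(f"Posix IDs {lo}-{lo + size - 1} overlap range {r.name}")
    occupied = [iv for r in ranges for iv in r.rid_intervals()]
    rid_base = _free_rid_base(size, occupied)
    secondary = _free_rid_base(size, occupied + [(rid_base, rid_base + size)])
    return {"name": name, "base_id": lo, "size": size, "rid_base": rid_base, "secondary_rid_base": secondary}


def idrange_add_command(p: dict) -> str:
    return (f"ipa idrange-add {p['name']} --base-id={p['base_id']} --range-size={p['size']} "
            f"--rid-base={p['rid_base']} --secondary-rid-base={p['secondary_rid_base']}")


if __name__ == "__main__":
    ranges = parse_idranges(SAMPLE_RANGES)
    bad = uncovered_ids(rejected_ids(SAMPLE_ERRORS), ranges)
    print("Posix IDs outside every local range:", bad)
    if bad:
        print(idrange_add_command(propose_range(bad, ranges, size=1000)))
```

Feed it the real errors log and the real ipa idrange-find output instead of the samples; because the task stops at the first unconvertible entry, collect the IDs over several runs (or from an LDAP search for entries lacking ipaNTSecurityIdentifier) before sizing the new range, and review the proposed command before running it.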

  • Component: ipa

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
