Why is sssd failing to assign uid and gid to some of the users from Active Directory in Red Hat Enterprise Linux?
Environment
- Red Hat Enterprise Linux 6.x
- Red Hat Enterprise Linux 7.x
- Red Hat Enterprise Linux 8.x
- Red Hat Enterprise Linux 9.x
- IPA - Active Directory Trust
- Direct AD Integration (id_provider=ad)
Issue
- Some users from the Active Directory server are able to get their uid and gid, other users are not. Thus they are not able to log in to the Red Hat Enterprise Linux system. After raising the debug level in
/etc/sssd/sssd.conf, I'm observing the following errors in sssd's domain log file:
[sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1801674531-2052111302-2146921017-755555] to a UNIX ID
(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [sdap_save_user] (0x0040): Failed to save user [username]
or
[sdap_idmap_sid_to_unix] (0x0040): Object SID [S-1-5-21-1801674531-2052111302-2146921017-755555] has a RID that is larger than the ldap_idmap_range_size. See the "ID MAPPING" section of sssd-ad(5) for an explanation of how to resolve this issue.
Resolution
- In case of direct AD integration (id_provider = ad), increase the
ldap_idmap_range_size parameter so that it is larger than the RID of the objectSID having the issue. In this example, since there is one domain, increasing the range by a factor of 10 is fine:
ldap_idmap_range_size = 2000000
- In case of an IPA/AD trust, use the
ipa idrange-mod command to overwrite the range:
# ipa idrange-find
# ipa idrange-mod --base-id=2000000 --range-size=1000000000 AD.EXAMPLE.COM_id_range
- SSSD should be restarted and the cache should be deleted when changing the range.
# service sssd stop; rm -f /var/lib/sss/db/*; service sssd start
- Perform an id lookup on the user to verify the mapping works.
# id username
Root Cause
- After analyzing the code, the problem appears to be a range issue: the RID of the objectSID (755555, the last component of the SID below) was much larger than the default "ldap_idmap_range_size" of 200,000:
S-1-5-21-1801674531-2052111302-2146921017-755555
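To make the root cause concrete, here is an added example (not from the article or from sssd's own code) that reproduces the arithmetic described above: it pulls the failing SIDs out of domain-log lines like the ones quoted under Diagnostic Steps, splits off the RID, checks it against ldap_idmap_range_size, and for an IPA/AD trust range computes the POSIX ID. The log lines are constructed after the article's; the strict `rid < range_size` boundary and the `base_id + (RID - first_rid)` formula for a trust range are assumptions, not sssd's exact implementation.

```python
import re

# Constructed sample lines, modelled on the article's domain log (not a real capture)
SAMPLE_LOG = [
    "(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [sdap_save_user] (0x1000): "
    "Mapping user [username] objectSID to unix ID",
    "(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [sdap_idmap_sid_to_unix] (0x0080): "
    "Could not convert objectSID [S-1-5-21-1801674531-2052111302-2146921017-755555] to a UNIX ID",
    "(Mon Dec 30 15:26:28 2013) [sssd[be[server.example.com]]] [sdap_idmap_sid_to_unix] (0x0040): "
    "Object SID [S-1-5-21-1801674531-2052111302-2146921017-900001] has a RID that is larger "
    "than the ldap_idmap_range_size.",
]

# Both failure messages quote the SID in square brackets right after "objectSID"/"Object SID"
FAILED_SID_RE = re.compile(r"(?:objectSID|Object SID) \[(S-[\d-]+)\]")

def split_sid(sid):
    """Split an AD account SID (S-1-5-21-<3 sub-authorities>-<RID>) into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not an AD account SID: %s" % sid)
    return "-".join(parts[:-1]), int(parts[-1])

def rid_fits_range(sid, range_size):
    """The RID must be below ldap_idmap_range_size (strict upper bound assumed here)."""
    return split_sid(sid)[1] < range_size

def failed_sids_from_log(lines):
    """Return the SIDs sssd reported as unmappable, in log order."""
    return [m.group(1) for m in map(FAILED_SID_RE.search, lines) if m]

def smallest_range_size(sids):
    """Smallest ldap_idmap_range_size that would cover every listed RID (highest RID + 1)."""
    return max(split_sid(s)[1] for s in sids) + 1

def posix_id_in_trust_range(sid, base_id, range_size, first_rid=0):
    """POSIX ID for an IPA/AD trust range: base_id + (RID - first_rid), or None if the
    RID lies outside [first_rid, first_rid + range_size). Formula is an assumption."""
    offset = split_sid(sid)[1] - first_rid
    if offset < 0 or offset >= range_size:
        return None
    return base_id + offset

if __name__ == "__main__":
    bad = failed_sids_from_log(SAMPLE_LOG)
    for s in bad:
        print(s, "fits default 200000:", rid_fits_range(s, 200000),
              "fits 2000000:", rid_fits_range(s, 2000000))
    print("minimum ldap_idmap_range_size covering all failures:", smallest_range_size(bad))
```

Running it over a real domain log (after raising the debug level) gives the smallest range size that would have covered every RID sssd refused to map.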
Diagnostic Steps
- Enable debug level logging in the domain section of /etc/sssd/sssd.conf. For enabling debug logging in sssd, refer to General debugging of sssd.
- Try to get user information using commands such as:
# date ; id -G <username>
# date ; getent passwd -s sss <username>
- Check the
sssd domain logs with reference to the above timestamps:
(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [sdap_save_user] (0x1000): Mapping user [username] objectSID to unix ID
(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1801674531-2052111302-2146921017-755555] to a UNIX ID
(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [sdap_save_user] (0x0040): Failed to save user [testuser]
(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [sdap_get_users_process] (0x4000): Saving 1 Users - Done
(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x26702b0], connected[1], ops[(nil)], ldap[0x266ff20]
(Mon Dec 30 15:26:27 2013) [sssd[be[server.example.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
- Only applicable to an IPA/AD trust: get the output of ipa idrange-find --all and check whether the range in the output and the one in the sssd.conf file match.
[root@hostname ]# ipa idrange-find --all
----------------
2 ranges matched
----------------
dn: cn=AD.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=ipa,dc=example,dc=com
Range name: AD.EXAMPLE.COM_id_range
First Posix ID of the range: 2000000
Number of IDs in the range: 500000 --> Holds the key: this is the range that corresponds to the range specified in the sssd.conf file, and the failing SID has a RID larger than 200000.
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-3445201352-2429057597-3478110235
Range type: Active Directory domain range
iparangetyperaw: ipa-ad-trust
objectclass: ipatrustedaddomainrange, ipaIDrange
dn: cn=IPA.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=ipa,dc=example,dc=com
Range name: IPA.EXAMPLE.COM_id_range
First Posix ID of the range: 1335000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
iparangetyperaw: ipa-local
objectclass: top, ipaIDrange, ipaDomainIDRange
----------------------------
Number of entries returned 2
----------------------------
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.