On Mon, 04 Aug 2025, TomK via FreeIPA-users wrote:


   ipa idrange-find mds.xyz_id_range
   ----------------
   2 ranges matched
   ----------------
      Range name: MDS.XYZ_id_range
      First Posix ID of the range: 155600000
      Number of IDs in the range: 2000000
      First RID of the corresponding RID range: 155600000
      Domain SID of the trusted domain: S-1-5-21-1803828911-4163023034-2461700517
      Range type: Active Directory domain range


The SID S-1-5-21-1803828911-4163023034-2461700517-1104 corresponds to a domain SID S-1-5-21-1803828911-4163023034-2461700517 and a RID 1104. The domain SID falls into the range MDS.XYZ_id_range, which has RIDs between 155600000 and 155600000+2000000 => 1004 is outside of the RID range.

Did you manually create or modify this AD range?
flo

[...]

Ok so this worked.

ipa idrange-mod MDS.XYZ_id_range --rid-base=0
ipa: WARNING: Service sssd.service requires restart on IPA server MDS.XYZ_id_range to apply configuration changes.
------------------------------------
Modified ID range "MDS.XYZ_id_range"
------------------------------------
 Range name: MDS.XYZ_id_range
 First Posix ID of the range: 155600000
 Number of IDs in the range: 2000000
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain: S-1-5-21-1803828911-4163023034-2461700517
 Range type: Active Directory domain range
# id [email protected]
id: [email protected]: no such user
# systemctl stop sssd; rm -f /var/lib/sss/db/*; systemctl start sssd
# id [email protected]
uid=155601104([email protected]) gid=155601104([email protected])

Using --rid-base=0 is not recommended. Please try at least above 1000 to
avoid mapping well-known SIDs (0..999) to wrong POSIX IDs.



Still the math troubles me:

"155600000 and 155600000+2000000 => 1004"

You have an ID range that says 'RIDs can be between 155600000 and
155600000+2000000' and we map them to POSIX IDs starting with 155600000.
RID 1104 does not fit into it. Not sure who set 'first RID of the RID
range' in this ID range to be that high. Typically user/group/host RIDs
of the domain start from 1000 and go up.

The RID range mapping is used to map RIDs to POSIX IDs.

If you have RID 1104 and your 'first RID' is 0, then we get POSIX ID by
(RID - firstRID) + firstPOSIX_ID = (1004 - 0) + 155600000 = 155601104


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
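The mapping Alexander describes, written out as an added example (this is not SSSD's or FreeIPA's own code; it is a simplified model that ignores secondary RID ranges and other SSSD details). The range definitions are constructed from the `ipa idrange` output quoted above, with the name `IdRange` and the helper functions chosen here. It shows why RID 1104 resolved to nothing with the original range, why `--rid-base=0` yields 155601104, and why a base of at least 1000 keeps the well-known RIDs 0..999 out of the POSIX range:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdRange:
    """Fields as printed by 'ipa idrange-show' for an AD trust range."""
    name: str
    base_id: int        # First Posix ID of the range
    range_size: int     # Number of IDs in the range
    rid_base: int       # First RID of the corresponding RID range
    domain_sid: str     # Domain SID of the trusted domain


# Well-known RIDs (Administrator=500, Domain Users=513, ...) live below 1000.
WELL_KNOWN_RID_MAX = 999


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an object SID into (domain SID, RID).

    The RID is the last sub-authority; everything before it is the domain SID.
    """
    if not sid.startswith("S-1-"):
        raise ValueError(f"not a SID: {sid}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def map_sid_to_posix(sid: str, ranges: List[IdRange]) -> Optional[int]:
    """Return the POSIX ID for an object SID, or None if no range covers its RID.

    POSIX ID = (RID - rid_base) + base_id, but only when rid_base <= RID <
    rid_base + range_size for a range belonging to the SID's domain.
    """
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid != domain_sid:
            continue
        if r.rid_base <= rid < r.rid_base + r.range_size:
            return (rid - r.rid_base) + r.base_id
    return None


def covers_well_known_rids(r: IdRange) -> bool:
    """True if the range would hand POSIX IDs to RIDs 0..999 (the advice
    in the thread is to start the RID base above that)."""
    return r.rid_base <= WELL_KNOWN_RID_MAX


# Constructed from the thread: the user SID and the three range variants.
DOMAIN_SID = "S-1-5-21-1803828911-4163023034-2461700517"
USER_SID = DOMAIN_SID + "-1104"

ORIGINAL_RANGE = IdRange("MDS.XYZ_id_range", 155600000, 2000000, 155600000, DOMAIN_SID)
MODIFIED_RANGE = IdRange("MDS.XYZ_id_range", 155600000, 2000000, 0, DOMAIN_SID)
RECOMMENDED_RANGE = IdRange("MDS.XYZ_id_range", 155600000, 2000000, 1000, DOMAIN_SID)


if __name__ == "__main__":
    for label, rng in (("original", ORIGINAL_RANGE),
                       ("rid-base=0", MODIFIED_RANGE),
                       ("rid-base=1000", RECOMMENDED_RANGE)):
        posix = map_sid_to_posix(USER_SID, [rng])
        warn = " (covers well-known RIDs!)" if covers_well_known_rids(rng) else ""
        print(f"{label:14} rid_base={rng.rid_base:<10} -> {posix}{warn}")
```

With the original range the RID 1104 is below the RID base of 155600000, so no range matches and `id` reports "no such user"; with `--rid-base=0` the same RID maps to 155601104, exactly what the thread shows; with a base of 1000 it maps to 155600104 and the well-known RIDs are no longer inside the range.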

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue