I'll check with my security team, and hopefully be able to send them to you tomorrow. I might do so from my work email account, but I'll mention my gmail address on there as well.
I assume you'll want a copy of the configuration files, so I'll send those with the logs if I'm able. Unfortunately gmail didn't notify me of your response (or I missed it), while I was sending that one.

Thanks again!

Chris

On Fri, Jan 10, 2014 at 3:01 AM, Sumit Bose <[email protected]> wrote:

> On Fri, Jan 10, 2014 at 02:32:48AM -0800, Chris Gray wrote:
> > I'll install the ldb-tools tomorrow (I went home) and try that out.
> >
> > The SID and the RID are correct, verified visually and used a Windows
> > utility to search the domain based on the SID to verify it was correct and
> > returning the correct account from AD (psgetsid.exe). I'm also working on
> > converting the SID and RID to reverse hex so I can use ldapsearch on the
> > Linux machine to triple verify, but I haven't completed that yet.
> >
> > The computers with SSSD version 1.9 correctly show the RID as the last
> > digits of the unix UID. My default domain group is Domain Users as well,
> > which always has a RID of 0513, and that correctly shows as the last 4
> > digits of the unix GID on the computers with 1.9.
> >
> > Reading those bug reports more may have led to a solution.
> >
> > ldap_idmap_default_domain_sid (string)
> >     Specify the domain SID of the default domain. This will
> >     guarantee that this domain will always be assigned to slice
> >     zero in the ID map, bypassing the murmurhash algorithm
> >     described above.
> >
> >     Default: not set
> >
> > ldap_idmap_default_domain (string)
> >     Specify the name of the default domain.
> >
> >     Default: not set
> >
>
> Please note that those options have a special purpose and should not be
> needed in your setup. Nevertheless they might lead to a working
> solution by hiding the original issue. With those two options a domain is
> pre-created in the idmapping code. If the SID matches the domain SID of
> your user the user will get a POSIX ID and you won't see the errors you
> posted earlier. But in general the AD provider is able to auto-detect all
> domains in your forest and create the needed idmapping entries
> automatically. I assume that there is an issue detecting the domain and
> its domain SID or creating the needed idmapping entries. This is why I
> asked for the full logs.
>
> bye,
> Sumit
>
> > I'll try those out tomorrow as well. I'm not sure they'll work since I
> > got them from version 1.9 docs. I don't have them set on the computers
> > I have that use SSSD 1.9, and they don't exhibit the problem.
> >
> > Thanks again,
> >
> > Chris
> >
> > _______________________________________________
> > sssd-users mailing list
> > [email protected]
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-users

--
Intelligence is a matter of opinion.
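The SID-to-"reverse hex" conversion mentioned in the quoted message, as an added example that is not part of the original thread: it encodes a textual SID into the binary `objectSid` layout (sub-authorities little-endian) and builds an escaped LDAP search filter from it. The function names and the sample SID are constructed for illustration.

```python
import struct

# Constructed sample: a made-up domain SID with RID 513 (Domain Users).
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-513"


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-1-5-21-...) into the binary objectSid layout."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    # Layout: revision (1 byte), sub-authority count (1 byte),
    # identifier authority (6 bytes, big-endian), then every
    # sub-authority as 4 bytes little-endian (the "reverse hex" part).
    out = struct.pack("BB", revision, len(subauths))
    out += authority.to_bytes(6, "big")
    for sub in subauths:
        out += struct.pack("<I", sub)
    return out


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid back to text, to cross-check a result."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subauths)])


def sid_to_ldap_filter(sid: str, attr: str = "objectSid") -> str:
    """Build an LDAP filter with each byte escaped as \\xx."""
    escaped = "".join(f"\\{b:02x}" for b in sid_to_bytes(sid))
    return f"({attr}={escaped})"


if __name__ == "__main__":
    print(sid_to_ldap_filter(SAMPLE_SID))
    print(bytes_to_sid(sid_to_bytes(SAMPLE_SID)))
```

The printed filter can be used as the search filter of an ldapsearch query against the domain; the last four bytes of the encoded value are the RID.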
