As mentioned in a previous post, I work in an environment with a large AD tree with in excess of 30000 groups and multiple subdomains.
We authenticate against the primary domain and are using ldap_id_mapping after having migrated from using POSIX attributes (the admin overhead was becoming prohibitive).
Recently we were experimenting with using the ldap_idmap_default_domain_sid as a measure to ensure that the allocated uids and gids were protected against arbitrary change as new domains were encountered in the environment.
We had not specified it previously and it did not have any deleterious effect until we attempted to purge a group that was affecting an update of the database (see previous message on Re: apparent error with ad_enum_cross_dom_members).
sss_cache -E wouldn’t purge this group, so I deleted the databases and config in /var/lib/sss/db and restarted sssd, with the effect that sssd started using a different range – not good.
Unfortunately this only increased my paranoia.
At this point I’m not sure as to how to proceed to ensure that the current range is maintained as inclusion of ldap_idmap_default_domain_sid will start the use of a new range.
I also experimented with increasing the ldap_idmap_range_size from the default of 200000 to test whether the issue was due to encountering rids beyond the default range but this also triggered sssd to use a new range.
Basically I’m getting into territory beyond the scope of my experience and seek advice on either biting the bullet and accepting a change in the range and specifying the default sid and dealing with the change on client systems, or getting advice on how to configure sssd to lock on the range its currently using without changing it.
Relevant config in sssd.conf:
id_provider = ad
auth_provider = ad
access_provider = ad
subdomains_provider = none
enumerate = true
ignore_group_members = true
cache_credentials = true
ldap_id_mapping = true
ldap_schema = ad
# ldap_idmap_default_domain_sid = S-1-5-21-3009471437-2678356326-1117381816
ldap_idmap_default_domain = our domain.com
# ldap_idmap_range_size = 500000
Thanks in advance
Craig Silva
_________
Craig Silva
| Specialist Engineer – Unix Services – Servers, Storage and IDAM
Cenitex | Level 15, 80 Collins Street, Melbourne 3000
ph: 03-8688-1297 mob: 0429 365 609 |
www.cenitex.vic.gov.au
This office is located on the land of the Traditional Owners of the Kulin Nation.
Accountability, Collaboration, Respect, Initiative and Courage
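The range movement described in the post above is a consequence of how sssd derives a domain's ID slice when ldap_id_mapping = true. The following is an added example, not code from the post or from sssd itself; it reimplements the slice selection in Python from the behaviour documented in sssd-ad(5) and my reading of libsss_idmap, and those parts are assumptions: the slice index is MurmurHash3 (x86_32) of the domain SID string, seeded with 0xdeadbeef, modulo the number of slices ((ldap_idmap_range_max - ldap_idmap_range_min) / ldap_idmap_range_size, with defaults 200000, 2000200000 and 200000); the domain named by ldap_idmap_default_domain_sid is pinned to slice 0 instead of being hashed; and a uid/gid is the slice base plus the object's RID. Collision handling (sssd moves on to the next free slice if the hashed one is already taken) and the secondary helper-table slices used for RIDs above ldap_idmap_range_size are deliberately not modelled. The SID in the script is the one from the post; the RID 1105 is a constructed sample.

```python
"""Illustrative reimplementation of how sssd's libsss_idmap chooses the POSIX
ID range for an AD domain when ldap_id_mapping = true.

Added example, not sssd's own code.  Assumptions: slice = MurmurHash3 x86_32
of the domain SID string (seed 0xdeadbeef) modulo the slice count; the domain
named by ldap_idmap_default_domain_sid is pinned to slice 0; id = base + RID.
Collision probing and secondary (helper-table) slices are not modelled.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# sssd defaults for ldap_idmap_range_min / _max / _size (sssd-ad(5))
DEFAULT_RANGE_MIN = 200_000
DEFAULT_RANGE_MAX = 2_000_200_000
DEFAULT_RANGE_SIZE = 200_000
IDMAP_HASH_SEED = 0xDEADBEEF   # seed libsss_idmap passes to murmurhash3 (assumption)
MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's public-domain algorithm)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                       # 4-byte little-endian blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (_rotl32((k1 * c1) & MASK32, 15) * c2) & MASK32
        h1 = _rotl32(h1 ^ k1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    tail, k1 = data[nblocks * 4:], 0               # remaining 1-3 bytes
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        h1 ^= (_rotl32((k1 * c1) & MASK32, 15) * c2) & MASK32
    h1 ^= len(data)                                # finalisation mix
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    return h1 ^ (h1 >> 16)


@dataclass(frozen=True)
class IdmapOpts:
    """The ldap_idmap_* knobs that influence which range a domain gets."""
    range_min: int = DEFAULT_RANGE_MIN
    range_max: int = DEFAULT_RANGE_MAX
    range_size: int = DEFAULT_RANGE_SIZE
    default_domain_sid: Optional[str] = None

    @property
    def max_slices(self) -> int:
        return (self.range_max - self.range_min) // self.range_size


def slice_for(domain_sid: str, opts: IdmapOpts) -> int:
    """Slice index sssd would pick from scratch (no persisted assignment)."""
    if opts.default_domain_sid is not None and domain_sid == opts.default_domain_sid:
        return 0                                   # pinned by ldap_idmap_default_domain_sid
    return murmurhash3_32(domain_sid.encode("ascii"), IDMAP_HASH_SEED) % opts.max_slices


def range_for(domain_sid: str, opts: IdmapOpts) -> Tuple[int, int, int]:
    """(slice, lowest id, highest id the primary slice can hand out)."""
    slc = slice_for(domain_sid, opts)
    base = opts.range_min + slc * opts.range_size
    return slc, base, base + opts.range_size - 1


def sid_to_id(object_sid: str, opts: IdmapOpts) -> int:
    """Map an object SID (domain SID + '-' + RID) to a uid/gid."""
    domain_sid, _, rid_str = object_sid.rpartition("-")
    rid = int(rid_str)
    if rid >= opts.range_size:                     # sssd would need a secondary slice here
        raise ValueError(f"RID {rid} exceeds ldap_idmap_range_size={opts.range_size}")
    return range_for(domain_sid, opts)[1] + rid


def compare_scenarios(domain_sid: str) -> Dict[str, Tuple[int, int, int]]:
    """The three configurations from the post: stock defaults, the domain SID
    pinned as default, and range_size raised to 500000 (which changes the slice
    count, hence the hash modulus, hence the slice)."""
    return {
        "defaults": range_for(domain_sid, IdmapOpts()),
        "default_domain_sid": range_for(domain_sid, IdmapOpts(default_domain_sid=domain_sid)),
        "range_size_500000": range_for(domain_sid, IdmapOpts(range_size=500_000)),
    }


if __name__ == "__main__":
    sid = "S-1-5-21-3009471437-2678356326-1117381816"   # domain SID quoted in the post
    for name, (slc, lo, hi) in compare_scenarios(sid).items():
        print(f"{name:20s} slice={slc:5d}  uid/gid range {lo}-{hi}")
    # constructed sample object: RID 1105 in the pinned-slice configuration
    print("RID 1105 ->", sid_to_id(f"{sid}-1105", IdmapOpts(default_domain_sid=sid)))
```

Run it as-is to see the three ranges side by side, or substitute your own domain SID. The important operational caveat is that this computes what sssd would choose from scratch: the slice a running sssd actually uses is the one persisted in the domain's cache database under /var/lib/sss/db, so removing that database, setting ldap_idmap_default_domain_sid, or changing ldap_idmap_range_size (which changes max_slices and therefore the modulus) can each produce a different base than the one clients already have on disk. Comparing the output for the current and proposed settings before touching a production box tells you whether file ownership will move.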