As mentioned in a previous post, I work in an environment with a large AD tree with in excess of 30000 groups and multiple subdomains.

 

We authenticate against the primary domain and are using ldap_id_mapping after having migrated from using posix attributes (the admin overhead was becoming prohibitive)

 

Recently we were experimenting with using the ldap_idmap_default_domain_sid as a measure to ensure that the allocated uids and gids were protected against arbitrary change as new domains were encountered in the environment.

 

We had not specified it previously and it did not have any deleterious effect until we attempted to purge a group that was affecting an update of the database (see previous message on  Re: apparent error with ad_enum_cross_dom_members). sss_cache -E wouldn’t purge this group so I deleted the databases and config in /var/lib/sss/db and restarted sssd with the effect that sssd started using a different range – not good.

 

Unfortunately this only increased my paranoia.

 

At this point I’m not sure as to how to proceed to ensure that the current range is maintained as inclusion of ldap_idmap_default_domain_sid will start the use of a new range.

 

I also experimented with increasing the ldap_idmap_range_size from the default of 200000 to test whether the issue was due to encountering rids beyond the default range but this also triggered sssd to use a new range.

 

Basically I’m getting into territory beyond the scope of my experience and seek advice on either biting the bullet and accepting a change in the range and specifying the default sid and dealing with the change on client systems, or getting advice on how to configure sssd to lock on the range its currently using without changing it.

 

Relevant config in sssd.conf :

id_provider = ad

auth_provider = ad

access_provider = ad

subdomains_provider = none

enumerate = true

ignore_group_members = true

cache_credentials = true

ldap_id_mapping = true

ldap_schema = ad

# ldap_idmap_default_domain_sid = S-1-5-21-3009471437-2678356326-1117381816

ldap_idmap_default_domain = our domain.com

# ldap_idmap_range_size = 500000

 

Thanks in advance

 

Craig Silva

_________

Craig Silva | Specialist Engineer – Unix Services – Servers, Storage and IDAM
Cenitex | Level 15, 80 Collins Street, Melbourne 3000

ph: 03-8688-1297 mob: 0429 365 609 | www.cenitex.vic.gov.au

This office is located on the land of the Traditional Owners of the Kulin Nation.

 

cenitex logo          cid:image004.jpg@01D36DDE.27450B80  cid:image006.jpg@01D36DDE.27450B80  cid:image010.jpg@01D36DDE.27450B80

Accountability, Collaboration, Respect, Initiative and Courage

 

 

Notice:

This email and any attachments may contain information that is personal,
confidential, legally privileged and/or copyright. No part of it should be
reproduced, adapted or communicated without the prior written consent of the
copyright owner.

It is the responsibility of the recipient to check for and remove viruses.

If you have received this email in error, please notify the sender by return
email, delete it from your system and destroy any copies. You are not authorised
to use, communicate or rely on the information contained in this email.

Please consider the environment before printing this email.