On Mon, Jun 24, 2019 at 11:44:40AM -0400, Marc Boorshtein wrote:
>
> > Since it is a new user I wonder if maybe the RID is larger than 200000?
> > For automatic id-mapping a range of 200000 IDs is used by default and if
> > the RIDs become higher a new range should be added.
>
> I think we have a winner. RID > 200,000. How do we properly increase this
> limit? We tried increasing the id range in the freeipa ui from 200000 to
> 300000 for all of the domains but it's not having an effect. Same
> symptoms.

Ah, sorry, I should have given some more details on 'a new range should
be added'.

SSSD does not support modifying an id-range at runtime because this
might change existing UIDs or GIDs. If you want to make the change
effective you have to stop SSSD on each IPA client and server, remove
the cache from /var/lib/sss/db, and start SSSD again. Then all IPA hosts
will use the modified id-range.

But SSSD supports adding a new id-range with 'ipa idrange-add ....'. The
name should be unique, e.g. the name of the other range of the AD domain
with a '_2' suffix. The --base-id can be directly on top of the end of
the existing id-range, the --rid-base is 200000, and --dom-sid and
--dom-name are the same as for the existing id-range.

HTH
bye,
Sumit
>
> Thanks
> Marc
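
The arithmetic behind the second range described above, as an added example that is not part of the original thread or of SSSD/FreeIPA code. It assumes the linear mapping ID = base-id + (RID - rid-base) within a range; the range name, base ID and RIDs are constructed sample values, and `follow_on_range` and `resolve` are hypothetical helper names.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int   # first POSIX ID in the range (--base-id)
    size: int      # number of IDs in the range (--range-size)
    rid_base: int  # first RID the range covers (--rid-base)

    def map_rid(self, rid: int) -> Optional[int]:
        """POSIX ID for a RID, or None when the RID is outside this range."""
        offset = rid - self.rid_base
        return self.base_id + offset if 0 <= offset < self.size else None


def follow_on_range(existing: IdRange) -> IdRange:
    """Second range placed directly on top of the existing one."""
    return IdRange(
        name=existing.name + "_2",
        base_id=existing.base_id + existing.size,
        size=existing.size,
        rid_base=existing.rid_base + existing.size,
    )


def resolve(ranges: Iterable[IdRange], rid: int) -> Optional[int]:
    """Return the ID from the first range that covers the RID."""
    for r in ranges:
        mapped = r.map_rid(rid)
        if mapped is not None:
            return mapped
    return None


# Constructed sample values, not taken from the thread.
FIRST = IdRange("AD.EXAMPLE.TEST_id_range", 1_000_000, 200_000, 0)
SECOND = follow_on_range(FIRST)

if __name__ == "__main__":
    # Columns: RID, ID with only the first range, ID with both ranges.
    for rid in (1104, 199_999, 200_105):
        print(rid, resolve([FIRST], rid), resolve([FIRST, SECOND], rid))
```

Because the second range starts where the first ends, every RID that already resolved keeps its UID or GID, so file ownership on the clients is unaffected; only RIDs of 200000 and above gain a mapping.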