I'm not sure that we do need it... I think it was put in the config as a placeholder
for old accounts on legacy systems when deciding on how UID ranges should be mapped when
we ultimately migrate to a FreeIPA domain that trusts our AD forest. We're having some
issues getting permission from the AD managers to set up the required trust, but
that's another story. Until that's ironed out, we are joining systems to the
domain with "realm" using the SID<->UID mapping that FreeIPA will use.

I've found a workaround for the bug for us. If I just comment out the
"max_id" line in domain/local, then everything goes back to normal. With only a
small number of IDs in local, and anything imported from legacy systems well below the
start of the SID mapping, I don't think we need to try and enforce the upper limit.

Thanks,
David