Fix idmap Range Mismatch on Ubuntu 20.04 (sssd) and CentOS 7


My Active Directory maps in Ubuntu systems are very long compared to my CentOS IDs. The last 4 digits match but Ubuntu seems to be adding a lot more to the beginning.

In CentOS winbind/samba I used a range to get the IDs I needed:

    idmap config * : range = 10000-20000
    idmap config * : backend = tdb
    idmap config MYDOMAIN : default = yes
    idmap config MYDOMAIN : range = 10000-24999999
    idmap config MYDOMAIN : backend = rid

Which would produce an ID like 11695 on CentOS.

Ubuntu 20.04 produces a guid/uid of 1558801695, which adds 155880 and removes the leading 1 from 11695.

How can I format Ubuntu's sssd config to give me what I need? All my files and folders are tagged with the CentOS IDs and CentOS does not recognize these longer ones.

I hope I explained this ok.

Thanks 🙂

Best Answer

You are going to want to read up on SSSD's ID Mapping. To duplicate the rid-generated IDs, you will need to set a default domain in SSSD and configure the ID ranges to match.

I believe these SSSD settings will match your samba config:

    ldap_id_mapping = true
    ldap_schema = ad
    ldap_idmap_default_domain_sid = S-1-5-21-REDACTED
    ldap_idmap_range_min = 10000
    ldap_idmap_range_max = 24999999

You will need to get your Active Directory SID for the ldap_idmap_default_domain_sid value. You might be able to get this from the CentOS box with the command net getdomainsid. I have not gotten the related ldap_idmap_default_domain setting to work.

If you are setting up Samba on the Ubuntu server then you can unify the ids by using the idmap_sss backend for Winbind.

When changing ID mapping settings in SSSD it is best to completely clear the local cache to see what effect the changes had:

    systemctl stop sssd
    # remove the on-disk cache (db) and the memory-cache files (mc)
    rm /var/lib/sss/{db,mc}/*
    sss_cache -E
    # optionally clear debug logs
    truncate -s 0 /var/log/sssd/*.log
    systemctl start sssd
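
Added example (not part of the original answer): the arithmetic behind the two ID schemes, run on the values from this thread, so the result can be checked before any file ownership depends on it. It assumes the Samba idmap_rid formula and SSSD's documented defaults (ldap_idmap_range_min = 200000, ldap_idmap_range_size = 200000); the function names are hypothetical, and RIDs at or above the slice size are not modelled.

```python
# Added example: compare Samba idmap_rid IDs with SSSD algorithmic IDs.
# Ranges and sample IDs are taken from the question and answer above.

SSSD_DEFAULT_MIN = 200000   # default ldap_idmap_range_min
SSSD_DEFAULT_SIZE = 200000  # default ldap_idmap_range_size


def rid_backend_id(rid, low, high, base_rid=0):
    """Samba idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID (None if outside range)."""
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


def sssd_id(rid, slice_no, range_min=SSSD_DEFAULT_MIN,
            range_size=SSSD_DEFAULT_SIZE, range_max=None):
    """SSSD: ID = range_min + slice * range_size + RID, for RIDs inside one slice."""
    if rid >= range_size:
        return None  # needs a further slice; not modelled in this example
    uid = range_min + slice_no * range_size + rid
    if range_max is not None and uid > range_max:
        return None
    return uid


def split_sssd_id(uid, range_min=SSSD_DEFAULT_MIN, range_size=SSSD_DEFAULT_SIZE):
    """Recover (slice, RID) from an ID that SSSD generated."""
    return divmod(uid - range_min, range_size)


def compare(rids, low=10000, high=24999999):
    """For each RID: (rid, winbind_id, sssd_id, match), with the domain on slice 0.

    Slice 0 is what ldap_idmap_default_domain_sid assigns to the default domain.
    """
    rows = []
    for rid in rids:
        old = rid_backend_id(rid, low, high)
        new = sssd_id(rid, 0, range_min=low, range_max=high)
        rows.append((rid, old, new, old is not None and old == new))
    return rows


if __name__ == "__main__":
    print(split_sssd_id(1558801695))      # the Ubuntu ID from the question
    for row in compare([1695, 250000]):   # 250000 is a constructed large RID
        print(row)
```

Any row reported as a mismatch is an account whose existing files would be owned by a different numeric ID after the switch.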