I have done some more investigations and with the debugging enabled, I can see the
following errors in the sssd_ipa.example.com.log on the IPA server (when I run id
<username> from an IPA client) :
2021-07-15 16:33:34): [be[ipa.example.com]] [sdap_get_generic_op_finished] (0x0400):
Search result: Success(0), no errmsg set
(2021-07-15 16:33:34): [be[ipa.example.com]] [sysdb_apply_default_override] (0x0080):
Override attribute for [gidNumber] has more [2] than one value, using only the first.
(2021-07-15 16:33:34): [be[ipa.example.com]] [sysdb_set_entry_attr] (0x0080): Cannot set
ts attrs for name=romai(a)example.com,cn=users,cn=EXAMPLE.com,cn=sysdb
(2021-07-15 16:33:34): [be[ipa.example.com]] [sysdb_set_entry_attr] (0x0200): Entry
[name=romai(a)example.com,cn=users,cn=EXAMPLE.com,cn=sysdb] has set [cache, ts_cache]
attrs.
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_done] (0x0400): DP Request [Account
#247]: Request handler finished [0]: Success
(2021-07-15 16:33:34): [be[ipa.example.com]] [_dp_req_recv] (0x0400): DP Request [Account
#247]: Receiving request data.
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_destructor] (0x0400): DP Request
[Account #247]: Request removed.
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_destructor] (0x0400): Number of
active DP request: 4
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_reply_std] (0x1000): DP Request
[Account #247]: Returning [Success]: 0,0,Success
(2021-07-15 16:33:34): [be[ipa.example.com]] [sbus_issue_request_done] (0x0400):
sssd.dataprovider.getAccountInfo: Success
(2021-07-15 16:33:34): [be[ipa.example.com]] [sdap_get_generic_op_finished] (0x0400):
Search result: Success(0), no errmsg set
(2021-07-15 16:33:34): [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain
ipa.example.com is Active
(2021-07-15 16:33:34): [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain
EXAMPLE.com is Active
(2021-07-15 16:33:34): [be[ipa.example.com]] [ipa_srv_ad_acct_lookup_step] (0x0400):
Looking up AD account
(2021-07-15 16:33:34): [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain
ipa.example.com is Active
(2021-07-15 16:33:34): [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain
EXAMPLE.com is Active
(2021-07-15 16:33:34): [be[ipa.example.com]] [ad_account_can_shortcut] (0x0080): Mapping
ID [20890] to SID failed: [IDMAP domain not found]
(2021-07-15 16:33:34): [be[ipa.example.com]] [ad_handle_acct_info_send] (0x0400): This ID
is from different domain
(2021-07-15 16:33:34): [be[ipa.example.com]] [ipa_get_ad_acct_ad_part_done] (0x0080):
Object not found, ending request
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_done] (0x0400): DP Request [Account
#249]: Request handler finished [0]: Success
(2021-07-15 16:33:34): [be[ipa.example.com]] [_dp_req_recv] (0x0400): DP Request [Account
#249]: Receiving request data.
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_destructor] (0x0400): DP Request
[Account #249]: Request removed.
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_destructor] (0x0400): Number of
active DP request: 3
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_reply_std] (0x1000): DP Request
[Account #249]: Returning [Success]: 0,0,Success
(2021-07-15 16:33:34): [be[ipa.example.com]] [sbus_issue_request_done] (0x0400):
sssd.dataprovider.getAccountInfo: Success
(2021-07-15 16:33:34): [be[ipa.example.com]] [write_pipe_handler] (0x0400): All data has
been sent!
The issues seems to be within ad_account_can_shortcut function but I cannot figure out
what the real issue is.