Hi
I have two users in the AD. Only one of them can log in with ssh or su on the Linux server.
The user admjoin is the one who made the "realm join", and he can log in:
/var/log/sssd/sssd_corp.acme.com.log:
Mapping user [AdmJoin] objectSID [S-1-5-21-2031436270-1094658265-1854952973-140256] to unix ID
Adding original memberOf attributes to [AdmJoin].
And avgjoe cannot log in:
Mapping user [AvgJoe] objectSID [S-1-5-21-2031436270-1094658265-1854952973-340002] to unix ID
Could not convert objectSID [S-1-5-21-2031436270-1094658265-1854952973-340002] to a UNIX ID
Why can user avgjoe not log in?
(and why are the objectSIDs the same (if relevant)?)
Note that when doing "su - avgjoe", the AD converts it to AvgJoe in the log file, as defined on the AD server.
I guess there are around 20000 users defined in the AD. User AdmJoin was created when the system was set up, and user AvgJoe was added recently (he might have a very high numeric id).
[sssd]
domains = corp.acme.com
config_file_version = 2
services = nss, pam, ssh, sudo
debug_level = 7

[domain/corp.acme.com]
ad_domain = corp.acme.com
krb5_realm = CORP.ACME.COM
realmd_tags = manages-system joined-with-samba
#cache_credentials = True
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
debug_level = 7
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
ldap_idmap_range_size = 200000
Any help is much appreciated.
best regards
Hans
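One way to see why the second lookup fails, as an added example that is not part of the post above and not SSSD's own code: a small Python model of SSSD's documented ID-mapping rule. With ldap_id_mapping, SSSD gives each domain a slice of ldap_idmap_range_size UNIX IDs and uses the RID (the last component of the objectSID; the part before it is the domain SID and is identical for every user of the domain) as the offset inside that slice, so a RID that is not smaller than the slice size has no place in the domain's primary slice. SSSD derives the slice number(s) for a domain from a hash of the domain SID; the model takes them as a parameter instead (assumption), and the helper_table_size field stands for ldap_idmap_helper_table_size, the number of secondary slices newer SSSD releases may add to a domain. The two SIDs and the range settings are the ones quoted in the post.

```python
"""Model of SSSD ldap_id_mapping: objectSID -> UNIX ID.

Added example; not code from SSSD or from the original post.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class IdmapRange:
    """The ldap_idmap_* options from sssd.conf."""
    range_min: int               # ldap_idmap_range_min
    range_max: int               # ldap_idmap_range_max
    range_size: int              # ldap_idmap_range_size: UNIX IDs per slice
    helper_table_size: int = 0   # ldap_idmap_helper_table_size: secondary slices per domain (0 = primary only)

    def max_slices(self) -> int:
        """How many slices of range_size fit between range_min and range_max."""
        return (self.range_max - self.range_min) // self.range_size


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two SIDs belong to the same domain when everything but the RID matches."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


def sid_to_unix_id(sid: str, rng: IdmapRange, slices: Sequence[int]) -> Optional[int]:
    """Map a SID using the slice numbers allocated to its domain.

    slices[0] is the primary slice (RIDs 0..range_size-1), slices[i] the i-th
    secondary slice (the next range_size RIDs). SSSD derives these numbers from
    a hash of the domain SID; here they are passed in (assumption). Returns
    None where SSSD logs 'Could not convert objectSID ... to a UNIX ID'.
    """
    if rng.range_size <= 0 or rng.range_max <= rng.range_min:
        raise ValueError("invalid ldap_idmap range")
    if not slices or len(slices) > 1 + rng.helper_table_size:
        raise ValueError("need 1 primary slice plus at most helper_table_size secondary slices")
    if any(not 0 <= s < rng.max_slices() for s in slices):
        raise ValueError(f"slice numbers must be below {rng.max_slices()}")
    _, rid = split_sid(sid)
    idx, offset = divmod(rid, rng.range_size)   # which slice, and the offset inside it
    if idx >= len(slices):
        return None                              # no slice covers this RID
    return rng.range_min + slices[idx] * rng.range_size + offset


def explain(sid: str, rng: IdmapRange) -> str:
    """Say which slice a SID's RID needs under the configured range."""
    domain_sid, rid = split_sid(sid)
    idx = rid // rng.range_size
    if idx == 0:
        return f"RID {rid} fits the primary slice of {domain_sid}"
    if idx <= rng.helper_table_size:
        return f"RID {rid} needs secondary slice {idx} of {domain_sid}"
    return (f"RID {rid} is not below {rng.range_size * (1 + rng.helper_table_size)}: "
            f"no slice for it with ldap_idmap_range_size={rng.range_size}")


# SIDs quoted in the post above, with the posted range settings.
ADMJOIN = "S-1-5-21-2031436270-1094658265-1854952973-140256"
AVGJOE = "S-1-5-21-2031436270-1094658265-1854952973-340002"
POSTED = IdmapRange(range_min=200000, range_max=2000200000, range_size=200000)

if __name__ == "__main__":
    print("same domain:", same_domain(ADMJOIN, AVGJOE))
    for sid in (ADMJOIN, AVGJOE):
        print(sid_to_unix_id(sid, POSTED, slices=[0]), "|", explain(sid, POSTED))
```

With the posted settings, RID 140256 lands in the primary slice while RID 340002 does not, which matches the two log lines. Before changing ldap_idmap_range_size (or the other ldap_idmap_* values) on a joined system, keep in mind that every already-mapped UID and GID is computed from these settings, so ownership of existing files and home directories changes with them.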