[SSSD-users] Could not convert objectSID [...] to a UNIX ID

Hi I have two users in the AD. Only one of them can login with ssh or su on the Linux server. The user admjoin is the one made the "realm join" and he can login: /var/log/sssd/sssd_corp.acme.com.log: Mapping user [AdmJoin] objectSID [S-1-5-21-2031436270-1094658265-1854952973-140256] to unix ID Adding original memberOf attributes to [AdmJoin]. And avgjoe can not login: Mapping user [AvgJoe] objectSID [S-1-5-21-2031436270-1094658265-1854952973-340002] to unix ID Could not convert objectSID [S-1-5-21-2031436270-1094658265-1854952973-340002] to a UNIX ID Why can user avgjoe not log in? (and why are the ObjectSID the same (if relevant)?) Note that when doing a "su - avgjoe" the AD converts it to AvgJoe in log-file, as defined on the AD-server. I guess there is around 20000 users defined in the AD. User AdmJoin was created when the system was setup, and user AvgJoe is added recently (he might have a very high numeric id). [sssd] domains = corp.acme.com config_file_version = 2 services = nss, pam, ssh, sudo debug_level = 7 [domain/corp.acme.com] ad_domain = corp.acme.com krb5_realm = CORP.ACME.COM realmd_tags = manages-system joined-with-samba #cache_credentials = True cache_credentials = False id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = False fallback_homedir = /home/%d/%u access_provider = ad debug_level = 7 ldap_idmap_range_min = 200000 ldap_idmap_range_max = 2000200000 ldap_idmap_range_size = 200000 Any help is much appreciated. best regards Hans