Hi,
I recently upgraded to 1.11.7 on my RHEL 6.5 box and have a problem getting sssd to work, as the conversion from objectSID to Unix IDs fails. With a debug level of 9 (this is the same config that worked in previous versions < 1.11.7 against the same AD forest), I see the below in the sssd domain logs:

(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_get_primary_name] (0x0400): Processing object chantri
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0400): Processing user chantri
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x1000): Mapping user [chantri] objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to unix ID
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to a UNIX ID
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0020): Failed to save user [chantri]
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.

I tried with both the AD and LDAP providers but get the same error. I'm mostly using the defaults in the domains section of sssd.conf. Snippet below:

[domain/test]
id_provider = ad
access_provider = ad
ad_server = example.test.abcd.com
ad_domain = test.abcd.com
ldap_id_mapping = true
dyndns_update = false
krb5_keytab = /etc/sssd/abcd.keytab
ldap_schema = ad
ldap_idmap_default_domain = test.abcd.com

Would appreciate if you could provide some guidance here. Do I have to tweak the idmap ranges with v1.11.7? The RIDs in my AD forest are in the 200k to 3000k range.
Best Regards,
Prajwal Kumar