I recently upgraded to 1.11.7 on my RHEL 6.5 box and have a problem getting sssd to work, as the conversion from objectSID to Unix IDs fails. With a debug level of 9 (this is the same config that worked in previous versions < 1.11.7 against the same AD forest), I see the below in the sssd domain logs:
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_get_primary_name] (0x0400): Processing object chantri
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0400): Processing user chantri
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x1000): Mapping user [chantri] objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to unix ID
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1611181143-1305343219-1050001001-2353897] to a UNIX ID
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x0020): Failed to save user [chantri]
(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
I tried with both the AD and LDAP providers but get the same error. I'm mostly using the defaults in the domains section of sssd.conf. Snippet below:
[domain/test]
id_provider = ad
access_provider = ad
ldap_id_mapping = true
dyndns_update = false
krb5_keytab = /etc/sssd/abcd.keytab
ldap_schema = ad
Would appreciate it if you could provide some guidance here. Do I have to tweak the idmap ranges with v1.11.7? The RIDs in my AD forest are in the 200k to 3000k range.
Best Regards,
Prajwal Kumar
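
Added example, not part of the original post and not sssd code: a check for the idmap-range question, which pulls the failing SIDs out of the domain log and compares each RID with the per-domain slice size (`ldap_idmap_range_size`). Assumptions: the defaults are those documented in sssd-ldap(5), a RID has to fit inside one slice, and the names `check_slice`, `failed_rids` and the rounding `step` are hypothetical; the result shows whether the ranges are a candidate cause, not that they are the cause here.

```python
import re

# Defaults from sssd-ldap(5); pass the values from sssd.conf if they are set there.
RANGE_MIN, RANGE_MAX, RANGE_SIZE = 200000, 2000200000, 200000

# Matches the failure line shown in the post and captures the SID.
FAILED = re.compile(r"\[sdap_idmap_sid_to_unix\].*Could not convert objectSID "
                    r"\[(S-1-5-21(?:-\d+){4})\]")

# The two relevant log lines, copied from the post above.
SAMPLE_LOG = [
    "(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_save_user] (0x1000): "
    "Mapping user [chantri] objectSID "
    "[S-1-5-21-1611181143-1305343219-1050001001-2353897] to unix ID",
    "(Mon Oct 13 16:03:32 2014) [sssd[be[dbg]]] [sdap_idmap_sid_to_unix] (0x0080): "
    "Could not convert objectSID "
    "[S-1-5-21-1611181143-1305343219-1050001001-2353897] to a UNIX ID",
]

def failed_rids(log_lines):
    """Map each SID that sssd could not convert to its RID (last sub-authority)."""
    rids = {}
    for line in log_lines:
        m = FAILED.search(line)
        if m:
            rids[m.group(1)] = int(m.group(1).rsplit("-", 1)[1])
    return rids

def check_slice(log_lines, range_min=RANGE_MIN, range_max=RANGE_MAX,
                range_size=RANGE_SIZE, step=100000):
    """Report RIDs that exceed one slice and a slice size that would hold them.

    Assumption: the RID is the offset inside a single per-domain slice, so it
    must be smaller than range_size. `step` is only a rounding choice.
    """
    oversized = {s: r for s, r in failed_rids(log_lines).items() if r >= range_size}
    report = {"oversized": oversized, "needed_size": None, "slices_left": None}
    if oversized:
        needed = -(-(max(oversized.values()) + 1) // step) * step  # round up
        report["needed_size"] = needed
        # Fewer, larger slices: how many domains the overall range still holds.
        report["slices_left"] = (range_max - range_min) // needed
    return report

if __name__ == "__main__":
    print(check_slice(SAMPLE_LOG))
```

sssd-ldap(5) notes that changing the ID-mapping options changes the UIDs and GIDs sssd assigns, so the sssd cache has to be removed after such a change.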