> For troubleshooting this you need to enable debug_level=10 in sssd.conf in
> domain and pam sections. Restart sssd and try to login.

OK, this has pinpointed the problem. The log file now shows:

(Wed Mar 11 11:31:01 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] 
(0x1000): Mapping user [guertin-s] objectSID 
[S-1-5-21-1983215674-46037090-646806464-245906] to unix ID
(Wed Mar 11 11:31:01 2015) [sssd[be[middlebury.edu]]] [sdap_idmap_sid_to_unix] 
(0x0080): Could not convert objectSID 
[S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID

It seems that this is due to incorrect ID range settings. So I have increased 
the ID range to 2,000,000, which ought to be enough for a RID of 245906:

# ipa idrange-find
2 ranges matched
  Range name: CSNS.MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 528800000
  Number of IDs in the range: 2000000
  First RID of the corresponding RID range: 1
  First RID of the secondary RID range: 2000001
  Range type: local domain range

  Range name: MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 1000
  Number of IDs in the range: 2000000
  Domain SID of the trusted domain: S-1-5-21-1983215674-46037090-646806464
  Range type: Active Directory trust range with POSIX attributes
Number of entries returned 2

But the problem still persists. I cannot SSH in as a user (getent passwd, id, 
etc. all still do show the users).

David Guertin

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to