> For troubleshooting this you need to enable debug_level=10 in sssd.conf in
> domain and pam sections. Restart sssd and try to login.

OK, this has pinpointed the problem. The log file now shows:

(Wed Mar 11 11:31:01 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x1000): Mapping user [guertin-s] objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to unix ID
(Wed Mar 11 11:31:01 2015) [sssd[be[middlebury.edu]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID

It seems that this is due to incorrect ID range settings. So I have increased the ID range to 2,000,000, which ought to be enough for a RID of 245906:

# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: CSNS.MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 528800000
  Number of IDs in the range: 2000000
  First RID of the corresponding RID range: 1
  First RID of the secondary RID range: 2000001
  Range type: local domain range

  Range name: MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 1000
  Number of IDs in the range: 2000000
  Domain SID of the trusted domain: S-1-5-21-1983215674-46037090-646806464
  Range type: Active Directory trust range with POSIX attributes
----------------------------
Number of entries returned 2
----------------------------

But the problem still persists. I cannot SSH in as a user (getent passwd, id, etc. all still do show the users).

David Guertin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project