David, I had a very similar issue which I posted to the list today. Your notes indirectly helped me. I think we both had two ends to the same puzzle.
It looks like the range for your AD domain defined in "ipa idrange-find --all" needs to match what's in /etc/sssd/sssd.conf for your domain. For your example, under [domain/CSNS.MIDDLEBURY.EDU] you should have:

ldap_idmap_range_min = 1824600000
ldap_idmap_range_size = 2000000

Setting these two identically let me resolve AD IDs with the id command. Hopefully this works for you too.

From: <Guertin>, "David S." <guer...@middlebury.edu>
Date: Tuesday, March 17, 2015 at 11:18 AM
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

We have a trust relationship established between our AD domain and our IPA domain, and AD users can be found on the IPA server with id and getent passwd. When a user tries to SSH to the IPA server with AD credentials, the logs show:

(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x0400): Processing user guertin-s
(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x1000): Mapping user [guertin-s] objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to unix ID
(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID

It seems that this is a problem with the ID range, but I can't see where the problem is.
We increased the default ranges of 200,000 to 2,000,000, which I would think should be able to handle a RID of 245906:

# ipa idrange-find --all
----------------
2 ranges matched
----------------
  dn: cn=CSNS.MIDDLEBURY.EDU_id_range,cn=ranges,cn=etc,dc=csns,dc=middlebury,dc=edu
  Range name: CSNS.MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 1824600000
  Number of IDs in the range: 2000000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
  iparangetyperaw: ipa-local
  objectclass: top, ipaIDrange, ipaDomainIDRange

  dn: cn=MIDDLEBURY.EDU_id_range,cn=ranges,cn=etc,dc=csns,dc=middlebury,dc=edu
  Range name: MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 2000000
  Domain SID of the trusted domain: S-1-5-21-1983215674-46037090-646806464
  Range type: Active Directory trust range with POSIX attributes
  iparangetyperaw: ipa-ad-trust-posix
  objectclass: ipatrustedaddomainrange, ipaIDrange
----------------------------
Number of entries returned 2
----------------------------

But the error remains. What am I missing?

David Guertin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
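A scripted check for this kind of range mismatch, added here as an example and not part of the thread or of the sssd/FreeIPA code: it splits the objectSID from the sssd log line into domain SID and RID and tests it against the ranges from the "ipa idrange-find --all" output above. The dict layout for the ranges and the base + RID placement are assumptions for illustration, not sssd's actual idmap slicing algorithm.

```python
import re

# Constructed sample: the two ranges from the thread's "ipa idrange-find --all"
# output, reduced to the fields this check needs (the dict layout is an assumption).
RANGES = [
    {"name": "CSNS.MIDDLEBURY.EDU_id_range", "base": 1824600000,
     "size": 2000000, "domain_sid": None},                       # ipa-local
    {"name": "MIDDLEBURY.EDU_id_range", "base": 10000,
     "size": 2000000,
     "domain_sid": "S-1-5-21-1983215674-46037090-646806464"},   # ipa-ad-trust-posix
]

# Domain-relative SID: the domain part (S-1-5-21-a-b-c) followed by the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
# objectSID as it appears in the sssd debug lines quoted in the thread.
LOG_RE = re.compile(r"objectSID \[(S-[\d-]+)\]")

def split_sid(sid):
    """Return (domain SID, RID); raise ValueError for a SID that is not domain-relative."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid}")
    return m.group(1), int(m.group(2))

def map_sid(sid, ranges):
    """Simplified model of algorithmic mapping (an assumption, not sssd's slicing):
    find the trust range whose domain SID matches and place the RID at
    base + RID when RID < size. Returns (unix_id or None, reason)."""
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r["domain_sid"] != domain_sid:
            continue
        if rid < r["size"]:
            return r["base"] + rid, f"mapped via {r['name']}"
        return None, f"RID {rid} does not fit in {r['name']} (size {r['size']})"
    return None, f"no trust range with domain SID {domain_sid}"

def sids_from_log(lines):
    """Pull every objectSID out of a list of sssd debug lines."""
    return [m.group(1) for m in map(LOG_RE.search, lines) if m]

if __name__ == "__main__":
    # Constructed sample: the failing mapping line from the thread.
    log = ["(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_idmap_sid_to_unix] "
           "(0x0080): Could not convert objectSID "
           "[S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID"]
    for sid in sids_from_log(log):
        print(sid, "->", map_sid(sid, RANGES))
```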