On Tue, 17 Mar 2015, Guertin, David S. wrote:
When you changed idrange, it helps to remove SSSD cache, both on IPA
master and IPA clients and restart SSSD.


OK, I cleared the cache and restarted sssd with:

sss_cache -E
systemctl restart sssd

Still no change in the error: Could not convert objectSID 
[S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID

FWIW, here's my sssd.conf:

[domain/csns.middlebury.edu]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = csns.middlebury.edu
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = genet.csns.middlebury.edu
chpass_provider = ipa
ipa_server = genet.csns.middlebury.edu
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt

[domain/middlebury.edu]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
debug_level = 10

Wait, why do you have a middlebury.edu section here at all? If middlebury
is trusted by csns.middlebury.edu, you should not have a separate
[domain/middlebury.edu] section at all! The whole idea is that SSSD
discovers all domains over the trusted forest link path automatically.


--
/ Alexander Bokovoy
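
Added example, not part of the original thread: a small check that flags the layout discussed above, an explicit id_provider = ad section sitting beside an IPA domain with ipa_server_mode = True. The function name, the sample text and its [sssd] section are assumptions made for illustration; the post did not include an [sssd] section.

```python
import configparser

# Constructed sample mirroring the layout quoted in the thread. The [sssd]
# section is an assumption; it was not shown in the original post.
SAMPLE_CONF = """\
[sssd]
domains = csns.middlebury.edu, middlebury.edu

[domain/csns.middlebury.edu]
id_provider = ipa
ipa_server_mode = True

[domain/middlebury.edu]
id_provider = ad
debug_level = 10
"""


def find_explicit_ad_sections(conf_text):
    """Return active id_provider=ad domains configured next to an IPA domain
    in server mode, where trusted domains are discovered automatically."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    domains = {s.split("/", 1)[1]: cp[s]
               for s in cp.sections() if s.startswith("domain/")}

    # If [sssd] lists domains explicitly, only those sections are in use.
    active = None
    if cp.has_option("sssd", "domains"):
        listed = cp.get("sssd", "domains").split(",")
        active = {d.strip() for d in listed if d.strip()}

    def in_use(name):
        return active is None or name in active

    def value(section, key):
        return section.get(key, "").strip().lower()

    server_mode = any(
        in_use(n) and value(s, "id_provider") == "ipa"
        and value(s, "ipa_server_mode") == "true"
        for n, s in domains.items())
    if not server_mode:
        return []
    return sorted(n for n, s in domains.items()
                  if in_use(n) and value(s, "id_provider") == "ad")


if __name__ == "__main__":
    for name in find_explicit_ad_sections(SAMPLE_CONF):
        print("explicit AD section beside IPA server mode: domain/" + name)
```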
