> Wait, why do you have middlebury.edu section here at all? If middlebury is
> trusted by csns.middlebury.edu, you should not have a separate
> [domain/middlebury.edu] section at all!

That was in there because in my increasingly desperate attempts to get this working, I actually read the documentation, and Section 2.4 of the RHEL 7 Windows Integration Guide says to create a new domain section for the Active Directory domain. Not knowing any better, I played along.

I have removed that section, and now things are broken again. However, the "Could not convert objectSID to a UNIX ID" problem is solved -- it's now breaking elsewhere, but I don't know where yet. I've set debug_level = 10 everywhere, and don't see anything but success messages in the logs, until the user is disconnected. I should probably start another thread for that.

David Guertin