Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-18 Thread Alexander Bokovoy
On Wed, 18 Mar 2015, Guertin, David S. wrote: Wait, why do you have middlebury.edu section here at all? If middlebury is trusted by csns.middlebury.edu, you should not have a separate [domain/middlebury.edu] section at all! That was in there because in my increasingly desperate attempts to get

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-18 Thread Guertin, David S.
Wait, why do you have middlebury.edu section here at all? If middlebury is trusted by csns.middlebury.edu, you should not have a separate [domain/middlebury.edu] section at all! That was in there because in my increasingly desperate attempts to get this working, I actually read the

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-18 Thread Alexander Bokovoy
On Tue, 17 Mar 2015, Guertin, David S. wrote: When you changed idrange, it helps to remove SSSD cache, both on IPA master and IPA clients and restart SSSD. OK, I cleared the cache and restarted sssd with: sss_cache -E systemctl restart sssd Still no change in the error: Could not convert

[Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread Guertin, David S.
We have a trust relationship established between our AD domain and our IPA domain, and AD users can be found on the IPA server with id and getent passwd. When a user tries to SSH to the IPA server with AD credentials, the logs show: (Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]]

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread Guertin, David S.
I don't think sss_cache -E removes cached idrange objects. You need to delete the databases in /var/lib/sss/db/. OK, I stopped sssd, removed everything in /var/lib/sss/db, and restarted sssd. Still no change -- I get the same error. You mean RHEL 7.1, right? Yes, RHEL 7.1. David Guertin

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread David Guertin
On 03/17/2015 08:30 PM, Gould, Joshua wrote: It looks like the range for your AD domain defined in "ipa idrange-find --all" needs to match what's in for your domain in /etc/sssd/sssd.conf. For your example. Under the [domain/CSNS.MIDDLEBURY.EDU] should have ldap_idmap_range_min = 182460

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread Gould, Joshua
: Tuesday, March 17, 2015 at 11:18 AM To: freeipa-users@redhat.com freeipa-users@redhat.com Subject: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID We have a trust relationship established between our AD domain and our IPA domain, and AD users can be found

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread Guertin, David S.
When you changed idrange, it helps to remove SSSD cache, both on IPA master and IPA clients and restart SSSD. OK, I cleared the cache and restarted sssd with: sss_cache -E systemctl restart sssd Still no change in the error: Could not convert objectSID