<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none"></style> </head> <body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;"> <p>We have a trust relationship established between our AD domain and our IPA domain, and AD users can be found on the IPA server with id and getent passwd. <span style="font-size: 12pt;">When a user tries to SSH to the IPA server with AD credentials, the logs show:</span></p> <p><span style="font-size: 12pt;"><br> </span></p> <div>(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x0400): Processing user guertin-s</div> <div>(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x1000): Mapping user [guertin-s] objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to unix ID</div> <div>(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID<br> </div> <p><span style="font-size: 12pt;"><br> It seems that this is a problem with the ID range, but I can't see where the problem is. We increased the default ranges of 200,000 to 2,000,000, which I would think should be able to handle a RID of 245906:</span></p> <p><span style="font-size: 12pt;"><br> </span></p> <div> <div># ipa idrange-find --all</div> <div>----------------</div> <div>2 ranges matched</div> <div>----------------</div> <div> dn: cn=CSNS.MIDDLEBURY.EDU_id_range,cn=ranges,cn=etc,dc=csns,dc=middlebury,dc=edu</div> <div> Range name: CSNS.MIDDLEBURY.EDU_id_range</div> <div> First Posix ID of the range: 1824600000</div> <div> Number of IDs in the range: 2000000</div> <div> First RID of the corresponding RID range: 1000</div> <div> First RID of the secondary RID range: 100000000</div> <div> Range type: local domain range</div> <div> iparangetyperaw: ipa-local</div> <div> objectclass: top, ipaIDrange, ipaDomainIDRange</div> <div><br> </div> <div> dn: cn=MIDDLEBURY.EDU_id_range,cn=ranges,cn=etc,dc=csns,dc=middlebury,dc=edu</div> <div> Range name: MIDDLEBURY.EDU_id_range</div> <div> First Posix ID of the range: 10000</div> <div> Number of IDs in the range: 2000000</div> <div> Domain SID of the trusted domain: S-1-5-21-1983215674-46037090-646806464</div> <div> Range type: Active Directory trust range with POSIX attributes</div> <div> iparangetyperaw: ipa-ad-trust-posix</div> <div> objectclass: ipatrustedaddomainrange, ipaIDrange</div> <div>----------------------------</div> <div>Number of entries returned 2</div> <div>----------------------------</div> <div><br> But the error remains. What am I missing?<br> </div> </div> <div><br> </div> <div>David Guertin<br> </div> </body> </html>