[Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

Alexander Bokovoy abokovoy at redhat.com
Wed Mar 18 06:23:09 UTC 2015


On Tue, 17 Mar 2015, Guertin, David S. wrote:
>> When you changed the idrange, it helps to remove the SSSD cache, both on the
>> IPA master and IPA clients, and restart SSSD.
>
>OK, I cleared the cache and restarted sssd with:
>
>sss_cache -E
>systemctl restart sssd
>
>Still no change in the error: Could not convert objectSID [S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID
>
>FWIW, here's my sssd.conf:
>
>[domain/csns.middlebury.edu]
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = csns.middlebury.edu
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = genet.csns.middlebury.edu
>chpass_provider = ipa
>ipa_server = genet.csns.middlebury.edu
>ipa_server_mode = True
>ldap_tls_cacert = /etc/ipa/ca.crt
>
>[domain/middlebury.edu]
>id_provider = ad
>auth_provider = ad
>chpass_provider = ad
>access_provider = ad
>debug_level = 10

Wait, why do you have a middlebury.edu section here at all? If middlebury
is trusted by csns.middlebury.edu, you should not have a separate
[domain/middlebury.edu] section at all! The whole idea is that SSSD
discovers all domains over the trusted forest link path automatically.


-- 
/ Alexander Bokovoy
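
A check for the layout flagged in the reply above, as an added example that is not part of the original thread: it parses an sssd.conf and reports any active `id_provider = ad` domain section that sits beside an IPA domain with `ipa_server_mode = True`. The function names are hypothetical and the `[sssd]` section in the sample is constructed; the script cannot tell whether the AD domain is actually trusted, so it only reports candidates for review.

```python
import configparser

# Constructed sample: the two-domain layout quoted in the thread, plus an
# [sssd] section (not shown in the original post) listing both domains.
SAMPLE_CONF = """\
[sssd]
domains = csns.middlebury.edu, middlebury.edu

[domain/csns.middlebury.edu]
id_provider = ipa
ipa_server_mode = True

[domain/middlebury.edu]
id_provider = ad
auth_provider = ad
"""


def active_domains(cfg):
    """Names of [domain/...] sections listed in [sssd] domains. Assumption:
    with no list present (as in the quoted snippet), every section counts."""
    names = [s[len("domain/"):] for s in cfg.sections() if s.startswith("domain/")]
    listed = cfg.get("sssd", "domains", fallback="")
    wanted = {d.strip() for d in listed.split(",") if d.strip()}
    return [n for n in names if n in wanted] if wanted else names


def find_redundant_ad_domains(text):
    """Return active id_provider=ad domains that sit beside an IPA domain
    running with ipa_server_mode = True (hypothetical helper)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    active = active_domains(cfg)

    def opt(name, key):
        return cfg.get("domain/" + name, key, fallback="").strip().lower()

    has_server_mode = any(
        opt(n, "id_provider") == "ipa" and opt(n, "ipa_server_mode") == "true"
        for n in active
    )
    if not has_server_mode:
        return []  # plain client or AD-only host: nothing to flag
    return [n for n in active if opt(n, "id_provider") == "ad"]


if __name__ == "__main__":
    for name in find_redundant_ad_domains(SAMPLE_CONF):
        print(f"[domain/{name}] uses id_provider = ad next to an IPA server-mode domain")
```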



