SUSE Support

Here When You Need Us

sssd to AD fails to resolve some users

This document (7018640) is provided subject to the disclaimer at the end of this document.

Environment

SLES 12

Name resolution is pointing to sssd
/etc/nsswitch.conf contains configuration for sssd:

passwd:  compat sss
group:  compat sss

PAM is configured to sssd
/etc/pam.d/common-auth, common-account, common-password and common-session (or service specific files) contain pam_sss.so configuration

SSSD is configured with AD backend
/etc/sssd/sssd.conf contains:
id_provider = ad
auth_provider = ad





Situation

Error in /var/log/messages:
error: PAM: User not known to the underlying authentication module for <user.domain>

id for user doesn't resolve:
id: <user.domain>: no such user

Other users in the same domain can login and resolve via id

Adding debugging to sssd provides the following error in the /var/log/sssd/sssd_<sssd-domain>.log  
(add debugging by adding:  debug_level = 9 to the /etc/sssd/sssd.conf and restart sssd)

Could not convert objectSID [S-1-5-21-1785213684-45039090-656804464-345103] to a UNIX ID


Resolution

The defaults for idmap are:

ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
ldap_idmap_range_size = 200000

Added the following:

ldap_schema = ad
ldap_id_mapping = true
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 2000000000

After making changes to the idmap attributes, the cache files were removed and sssd restarted:

cache files are located at:  /var/lib/sss/db

To restart sssd on SLES 12:  systemctl restart sssd


Cause

The user objects that were failing to resolve have very large SID numbers which fell outside the configured range.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7018640
  • Creation Date: 17-Feb-2017
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.