SLES 12
Name service lookups are directed to sssd
/etc/nsswitch.conf contains configuration for sssd:
passwd: compat sss
group: compat sss
PAM is configured to use sssd
/etc/pam.d/common-auth, common-account, common-password and common-session (or service specific files) contain pam_sss.so configuration
SSSD is configured with AD backend
/etc/sssd/sssd.conf contains:
id_provider = ad
auth_provider = ad
Error in /var/log/messages:
error: PAM: User not known to the underlying authentication module for <user.domain>
The affected user does not resolve with id:
id: <user.domain>: no such user
Other users in the same domain can log in and are resolved by id
With debugging enabled for the domain (add debug_level = 9 to the [domain/<sssd-domain>] section of /etc/sssd/sssd.conf and restart sssd), /var/log/sssd/sssd_<sssd-domain>.log shows the following error:
Could not convert objectSID [S-1-5-21-1785213684-45039090-656804464-345103] to a UNIX ID
The defaults for idmap are:
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
ldap_idmap_range_size = 200000
Add the following to the [domain/<sssd-domain>] section of /etc/sssd/sssd.conf:
ldap_schema = ad
ldap_id_mapping = true
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 2000000000
ldap_schema = ad and ldap_id_mapping = true are already the defaults when id_provider = ad; the setting that resolves the problem is ldap_idmap_range_size, which must be larger than the highest RID in use in the domain. Note that these values leave room for exactly one slice (range_max - range_min equals range_size), so only a single domain can be mapped; in a forest with trusted domains, choose a range_size that exceeds the highest RID but still leaves one slice per domain.
After changing the idmap options, the existing cache must be discarded, because it holds UNIX IDs computed with the old ranges: stop sssd, remove the cache files under /var/lib/sss/db, and start sssd again. On SLES 12 sssd is controlled with systemctl (systemctl stop sssd, systemctl start sssd, or systemctl restart sssd). Be aware that changing the ranges changes the UNIX IDs of every mapped user and group, so ownership of files created under the old IDs needs to be corrected afterwards.
The users that failed to resolve have a large RID (the last component of the objectSID, 345103 in the log above). SSSD maps a SID to a UNIX ID by adding the RID to the base of the slice assigned to the domain, and every slice is ldap_idmap_range_size IDs wide, so with the default range size of 200000 a RID of 345103 cannot be placed in the domain's slice and the conversion fails. Users in the same domain with smaller RIDs are unaffected.
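The script below, added here as a worked example and not part of this TID or of SSSD itself, reproduces the idmap range arithmetic described above so that a SID can be checked against a given sssd.conf before users hit the error. It only models the primary-slice rule (slices of ldap_idmap_range_size IDs between range_min and range_max, UNIX ID = slice base + RID, so the RID must be smaller than range_size); which slice a domain receives is chosen by SSSD from a hash of the domain SID, which is not reproduced, so the slice index is a parameter (assumed 0, the only possible value once the range holds a single slice). Newer SSSD releases can allocate secondary slices for RIDs beyond range_size (ldap_idmap_helper_table_size), which the check does not model. The domain name EXAMPLE.COM, the two sssd.conf fragments and the SID with RID 1105 are constructed; the failing SID is the one from the log above.

```python
"""Check objectSIDs against the SSSD idmap ranges of an sssd.conf domain section.

Added example for this TID, not SUSE's or SSSD's own code. Only the range
arithmetic is reproduced: the slice a domain lands in is taken as a parameter.
"""
import configparser
import re

# SSSD defaults for the idmap options, as quoted in the TID.
IDMAP_DEFAULTS = {
    "ldap_idmap_range_min": 200000,
    "ldap_idmap_range_max": 2000200000,
    "ldap_idmap_range_size": 200000,
}

# User/group objectSID: domain SID (S-1-5-21-A-B-C) followed by the RID.
OBJECT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def load_idmap_settings(sssd_conf_text, domain):
    """Effective idmap settings for [domain/<domain>], falling back to the defaults."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(sssd_conf_text)
    section = "domain/" + domain
    settings = dict(IDMAP_DEFAULTS)
    for key in IDMAP_DEFAULTS:
        if parser.has_option(section, key):
            settings[key] = parser.getint(section, key)
    return settings


def slice_count(settings):
    """Number of complete slices that fit between range_min and range_max."""
    span = settings["ldap_idmap_range_max"] - settings["ldap_idmap_range_min"]
    return span // settings["ldap_idmap_range_size"]


def split_sid(sid):
    """Split an objectSID into (domain SID, RID); reject anything else."""
    match = OBJECT_SID_RE.match(sid)
    if not match:
        raise ValueError("not a domain object SID: %s" % sid)
    return match.group(1), int(match.group(2))


def sid_to_unix_id(sid, settings, slice_index=0):
    """UNIX ID SSSD would assign, or None when the SID cannot be converted.

    The mapping fails either because the requested slice does not exist or
    because the RID does not fit inside one slice (the case in this TID).
    """
    _domain_sid, rid = split_sid(sid)
    if slice_index >= slice_count(settings):
        return None
    if rid >= settings["ldap_idmap_range_size"]:
        return None
    base = settings["ldap_idmap_range_min"] + slice_index * settings["ldap_idmap_range_size"]
    return base + rid


# Constructed sssd.conf fragments: the domain name is an assumption; the idmap
# values are the SSSD defaults and the values from the TID's resolution.
SSSD_CONF_DEFAULT = """
[sssd]
domains = EXAMPLE.COM
[domain/EXAMPLE.COM]
id_provider = ad
auth_provider = ad
"""

SSSD_CONF_FIXED = SSSD_CONF_DEFAULT + """
ldap_schema = ad
ldap_id_mapping = true
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 2000000000
"""

# The objectSID from the sssd domain log in the TID (RID 345103) and a
# constructed SID with a small RID, standing in for a user that did resolve.
FAILING_SID = "S-1-5-21-1785213684-45039090-656804464-345103"
WORKING_SID = "S-1-5-21-1785213684-45039090-656804464-1105"


def report(sssd_conf_text, domain="EXAMPLE.COM"):
    """Map both sample SIDs under the given config; returns {sid: unix_id_or_None}."""
    settings = load_idmap_settings(sssd_conf_text, domain)
    return {sid: sid_to_unix_id(sid, settings) for sid in (FAILING_SID, WORKING_SID)}


if __name__ == "__main__":
    for label, conf in (("defaults", SSSD_CONF_DEFAULT), ("TID resolution", SSSD_CONF_FIXED)):
        settings = load_idmap_settings(conf, "EXAMPLE.COM")
        print("%s: %d slice(s) of %d IDs" % (label, slice_count(settings),
                                            settings["ldap_idmap_range_size"]))
        for sid, uid in report(conf).items():
            print("  %s -> %s" % (sid, uid if uid is not None else "could not convert"))
```

Under the defaults the script reports 10000 slices of 200000 IDs and refuses the SID with RID 345103, exactly the log message above; with the resolution's values it reports a single slice and maps that SID to 100000 + 345103. Running it against a copy of the real /etc/sssd/sssd.conf and the objectSIDs of the affected accounts shows whether a planned range_size is large enough before the cache is cleared.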
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.