I have done some more investigations and with the debugging enabled, I can see the following errors in the sssd_ipa.example.com.log on the IPA server (when I run id <username> from an IPA client) :
2021-07-15 16:33:34): [be[ipa.example.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (2021-07-15 16:33:34): [be[ipa.example.com]] [sysdb_apply_default_override] (0x0080): Override attribute for [gidNumber] has more [2] than one value, using only the first. (2021-07-15 16:33:34): [be[ipa.example.com]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=ro...@example.com,cn=users,cn=EXAMPLE.com,cn=sysdb (2021-07-15 16:33:34): [be[ipa.example.com]] [sysdb_set_entry_attr] (0x0200): Entry [name=ro...@example.com,cn=users,cn=EXAMPLE.com,cn=sysdb] has set [cache, ts_cache] attrs. (2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_done] (0x0400): DP Request [Account #247]: Request handler finished [0]: Success (2021-07-15 16:33:34): [be[ipa.example.com]] [_dp_req_recv] (0x0400): DP Request [Account #247]: Receiving request data. (2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_destructor] (0x0400): DP Request [Account #247]: Request removed. (2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_destructor] (0x0400): Number of active DP request: 4 (2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_reply_std] (0x1000): DP Request [Account #247]: Returning [Success]: 0,0,Success (2021-07-15 16:33:34): [be[ipa.example.com]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success (2021-07-15 16:33:34): [be[ipa.example.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (2021-07-15 16:33:34): [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain ipa.example.com is Active (2021-07-15 16:33:34): [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain EXAMPLE.com is Active (2021-07-15 16:33:34): [be[ipa.example.com]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account (2021-07-15 16:33:34): [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain ipa.example.com is Active (2021-07-15 16:33:34): [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain EXAMPLE.com is Active (2021-07-15 16:33:34): [be[ipa.example.com]] [ad_account_can_shortcut] (0x0080): Mapping ID [20890] to SID failed: [IDMAP domain not found] (2021-07-15 16:33:34): [be[ipa.example.com]] [ad_handle_acct_info_send] (0x0400): This ID is from different domain (2021-07-15 16:33:34): [be[ipa.example.com]] [ipa_get_ad_acct_ad_part_done] (0x0080): Object not found, ending request (2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_done] (0x0400): DP Request [Account #249]: Request handler finished [0]: Success (2021-07-15 16:33:34): [be[ipa.example.com]] [_dp_req_recv] (0x0400): DP Request [Account #249]: Receiving request data. (2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_destructor] (0x0400): DP Request [Account #249]: Request removed. (2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_destructor] (0x0400): Number of active DP request: 3 (2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_reply_std] (0x1000): DP Request [Account #249]: Returning [Success]: 0,0,Success (2021-07-15 16:33:34): [be[ipa.example.com]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success (2021-07-15 16:33:34): [be[ipa.example.com]] [write_pipe_handler] (0x0400): All data has been sent! The issues seems to be within ad_account_can_shortcut function but I cannot figure out what the real issue is. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure