Hi Jakub, thank you for your help.
I cannot resolve all of the users nor their groups on client hosts. getent passwd
doesn't return anything, and su - user@ad.domain doesn't work either.
All AD users I tried get resolved on the FreeIPA servers. One account gets
resolved on one client host, but on another client host it fails.
Oddly, I can see in the server's /var/log/sssd/ad_domain.log that upon issuing su -
user@ad.domain on a client host, group membership is being resolved. The user is not resolved
on the client host, though.
The only suspicious thing I can find in the logfiles is this entry, but I do not know if it
is the culprit or not:
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sysdb_update_members_ex] (0x0020): Could not remove member [user@ad.domain] from group [name=some_group@ad.domain,cn=groups,cn=ad.domain,cn=sysdb]. Skipping
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sss_domain_get_state] (0x1000): Domain ipa.domain is Active
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sss_domain_get_state] (0x1000): Domain ad.domain is Active
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55bdb