We use SSSD to integrate RHEL7 into our Active Directory infrastructure for authentication. All users in the sys admins group can login with their AD credentials except one. It took me a few weeks to troubleshoot.
On hand, I checked the sssd log and I can see the Linux server can find the user in the AD, but somehow it can not read the attributes of this user. On the other hand, I see the domain controller responds correctly to the Linux request per the captured packets in Wireshark.
Finally, I figured it out today. It turns out to be a bug in the version of SSSD (1.12.2-58) that is running in our RHEL7.1. The SSSD process can not handle the AD account which objectGUI starts with zero. The bug had been reported, and will be fixed in the latest version I think. The current workaround is to tell SSSD not to read the objectGUI from AD by adding ‘ldap_user_uuid = notExistingAttributeName‘ in the sssd.conf.
One thought on “SSSD can not find some users in AD”