This bug is created as a clone of upstream ticket:
In the "ID MAPPING" section of the manpage, the ldap_idmap_range_size should have a mention that the value should be at least the user's corresponding RID on the AD Server.
e.g. for a user with objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, ldap_idmap_range_size should be at least 1107. Lookups/enumeration for the user will not work if a value less than that is mentioned.
master - 13aea9c2b9c48dd614095b4551021868812ba2f0
Verified in version sssd-1.12.2-39.el7
sssd-ad manpage has:
NOTE: The value of this option must be at least as large as the
highest user RID planned for use on the Active Directory
server. User lookups and login will fail for any user whose RID
is greater than this value.
For example, if your most recently-added Active Directory user
“ldap_idmap_range_size” must be at least 1107.
It is important to plan ahead for future expansion, as changing
this value will result in changing all of the ID mappings on
the system, leading to users with different local IDs than they
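The following Python script is an added illustration of the constraint the manpage note describes; it is not SSSD code and not part of the bug report. It models SSSD's algorithmic ID mapping as "uid = range_min + slice_index * range_size + RID", where a slice is assumed to hold RIDs 0 through range_size-1, so a RID equal to or larger than range_size cannot be mapped and the lookup fails. The slice selection SSSD performs by hashing the domain SID is not reproduced: slice_index is a plain parameter here. The first sample SID is the one from the report; the other two are constructed for the example, and the 200000 defaults are SSSD's documented defaults for ldap_idmap_range_min and ldap_idmap_range_size.

```python
import re

# Constructed sample: the objectSid from the bug report plus two hypothetical
# users from the same domain with higher RIDs (not taken from the page).
SAMPLE_SIDS = [
    "S-1-5-21-2153326666-2176343378-3404031434-1107",
    "S-1-5-21-2153326666-2176343378-3404031434-1500",
    "S-1-5-21-2153326666-2176343378-3404031434-250013",
]

# SSSD defaults for ldap_idmap_range_min and ldap_idmap_range_size.
DEFAULT_RANGE_MIN = 200000
DEFAULT_RANGE_SIZE = 200000

# AD account SIDs: S-1-5-21-<three sub-authorities>-<RID>
_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def split_sid(sid):
    """Split an AD objectSid string into (domain SID, RID)."""
    m = _SID_RE.match(sid)
    if m is None:
        raise ValueError("not an AD account SID: %r" % sid)
    domain_sid = sid.rsplit("-", 1)[0]
    return domain_sid, int(m.group(1))


def map_uid(sid, range_size=DEFAULT_RANGE_SIZE, range_min=DEFAULT_RANGE_MIN,
            slice_index=0):
    """Model of the mapping: uid = slice base + RID.

    Assumption of this example: a slice covers RIDs 0 .. range_size-1, so a
    RID >= range_size has no place in the slice and the lookup fails (None).
    slice_index stands in for the hash-based slice choice SSSD makes.
    """
    _domain, rid = split_sid(sid)
    if rid >= range_size:
        return None
    return range_min + slice_index * range_size + rid


def check_range_size(sids, range_size, range_min=DEFAULT_RANGE_MIN,
                     slice_index=0):
    """Return {sid: uid-or-None} so unmappable users can be spotted before
    a range size is committed to sssd.conf."""
    return {s: map_uid(s, range_size, range_min, slice_index) for s in sids}


def minimum_range_size(sids):
    """Smallest range size, under this model, that maps every listed SID."""
    return max(split_sid(s)[1] for s in sids) + 1


if __name__ == "__main__":
    # Same users, same slice, three candidate range sizes: shows both the
    # failing lookups and the fact that every uid moves when the size changes.
    for size in (1000, DEFAULT_RANGE_SIZE, 300000):
        print("ldap_idmap_range_size = %d" % size)
        for sid, uid in check_range_size(SAMPLE_SIDS, size, slice_index=1).items():
            print("  %s -> %s" % (sid, uid if uid is not None else "LOOKUP FAILS"))
    print("minimum range size for these users:", minimum_range_size(SAMPLE_SIDS))
```

Running the script prints, for each candidate range size, which of the sample users would map and which would fail, and the fact that the mapped uids differ between sizes is the "changing this value will result in changing all of the ID mappings" caveat from the manpage in concrete numbers.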
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.