SSSD on CentOS, Active Directory search returns zero results


It's because you set subdomains provider to none. It's a bit counter-intuitive, but the subdomains provider also retrieves information about the joined domain including the SID which is needed for ID mapping.

You have three options:

  1. enable the subdomains provider. I don't know why you disabled it; most people do that in order to work around a trusted domain being unreachable
  2. if you need to keep the subdomains provider disabled, you need to manually set the domain SID, see man sssd-ldap and search for "domain_sid"
  3. If you are running 7.3, you can only enable the joined domain using ad_enabled_domains
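A diagnostic for the misconfiguration described in the answer, added here as an example and not code from the question or from SSSD: it flags a domain section that relies on ID mapping while subdomains_provider = none leaves ldap_idmap_default_domain_sid unset, and decodes the domain root's binary objectSid (a constructed value here) into the S-1-5-21-... string that option 2 needs. The configparser-based check and the sample bytes are assumptions of this example.

```python
import configparser
import re
import struct

# Constructed sssd.conf fragment mirroring the question's domain section:
# ID mapping is on, but the subdomains provider that fetches the domain SID is off.
BROKEN_CONF = """
[domain/VALID.DOMAIN.CORP]
id_provider = ad
subdomains_provider = none
ldap_id_mapping = true
ldap_schema = ad
"""

# Constructed objectSid of the domain root object as LDAP returns it:
# revision 1, four sub-authorities, authority 5, then little-endian sub-authorities
# 21, 1000, 2000, 3000 (i.e. S-1-5-21-1000-2000-3000).
SAMPLE_OBJECTSID = bytes.fromhex("0104" "000000000005" "15000000" "e8030000" "d0070000" "b80b0000")

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def sid_to_string(raw):
    """Decode a binary SID into its textual S-1-... form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def check_idmap(conf_text, domain):
    """Return the problems that would stop SID-based ID mapping for `domain`."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/%s" % domain]
    provider = sec.get("id_provider", "").strip().lower()
    # The AD provider defaults ldap_id_mapping to true, the plain ldap provider to false.
    mapping = sec.get("ldap_id_mapping", "true" if provider == "ad" else "false")
    if mapping.strip().lower() != "true":
        return []
    problems = []
    dom_sid = sec.get("ldap_idmap_default_domain_sid", "").strip()
    if sec.get("subdomains_provider", "").strip().lower() == "none" and not dom_sid:
        problems.append("subdomains_provider = none with no ldap_idmap_default_domain_sid: "
                        "sssd cannot learn the domain SID, so ID mapping has nothing to map")
    if dom_sid and not DOMAIN_SID_RE.match(dom_sid):
        problems.append("ldap_idmap_default_domain_sid is not a domain SID (S-1-5-21-x-y-z): %r" % dom_sid)
    return problems


if __name__ == "__main__":
    print(check_idmap(BROKEN_CONF, "VALID.DOMAIN.CORP"))
    print("domain SID:", sid_to_string(SAMPLE_OBJECTSID))
```

On a real system the objectSid bytes would come from an ldapsearch of the domain root object; appending `ldap_idmap_default_domain_sid = <decoded SID>` to the domain section makes the check pass.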

Author: Hank Killinger

Updated on September 18, 2022

Comments

  • Hank Killinger almost 2 years

    Basic Info

    I'm running sssd (1.13.3-22) on CentOS (6.8) to authenticate with Active Directory (2012). I do not wish to use uid numbers stored in AD, so I have ldap_id_mapping set to true.

    When I run "id ValidUsername" I get the response "No Such User". I look in the sssd domain log and see the ldap search for ValidUsername returned no results. When I run the same query with ldapsearch it also returns no results, but I can modify the query to exclude uidNumber and it will return a result. See details below for ldap query info.

    Detailed Info

    sssd_VALID.DOMAIN.CORP.log Snippet

    [sdap_search_user_next_base] (0x0400): Searching for users with base [DC=valid,DC=domain,DC=corp]
    [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ValidUsername)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=valid,DC=domain,DC=corp].
    [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
    [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
    [sdap_get_users_done] (0x0040): Failed to retrieve users
    [sysdb_search_by_name] (0x0400): No such entry
    [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
    [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
    [be_ptask_online_cb] (0x0400): Back end is online
    

    The ldap query sssd used is listed in the log at [sdap_get_generic_ext_step]. If I take the same query and test it by running ldapsearch, I also get no result:

    ldapsearch -LLL -Y GSSAPI -N -H ldap://dc1.valid.domain.corp -b "DC=valid,DC=domain,DC=corp" '(&(sAMAccountName=ValidUsername)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))'
    

    However, if I remove the uidNumber lookup parts of the query, I get the expected user data as a result:

    ldapsearch -LLL -Y GSSAPI -N -H ldap://dc1.valid.domain.corp -b "DC=valid,DC=domain,DC=corp" '(&(sAMAccountName=ValidUsername)(objectclass=user)(sAMAccountName=*))'
    

    If ldap_id_mapping is set to true, why is sssd querying AD for uidNumber data? I checked the user attributes and the uidNumber attribute has no value, so sssd won't work unless I populate this value. Microsoft is deprecating the management tools for unix attributes, so I'd prefer to not bother with them.

    I don't want to use winbind, which has been flaky for me in the past.

    Is there any config item I can use to force sssd to send a valid user lookup query? Or is there something else I'm missing?

    sssd.conf

    [sssd]
    config_file_version = 2
    debug_level = 6
    domains = VALID.DOMAIN.CORP
    services = nss, pam
    
    [nss]
    debug_level = 6
    
    [pam]
    debug_level = 6
    
    [domain/VALID.DOMAIN.CORP]
    debug_level = 8
    
    id_provider = ad
    access_provider = ad
    auth_provider = ad
    chpass_provider = ad
    subdomains_provider = none
    
    dyndns_update = false
    
    ad_server = dc1.VALID.DOMAIN.corp
    ad_backup_server = dc2.VALID.DOMAIN.corp
    
    ldap_id_mapping = true
    ldap_schema = ad
    
    fallback_homedir = /home/%d/%u
    default_shell = /bin/bash
    

    smb.conf

    workgroup = VALID
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    realm = VALID.DOMAIN.CORP
    security = ads
    log file = /var/log/samba/log.%m
    max log size = 50
    
  • Hank Killinger over 7 years
    You're correct, I have subdomains_provider set to none due to firewall rules between me and the domain controllers for the parent "DOMAIN.CORP". I chose option two: use ldap_idmap_default_domain_sid to manually specify the domain SID. I'll use ad_enabled_domains when we switch to 7.
  • Hank Killinger over 7 years
    I used the PowerShell cmdlet Get-ADDomain to obtain the domain SID
  • jhrozek over 7 years
    I'm glad it works. BTW, we are also backporting ad_enabled_domains to RHEL-6.9 due to "popular demand".