Jasmin shahrzad asked:

centos 7 login failed

I have an IPA server running on CentOS 7. I created a user from IPA LDAP.
id "username"  returns uid, gid and groups successfully.
When I try to log in to the server via su - "username"  it returns:
su: cannot set groups: Invalid argument
What is wrong?
ls -l /bin/su  is also ok. Permission:  -rwsr-xr-x 1 root root 32128 Aug  9 03:10 /bin/su
The same permission for /etc/shadow and /etc/passwd:
-rw-r--r-- 1 root root 1467 Sep 22 20:59 /etc/passwd
-rwsr-s--- 1 root root 827 Sep 23 11:11 /etc/shadow

Help
noci

Side note: -rw-r----- should be set for /etc/shadow (without the sgid etc. bits), i.e. mode 640.

Then any tool on Unix/Linux will use library calls like gethostbyip(), getpasswd(), etc.
On the command line, the getent program facilitates these types of queries (and can be used to debug the data)...

getent passwd username  (or uid)    - should provide a line like in the passwd file (even if coming from an IPA).
getent shadow username
getent group groupname (or gid)
getent gshadow groupname
(for ordinary users, shadow and gshadow will not deliver data).

getent can also be used to check for hostnames, IP addresses etc. (use getent --help for more info).
If those work, su etc. should also work.
If getent queries work, any program will work.

[ su may have other extra options if PAM is in play, and it probably is.. ]

Along noci's suggestion:
Is the gid being returned a valid gid on this system?

In the response to id, is the group name shown or just a number?

Does the gid exist in the IPA's LDAP as a valid group?
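The checks noci and arnold describe (getent passwd for the user, getent group for each gid the user carries) can be scripted so the result is a yes/no per gid instead of a stack of manual lookups. The following is an added example and not code from the thread; the sample passwd and group lines are constructed to look like the output shown later in the thread, and the check_user_live wrapper runs the same logic against the real NSS stack (sssd, files, whatever nsswitch.conf names).

```shell
#!/bin/sh
# Added example (not from the thread): resolve every gid a user carries
# through the same lookups noci describes (getent passwd, getent group by gid)
# and report any gid that has no named group behind it.

# Constructed sample data, shaped like the thread's getent output.
SAMPLE_PASSWD='admin:*:1343200000:1343200000:Administrator:/home/admin:/bin/bash'
SAMPLE_GROUP_DB='admins:*:1343200000:admin,bas
unixadmins:*:1343200001:admin,bas'

# gid_to_name GID GROUPDB -> prints the group name for GID, returns 1 if none.
gid_to_name() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { print $1; found = 1 }
                                            END { exit !found }'
}

# user_gids NAME PASSWDLINE GROUPDB -> the primary gid followed by the gid of
# every group that lists NAME as a member (what id -G shows), deduplicated.
user_gids() {
    {
        printf '%s\n' "$2" | cut -d: -f4
        printf '%s\n' "$3" | awk -F: -v u="$1" '
            { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $3 }'
    } | awk '!seen[$0]++'
}

# check_user PASSWDLINE GROUPDB -> 0 if every gid resolves to a group, else 1.
check_user() {
    name=$(printf '%s\n' "$1" | cut -d: -f1)
    rc=0
    for gid in $(user_gids "$name" "$1" "$2"); do
        if gname=$(gid_to_name "$gid" "$2"); then
            printf '%s: gid %s -> %s\n' "$name" "$gid" "$gname"
        else
            printf '%s: gid %s has no group entry\n' "$name" "$gid" >&2
            rc=1
        fi
    done
    return $rc
}

# Live wrapper: same check against the real NSS stack on this host.
check_user_live() {
    line=$(getent passwd "$1") || { printf 'no passwd entry for %s\n' "$1" >&2; return 1; }
    check_user "$line" "$(getent group)"
}

# Demonstration on the constructed data.
check_user "$SAMPLE_PASSWD" "$SAMPLE_GROUP_DB" || true
```

Run check_user_live username on the IPA client; a gid printed with "has no group entry" is the one to look for in the IPA LDAP (or the one to change the user's gid away from), which is the question arnold is asking.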
Jasmin shahrzad (ASKER)
I think it must be /etc/shadow. I changed it to 644, but when I run getent shadow "username" it returns nothing;
only getent passwd returns something:
getent passwd admin
admin:*:1343200000:1343200000:Administrator:/home/admin:/bin/bash
[root@ipa ~]# getent gshadow admin  returns nothing
and getent group admin  returns nothing.
@arnold: what I can see in IPA for uid and gid is the same as I can see in getent passwd "username" or id username.
Shadow SHOULD NEVER return anything for an ordinary user. ONLY root MAY access these files...
gshadow and shadow should have 640 protection!!!
This is a FUNDAMENTAL security requirement.

After you are root, you can use getent shadow and getent gshadow.

Those are huge group numbers...; these numbers were once defined to be 16-bit unsigned integers... modern Linux systems allow 32-bit unsigned entities (0 .. 4e9).
Yours (1e9) do still fit on 64-bit Linux.
You should have groups in the IPA LDAP that match the gid.

Usually, when creating users, a user is assigned to a group, such as users. If -g groupid is not specified the process will create a new group with the same name as the username.

Update this username's gid to one that exists in /etc/groups or add a group using the gid on the line.

Try wbinfo -g; this will get/list groups through Samba.
wbinfo -g/u is for winbind. Here in IPA sssd is installed automatically. Normally in Samba Active Directory I create a user in AD and give it an existing group in Samba, not a group in Unix. Not all AD groups show in /etc/group.
Here I did the same: I have a unixadmins group and created one user in this group. When I ask
id "username" all is correct, but when I try to log in as the user I have the error
"su: cannot set groups: Invalid argument"
getent group gid   (f.e. getent group 1343200000)
getent group groupname

(use your own gid/groupname) what do they return?
If they give errors or wrong values, the integration with AD doesn't work for groups.
getent group 1343200000
admins:*:1343200000:admin
but
[root@ipa ~]# getent group admin
[root@ipa ~]#

returns nothing.
Correct, the group is called admins.
Ok, IPA does nothing about "AD" now; right now it is standalone.
But you are right, getent group admin returns nothing.
Ok, here is something wrong: getent group unixadmins returns my user and admin, but admin is a group and not in a subgroup of unixadmins.
I am just confused :-(
No, I do not have admins, I have admin in my IPA.
Oh right, I understand now, it's admins of course.
Then it returns correctly:
getent group 1343200000
returns admin and my user
and
getent group admins
returns
admins:*:1343200000:admin,bas
I can see IPA is not working: I deleted the user and asked id in CentOS, and the user is still there, but not in the IPA LDAP.
ASKER CERTIFIED SOLUTION
noci
grep admin's /etc/groups

You might have two similarly named groups with different gids.
Reserved groups, which I think admin/s might be one of.

Try using strace -f su -username to see when the error shows up.
One thing to try is sudo -s -u username as an alternative to su - username and see if it generates the same error.

Going on the assumption that either the group could not be identified from the GID or the GID is large.
@noci: it's correct, I moved the group id and user id down to 100001 as group and 1000010 as uid.
Then I can connect to Linux. I made lxd privileged (lxc config set ipa security.privileged true) and
lxc config get ipa security.privileged  returns true.
But how do I set the range for group and id to what I want? F.x. I want
id: container_id(0) -> host_id(100000)
..
..
container_id(100000) -> host_id(200000)
or something like that.
My config shows now:
lxc config show ipa
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Centos 7 amd64 (20190922_07:08)
  image.os: Centos
  image.release: "7"
  image.serial: "20190922_07:08"
  image.type: squashfs
  security.privileged: "true"
  volatile.base_image: e39b956eaabc520ad7d3a4060f45dc54f53dfe92b1f73cc71a35df9533b61c2a
  volatile.eth0.hwaddr: 00:16:3e:a9:d8:71
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: STOPPED
devices: {}
ephemeral: false
profiles:
- lanprofile
stateful: false
description: ""
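The config above is the piece a defender wants to read against the original error: volatile.idmap.current maps container ids 0..999999999 (Nsid 0, Maprange 1000000000) onto host ids starting at 1000000, so an IPA gid of 1343200000 lies outside the range the unprivileged container can use, and the kernel refuses it with EINVAL when su calls setgroups(); the 100001/1000010 ids that made login work both fit. Inside a container the same map is readable as /proc/self/uid_map and /proc/self/gid_map, one "nsid hostid range" line per entry. The script below is an added example, not part of the thread; the map text it tests against is constructed from the config shown above, and the check_user_gids_live function is an assumed helper that reads the live map.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a uid/gid lies inside
# the id mapping of the user namespace a container runs in. The kernel
# exposes the map as /proc/self/uid_map and /proc/self/gid_map, with lines
# of "nsid hostid range". An id outside every range cannot be assumed by
# setgid()/setgroups(): the kernel returns EINVAL, which su reports as
# "cannot set groups: Invalid argument".

# Constructed map text from the thread's volatile.idmap.current entry
# (Nsid 0, Hostid 1000000, Maprange 1000000000): container ids 0..999999999.
SAMPLE_GID_MAP='0 1000000 1000000000'

# id_is_mapped ID MAPTEXT -> 0 and prints the host id when some map line
# covers ID (nsid <= ID < nsid + range); 1 when no line covers it.
id_is_mapped() {
    printf '%s\n' "$2" | awk -v id="$1" '
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1 }
        END { exit !found }'
}

# explain_gid GID MAPTEXT -> one-line verdict, exit status as id_is_mapped.
explain_gid() {
    if host=$(id_is_mapped "$1" "$2"); then
        printf 'gid %s is mapped (host gid %s): setgroups() can use it\n' "$1" "$host"
        return 0
    fi
    printf 'gid %s is outside the mapped range: setgroups() returns EINVAL\n' "$1" >&2
    return 1
}

# Live check from inside a container (assumed helper): every gid the user
# carries, as id -G reports it, must fall inside /proc/self/gid_map.
check_user_gids_live() {
    map=$(cat /proc/self/gid_map) || return 1
    rc=0
    for g in $(id -G "$1"); do
        explain_gid "$g" "$map" || rc=1
    done
    return $rc
}

# Demonstration on the constructed map: the thread's two gids, old and new.
explain_gid 1343200000 "$SAMPLE_GID_MAP" || true
explain_gid 100001 "$SAMPLE_GID_MAP"
```

Making the container privileged (security.privileged true, as done above) removes the user namespace and with it the range limit, at the cost of the isolation that namespace provided; keeping ids below the Maprange, as the asker also did, keeps the container unprivileged and still lets su set the groups.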
SOLUTION
Thanks, issue is solved.