[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

Fri, 12 May 2023 05:30:42 -0700 

On Fri, May 12, 2023 at 02:32:48PM +0300, Alexander Bokovoy via FreeIPA-users 
wrote:
> Please check whether this user had SID from IPA domain. There might also be
> a problem allocating SIDs, due to incorrect or missing ID range for this
> user's POSIX ID. In that case there could be sidgen plugin errors in dirsrv
> errorlog.

I've got two users where I'm seeing this - neither have an
'ipaNTSecurityIdentifier' attribute. My (disabled) 'admin' user does
have the attribute (with the expected RID of 500).

I can't see any lines with 'sid' in the dirsrv error log file either.
The sidgen plugin is enabled...

    # ldapsearch -Q -LLL -o ldif-wrap=no -Y EXTERNAL -H 
ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket  -s base -b 'cn=IPA 
SIDGEN,cn=plugins,cn=config'
    dn: cn=IPA SIDGEN,cn=plugins,cn=config
    cn: IPA SIDGEN
    nsslapd-basedn: dc=ipa,dc=robots,dc=org,dc=uk
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginDescription: Add a SID to newly added or modified objects 
with uid pr gid numbers
    nsslapd-pluginEnabled: on
    nsslapd-pluginId: IPA SIDGEN postop plugin
    nsslapd-pluginInitfunc: ipa_sidgen_init
    nsslapd-pluginPath: libipa_sidgen
    nsslapd-pluginType: postoperation
    nsslapd-pluginVendor: FreeIPA project
    nsslapd-pluginVersion: FreeIPA/1.0
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: extensibleObject

Shall I run the SIDgen task as documented at
<https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html#troubleshooting-and-debugging>
or is there any extra info I can dig up first to find out why this
didn't run on upgrade?

Wait, according to that page, after upgrading I have to run 'ipa
config-mod --enable-sids'... is that right?

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to