Hello, I had a similar issue with alma9/ipa 4.10 server and wasn't able to authenticate on specific resources (virtual machines) and my problem was that on some of them (debians) there was a missing configuration for hostname. On other parts of infra (alma8/9) the issue was out of sync clock - had to re-adjust zone settings for (alma8 only) a few vms and syncing clock made both alma8/9 vms work properly. I'm almost sure that you've checked this, but had to share my last experience with IPA.

On Fri, May 12, 2023 at 3:46 PM Alexander Bokovoy via FreeIPA-users <[email protected]> wrote:
> Correct, run the task, it will produce some output in the dirsrv errorlog.
>
> On Friday, May 12, 2023, Sam Morris <[email protected]> wrote:
> > On Fri, May 12, 2023 at 02:32:48PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> >> Please check whether this user had SID from IPA domain. There might also be
> >> a problem allocating SIDs, due to incorrect or missing ID range for this
> >> user's POSIX ID. In that case there could be sidgen plugin errors in dirsrv
> >> errorlog.
> >
> > I've got two users where I'm seeing this - neither have an
> > 'ipaNTSecurityIdentifier' attribute. My (disabled) 'admin' user does
> > have the attribute (with the expected RID of 500).
> >
> > I can't see any lines with 'sid' in the dirsrv error log file either.
> > The sidgen plugin is enabled...
> >
> > # ldapsearch -Q -LLL -o ldif-wrap=no -Y EXTERNAL -H ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket -s base -b 'cn=IPA SIDGEN,cn=plugins,cn=config'
> > dn: cn=IPA SIDGEN,cn=plugins,cn=config
> > cn: IPA SIDGEN
> > nsslapd-basedn: dc=ipa,dc=robots,dc=org,dc=uk
> > nsslapd-plugin-depends-on-type: database
> > nsslapd-pluginDescription: Add a SID to newly added or modified objects with uid pr gid numbers
> > nsslapd-pluginEnabled: on
> > nsslapd-pluginId: IPA SIDGEN postop plugin
> > nsslapd-pluginInitfunc: ipa_sidgen_init
> > nsslapd-pluginPath: libipa_sidgen
> > nsslapd-pluginType: postoperation
> > nsslapd-pluginVendor: FreeIPA project
> > nsslapd-pluginVersion: FreeIPA/1.0
> > objectClass: top
> > objectClass: nsSlapdPlugin
> > objectClass: extensibleObject
> >
> > Shall I run the SIDgen task as documented at
> > <https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html#troubleshooting-and-debugging>
> > or is there any extra info I can dig up first to find out why this
> > didn't run on upgrade?
> >
> > Wait, according to that page, after upgrading I have to run 'ipa
> > config-mod --enable-sids'... is that right?
> >
> > --
> > Sam Morris <https://robots.org.uk/>
> > PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
> >
> >
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
