Thanks Rob!

When I look into the error log I see:

...

[13/Jun/2023:18:30:53.058701401 +0200] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[13/Jun/2023:18:30:53.078910058 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.081500273 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.084253592 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.086865691 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.089468791 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.092068944 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.094507326 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.096914953 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.099463420 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.102039228 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.104762312 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.107239054 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.109782955 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.112299485 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.115404234 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.117701343 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.119978509 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.122198973 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.124391291 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.126577163 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.129501045 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.156125691 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.158550399 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=hep,dc=uniovi,dc=es does not exist
[13/Jun/2023:18:30:53.281641571 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[13/Jun/2023:18:30:53.291514083 +0200] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
[13/Jun/2023:18:30:53.294705207 +0200] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=hep,dc=uniovi,dc=es--no CoS Templates found, which should be added before the CoS Definition.
[13/Jun/2023:18:30:53.368375597 +0200] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[13/Jun/2023:18:30:53.371558464 +0200] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[13/Jun/2023:18:30:53.373717263 +0200] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[13/Jun/2023:18:30:53.375812804 +0200] - INFO - slapd_daemon - Listening on /run/slapd-HEP-UNIOVI-ES.socket for LDAPI requests
[13/Jun/2023:18:30:53.684208319 +0200] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[13/Jun/2023:18:30:53.715940639 +0200] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [10000] into an unused SID.
[13/Jun/2023:18:30:53.718204134 +0200] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[13/Jun/2023:18:30:53.720659122 +0200] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
[13/Jun/2023:18:30:58.389970158 +0200] - ERR - schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=hep,dc=uniovi,dc=es
[13/Jun/2023:18:30:58.392957245 +0200] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=hep,dc=uniovi,dc=es
[13/Jun/2023:18:30:58.468087968 +0200] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=hep,dc=uniovi,dc=es
[13/Jun/2023:18:30:58.470451507 +0200] - ERR - schema-compat-plugin - Finished plugin initialization.
...

The last few lines seem to be the more important, right? Unfortunately I don't know how to fix it or why this is causing a problem after the last update. Any help or hint is very much welcome.

Isidro

On 13/06/2023 at 16:34, Rob Crittenden wrote:
GoNiS via FreeIPA-users wrote:
I tried the trick of running:

ipa config-mod --add-sids --enable-sid

on my 2 ipa servers (one in 8 and one in 9) and it did not cure the
authentication problem for my clients hitting the newest server.

The disable_pac=true trick did the work, but it is unsafe.

I wonder if I need to issue the ipa idrange... command as proposed by
Charles some messages above.

You should look in /var/log/dirsrv/slapd-REALM/error_log to see if the
sids enablement ran into problems. It should tell you where it failed,
if it did.

rob
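
An added example, not part of the original thread: one way to do the error_log check Rob describes, splitting run-together entries and isolating what the SID generation task logged. The function names are hypothetical and SAMPLE is built from entries copied out of the log quoted above.

```python
import re
from collections import Counter

# Entries copied from the error_log quoted in the message above, run together
# on one line the way the mail archive rendered them.
SAMPLE = (
    "[13/Jun/2023:18:30:53.078910058 +0200] - WARN - NSACLPlugin - acl_parse - "
    "The ACL target cn=dns,dc=hep,dc=uniovi,dc=es does not exist "
    "[13/Jun/2023:18:30:53.684208319 +0200] - ERR - sidgen_task_thread - "
    "[file ipa_sidgen_task.c, line 194]: Sidgen task starts ... "
    "[13/Jun/2023:18:30:53.715940639 +0200] - ERR - find_sid_for_ldap_entry - "
    "[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [10000] into an unused SID. "
    "[13/Jun/2023:18:30:53.718204134 +0200] - ERR - do_work - "
    "[file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry. "
    "[13/Jun/2023:18:30:53.720659122 +0200] - ERR - sidgen_task_thread - "
    "[file ipa_sidgen_task.c, line 199]: Sidgen task finished [32]. "
    "[13/Jun/2023:18:30:58.470451507 +0200] - ERR - schema-compat-plugin - "
    "Finished plugin initialization."
)

STAMP = re.compile(r"\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}\]")
ENTRY = re.compile(r"\[(?P<ts>[^\]]+)\] - (?P<sev>[A-Z]+) - (?P<src>\S+) - (?P<msg>.*)")
POSIX_ID = re.compile(r"Cannot convert Posix ID \[(\d+)\]")
FINISHED = re.compile(r"Sidgen task finished \[(\d+)\]")


def split_entries(text):
    """Yield one dict per log entry, even when entries share a physical line."""
    starts = [m.start() for m in STAMP.finditer(text)]
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        m = ENTRY.match(" ".join(text[begin:end].split()))
        if m:
            yield m.groupdict()


def sidgen_report(text):
    """Summarise severities and pull out what the SID generation task logged."""
    report = {"by_severity": Counter(), "sidgen_lines": 0,
              "unconvertible_ids": [], "finish_code": None}
    for entry in split_entries(text):
        report["by_severity"][entry["sev"]] += 1
        if "ipa_sidgen" not in entry["msg"]:
            continue  # only entries tagged with an ipa_sidgen_*.c source file
        report["sidgen_lines"] += 1
        if (m := POSIX_ID.search(entry["msg"])):
            report["unconvertible_ids"].append(int(m.group(1)))
        if (m := FINISHED.search(entry["msg"])):
            report["finish_code"] = int(m.group(1))
    return report


if __name__ == "__main__":
    print(sidgen_report(SAMPLE))
```

Filtering on the ipa_sidgen file tag rather than on ERR matters here, because in the quoted log routine messages such as "Finished plugin initialization." are also logged at ERR.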
