Paul Nickerson via FreeIPA-users wrote:
> I confirmed that users who had an ipaNTSecurityIdentifier attribute could log
> in to the web UI, and those that did not have the ipaNTSecurityIdentifier
> attribute could not.
>
> I found the error in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors like you
> said:
> [17/Jan/2024:20:28:09.571195828 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
> [17/Jan/2024:20:28:09.637675948 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1566000023] into an unused SID.
> [17/Jan/2024:20:28:09.658369523 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
> [17/Jan/2024:20:28:09.666726494 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
>
> I found some nice documentation at https://access.redhat.com/solutions/394763
>
> I used this command to see the ranges that I have configured:
> ipa idrange-find
>
> And these two commands to see the UIDs of the users who had not yet been
> given SIDs (some were inside the existing range; I think you're correct that
> the process stops at the first error):
> ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b "cn=users,cn=accounts,dc=semi,dc=example,dc=net" "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n
> ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b "cn=deleted users,cn=accounts,cn=provisioning,dc=semi,dc=example,dc=net" "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n
>
> Here's some documentation on what ID and RID ranges are for:
> https://www.freeipa.org/page/V3/ID_Ranges
>
> After doing a bunch of math and guess and check, I ran this:
> ipa idrange-add SEMI.EXAMPLE.NET_US150777_range --base-id=1441400000 --range-size=531251000 --rid-base=101000000 --secondary-rid-base=633000000
>
> That gave me an additional range (confirmed with ipa idrange-find). I ran ipa
> config-mod --enable-sid --add-sids again, saw no significant errors in
> /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors, and confirmed that there were
> 0 users left with no ipaNTSecurityIdentifier.
>
> All users are all set now. Thank you again.
Glad to hear it and thank you for your detailed analysis. I think this will be useful to other users that may run into this.

rob

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
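The "bunch of math and guess and check" behind the idrange-add in the thread can be scripted. The Python below is an added example, not code from the original post or from FreeIPA: it parses `ipa idrange-find` output, lists the uidNumbers that fall outside every local ID range (an ID outside all local ranges is one sidgen cannot convert, and since the task stops at its first failure a single run only ever reports one of them), and proposes `ipa idrange-add` parameters whose POSIX ID interval and both RID intervals do not collide with the ranges already configured. The sample `idrange-find` output and the uidNumber list are constructed; the range values, the `NEW_range` names and the `ipa01`-style environment are hypothetical and not those from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape `ipa idrange-find` prints (values hypothetical).
SAMPLE_IDRANGE_FIND = """\
----------------
1 range matched
----------------
  Range name: SEMI.EXAMPLE.NET_id_range
  First Posix ID of the range: 1400000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
"""

# Constructed sample of uidNumber values that still lack ipaNTSecurityIdentifier.
SAMPLE_UIDS_WITHOUT_SID = [1400000005, 1441400012, 1566000023]

_FIELDS = {
    "Range name": "name",
    "First Posix ID of the range": "base_id",
    "Number of IDs in the range": "size",
    "First RID of the corresponding RID range": "rid_base",
    "First RID of the secondary RID range": "secondary_rid_base",
}


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int
    size: int
    rid_base: int
    secondary_rid_base: int

    @property
    def id_end(self):  # exclusive upper bound of the POSIX ID interval
        return self.base_id + self.size

    def contains(self, posix_id):
        return self.base_id <= posix_id < self.id_end

    def rid_intervals(self):
        """Both half-open RID intervals the range claims (primary, secondary)."""
        return [(self.rid_base, self.rid_base + self.size),
                (self.secondary_rid_base, self.secondary_rid_base + self.size)]


def parse_idrange_find(text):
    """Parse `ipa idrange-find` output; entries without RID bases (trust
    ranges) are dropped, since sidgen only allocates SIDs from local ranges."""
    entries, cur = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m or m.group(1) not in _FIELDS:
            continue
        key, val = _FIELDS[m.group(1)], m.group(2).strip()
        if key == "name" and cur:          # a new entry starts
            entries.append(cur)
            cur = {}
        cur[key] = val if key == "name" else int(val)
    if cur:
        entries.append(cur)
    return [IdRange(**e) for e in entries if len(e) == len(_FIELDS)]


def uncovered_ids(posix_ids, ranges):
    """IDs outside every local range: the ones sidgen cannot turn into a SID."""
    return sorted(i for i in posix_ids if not any(r.contains(i) for r in ranges))


def _overlaps(a, b):
    return a[0] < b[1] and b[0] < a[1]


def next_free_rid_base(size, taken, start=1000):
    """Lowest base >= start such that [base, base+size) hits no taken interval."""
    base = start
    while True:
        hit = next((t for t in sorted(taken) if _overlaps((base, base + size), t)), None)
        if hit is None:
            return base
        base = hit[1]                      # jump past the interval we collided with


def propose_ranges(posix_ids, ranges, prefix="NEW"):
    """One proposal per gap between existing ranges that holds uncovered IDs,
    so no proposal overlaps an existing ID range or any RID interval.
    Returns (IdRange, idrange-add command) pairs."""
    ends = [r.id_end for r in ranges]
    groups = {}
    for i in uncovered_ids(posix_ids, ranges):
        gap = sum(1 for e in ends if e <= i)  # how many ranges lie entirely below i
        groups.setdefault(gap, []).append(i)
    taken = [iv for r in ranges for iv in r.rid_intervals()]
    proposals = []
    for n, (_, ids) in enumerate(sorted(groups.items())):
        base, size = ids[0], ids[-1] - ids[0] + 1
        rid = next_free_rid_base(size, taken)
        taken.append((rid, rid + size))
        sec = next_free_rid_base(size, taken)
        taken.append((sec, sec + size))
        r = IdRange(f"{prefix}_range{n}", base, size, rid, sec)
        proposals.append((r, f"ipa idrange-add {r.name} --base-id={base} "
                             f"--range-size={size} --rid-base={rid} "
                             f"--secondary-rid-base={sec}"))
    return proposals


def find_conflicts(ranges):
    """Pairs of range names whose POSIX ID or RID intervals overlap. Run it on
    the existing ranges plus the proposals before typing idrange-add; expect []."""
    ivs = [(r.name, "id", (r.base_id, r.id_end)) for r in ranges]
    ivs += [(r.name, "rid", iv) for r in ranges for iv in r.rid_intervals()]
    return [(a, b, ka) for i, (a, ka, ia) in enumerate(ivs)
            for b, kb, ib in ivs[i + 1:] if ka == kb and _overlaps(ia, ib)]


if __name__ == "__main__":
    existing = parse_idrange_find(SAMPLE_IDRANGE_FIND)
    print("uncovered:", uncovered_ids(SAMPLE_UIDS_WITHOUT_SID, existing))
    for r, cmd in propose_ranges(SAMPLE_UIDS_WITHOUT_SID, existing):
        print(cmd, "| conflicts:", find_conflicts(existing + [r]))
```

In real use, feed `ipa idrange-find` output and the sorted uidNumber list from the two ldapsearch pipelines in the thread into `parse_idrange_find` and `propose_ranges`, and only run the printed idrange-add once `find_conflicts` on existing plus proposed ranges is empty; the proposal sizes each new range to exactly the uncovered IDs, so widen `size` by hand if future accounts will be created in that gap, re-checking conflicts afterwards. After the range exists, rerun `ipa config-mod --enable-sid --add-sids` and repeat the ldapsearch until nothing is left without ipaNTSecurityIdentifier, as the thread does.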
