Hi,

On Tue, Jan 23, 2024 at 1:05 AM Dungan, Scott A. via FreeIPA-users <[email protected]> wrote:
> Thanks to Paul for all the leg work on this issue. Based on that, I can confirm that we have the same problem after updating to 4.9.12-11 from 4.9.11-7. Running the oddjob command to add SIDs to the user accounts fails after encountering UIDs outside of the default IPA range. It was able to get the admin account working though. We have 294 users with UIDs in the range of 1001 to 99657. These were migrated from an ancient NIS domain when the IPA domain was provisioned. We tried adding a secondary IPA range that covers that scope:
>
> ipa idrange-add ID.EXAMPLE.COM_legacy_range --base-id=1000 --range-size=98899
>
> And then running the oddjob command again, but we get the sidgen errors still, plus an error about overlapping rid ranges:
>
> [22/Jan/2024:15:09:50.398460268 -0800] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
> [22/Jan/2024:15:09:50.499604871 -0800] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [29034] into an unused SID.
> [22/Jan/2024:15:09:50.499960197 -0800] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
> [22/Jan/2024:15:09:50.503257753 -0800] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
> [22/Jan/2024:15:09:55.035779436 -0800] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=id,dc=example,dc=com
> [22/Jan/2024:15:09:55.036238563 -0800] - ERR - schema-compat-plugin - Finished plugin initialization.
> [22/Jan/2024:15:47:04.969286883 -0800] - ERR - ipa_range_check_pre_op - [file ipa_range_check.c, line 670]: New primary rid range overlaps with existing primary rid range.
>
> I suspect that we may not have added the range correctly. We didn't pass the --rid-base= or --secondary-rid-base= flags/values as we were not sure what these values should be.

These values are important in order to generate the SIDs. Please read "The role of security and relative identifiers in IdM ID ranges" <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index#con_the-role-of-security-and-relative-identifiers-in-idm-id-ranges_adjusting-id-ranges-manually> and "Security Identifiers" <https://freeipa.readthedocs.io/en/latest/designs/id-mapping.html#security-identifiers> to understand how they are used. You need to pick values that do not conflict with the ones for your initial range.

flo

> Any help would be much appreciated.
>
> Scott
>
> -----Original Message-----
> From: Rob Crittenden via FreeIPA-users <[email protected]>
> Sent: Thursday, January 18, 2024 11:25 AM
> To: FreeIPA users list <[email protected]>
> Cc: Paul Nickerson <[email protected]>; Rob Crittenden <[email protected]>
> Subject: [Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working
>
> Paul Nickerson via FreeIPA-users wrote:
> > I confirmed that users who had an ipaNTSecurityIdentifier attribute could log in to the web UI, and those that did not have the ipaNTSecurityIdentifier attribute could not.
> >
> > I found the error in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors like you said:
> > [17/Jan/2024:20:28:09.571195828 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
> > [17/Jan/2024:20:28:09.637675948 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1566000023] into an unused SID.
> > [17/Jan/2024:20:28:09.658369523 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
> > [17/Jan/2024:20:28:09.666726494 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
> >
> > I found some nice documentation at https://access.redhat.com/solutions/394763
> >
> > I used this command to see the ranges that I have configured:
> > ipa idrange-find
> >
> > And these two commands to see the UIDs of the users who had not yet been given SIDs (some were inside the existing range; I think you're correct that the process stops at the first error):
> > ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b "cn=users,cn=accounts,dc=semi,dc=example,dc=net" "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n
> > ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b "cn=deleted users,cn=accounts,cn=provisioning,dc=semi,dc=example,dc=net" "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n
> >
> > Here's some documentation on what ID and RID ranges are for:
> > https://www.freeipa.org/page/V3/ID_Ranges
> >
> > After doing a bunch of math and guess and check, I ran this:
> > ipa idrange-add SEMI.EXAMPLE.NET_US150777_range --base-id=1441400000 --range-size=531251000 --rid-base=101000000 --secondary-rid-base=633000000
> >
> > That gave me an additional range (confirmed with ipa idrange-find). I ran ipa config-mod --enable-sid --add-sids again, saw no significant errors in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors, and confirmed that there were 0 users left with no ipaNTSecurityIdentifier.
> >
> > All users are all set now. Thank you again.
>
> Glad to hear it and thank you for your detailed analysis. I think this will be useful to other users that may run into this.
>
> rob
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
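The thread above turns on two things: sidgen can only assign a SID to a POSIX ID that some configured ID range covers, and a new range's primary and secondary RID blocks must not collide with those of an existing range (the "New primary rid range overlaps" rejection Scott hit when --rid-base and --secondary-rid-base were left out). The script below, added here as an illustration and not code from FreeIPA or from anyone in the thread, models both checks offline: it parses uidNumber values out of ldapsearch output like Paul's pipeline produces, lists the UIDs no range covers, reports RID-block conflicts for a candidate range before you run ipa idrange-add, and computes the SID a POSIX ID would get. The RID arithmetic (RID = rid_base + (posix_id - base_id)) follows the FreeIPA ID-mapping design linked above; every range value, the domain SID and the LDIF sample are constructed for the example.

```python
"""Offline model of FreeIPA ID-range bookkeeping used by the sidgen task.
Added illustration, not FreeIPA code. RID = rid_base + (posix_id - base_id)
per the FreeIPA ID-mapping design; all data values below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Interval = Tuple[int, int]  # inclusive (first, last)


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int             # first POSIX ID (uidNumber/gidNumber) covered
    range_size: int          # number of POSIX IDs covered
    rid_base: int            # start of the primary RID block
    secondary_rid_base: int  # start of the secondary RID block

    @property
    def posix_interval(self) -> Interval:
        return (self.base_id, self.base_id + self.range_size - 1)

    def covers(self, posix_id: int) -> bool:
        first, last = self.posix_interval
        return first <= posix_id <= last

    def rid_intervals(self) -> List[Interval]:
        """Both RID blocks this range reserves; each is range_size wide."""
        return [(self.rid_base, self.rid_base + self.range_size - 1),
                (self.secondary_rid_base, self.secondary_rid_base + self.range_size - 1)]


def intervals_overlap(a: Interval, b: Interval) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def range_conflicts(existing: List[IdRange], new: IdRange) -> List[str]:
    """Every way `new` collides with `existing` ranges; an empty list means it is safe to add."""
    problems = []
    primary, secondary = new.rid_intervals()
    if intervals_overlap(primary, secondary):
        problems.append("primary and secondary RID blocks of the new range overlap each other")
    for other in existing:
        if intervals_overlap(new.posix_interval, other.posix_interval):
            problems.append(f"POSIX ID interval overlaps with {other.name}")
        for mine in new.rid_intervals():
            for theirs in other.rid_intervals():
                if intervals_overlap(mine, theirs):
                    problems.append(f"RID block {mine} overlaps with {other.name} block {theirs}")
    return problems


def posix_id_to_rid(rng: IdRange, posix_id: int) -> int:
    """The RID is the POSIX ID's offset inside the range, shifted to rid_base."""
    if not rng.covers(posix_id):
        raise ValueError(f"POSIX ID {posix_id} is outside range {rng.name}")
    return rng.rid_base + (posix_id - rng.base_id)


def sid_for_posix_id(domain_sid: str, ranges: List[IdRange], posix_id: int) -> Optional[str]:
    """SID for a POSIX ID, or None when no range covers it (the case behind
    'Cannot convert Posix ID [...] into an unused SID')."""
    for rng in ranges:
        if rng.covers(posix_id):
            return f"{domain_sid}-{posix_id_to_rid(rng, posix_id)}"
    return None


def parse_uid_numbers(ldif_text: str) -> List[int]:
    """Collect uidNumber values from ldapsearch (LDIF) output."""
    return sorted(int(line.split(":", 1)[1]) for line in ldif_text.splitlines()
                  if line.startswith("uidNumber:"))


def ids_without_range(ranges: List[IdRange], posix_ids: List[int]) -> List[int]:
    """POSIX IDs no range covers: the entries sidgen will fail on."""
    return sorted(i for i in posix_ids if not any(r.covers(i) for r in ranges))


# Constructed data: a primary range of the usual shape, then a legacy range for
# NIS-era UIDs first with the primary's RID bases reused, then with free ones.
PRIMARY = IdRange("ID.EXAMPLE.COM_id_range", base_id=1659600000, range_size=200000,
                  rid_base=1000, secondary_rid_base=100000000)
LEGACY_COLLIDING = IdRange("ID.EXAMPLE.COM_legacy_range", base_id=1000, range_size=98899,
                           rid_base=1000, secondary_rid_base=100000000)
LEGACY_OK = IdRange("ID.EXAMPLE.COM_legacy_range", base_id=1000, range_size=98899,
                    rid_base=300000000, secondary_rid_base=400000000)
DOMAIN_SID = "S-1-5-21-1-2-3"  # placeholder domain SID, constructed

# Constructed ldapsearch output for users lacking ipaNTSecurityIdentifier.
SAMPLE_LDIF = """\
# requesting: uidNumber
dn: uid=alice,cn=users,cn=accounts,dc=id,dc=example,dc=com
uidNumber: 29034

dn: uid=bob,cn=users,cn=accounts,dc=id,dc=example,dc=com
uidNumber: 1001

dn: uid=carol,cn=users,cn=accounts,dc=id,dc=example,dc=com
uidNumber: 1659600005
"""


def demo() -> None:
    uids = parse_uid_numbers(SAMPLE_LDIF)
    print("uncovered by primary range:", ids_without_range([PRIMARY], uids))
    print("conflicts, RID bases reused:", range_conflicts([PRIMARY], LEGACY_COLLIDING))
    print("conflicts, RID bases chosen:", range_conflicts([PRIMARY], LEGACY_OK))
    print("SID for 29034:", sid_for_posix_id(DOMAIN_SID, [PRIMARY, LEGACY_OK], 29034))


if __name__ == "__main__":
    demo()
```

Feed the real output of `ipa idrange-find` into IdRange objects and the real ldapsearch output into parse_uid_numbers to get the same two answers for your own deployment: which UIDs still need a covering range, and whether the --rid-base/--secondary-rid-base values you intend to pass are clear of every existing block (including the new range's own two blocks, which must not overlap each other either).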
