Dear, Thanks, I've seen that freeipa-server-master.domain.com is set.

ipa-replica-manage dnarange-show
  freeipa-repl01.domain.com: 748451708-748458499
  freeipa-repl02.domain.com: 748476502-748488999
  freeipa-server-master.domain.com: 748458501-748464499

[root@freeipa-server-master /]# ipa idrange-find --all --raw
----------------
2 ranges matched
----------------
  dn: cn=DOMAIN.COM_id_range,cn=ranges,cn=etc,dc=domain,dc=com
  cn: DOMAIN.COM_id_range
  ipabaseid: 748400000
  ipaidrangesize: 200000
  ipabaserid: 1000
  ipasecondarybaserid: 100000000
  iparangetype: ipa-local
  objectclass: top
  objectclass: ipaIDrange
  objectclass: ipaDomainIDRange

  dn: cn=DOMAIN.COM_subid_range,cn=ranges,cn=etc,dc=domain,dc=com
  cn: DOMAIN.COM_subid_range
  ipabaseid: 2147483648
  ipaidrangesize: 2147352576
  ipabaserid: 2147283648
  ipanttrusteddomainsid: S-1-5-21-738065-838566-263965391
  iparangetype: ipa-ad-trust
  objectclass: top
  objectclass: ipaIDrange
  objectclass: ipaTrustedADDomainRange
----------------------------
Number of entries returned 2
----------------------------

So, when I've executed the command ipa config-mod --enable-sid --add-sids on the server freeipa-server-master, it shows:

  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: domain.com.vn
  Search time limit: 2
  Search size limit: 10000
  User search fields: uid,givenname,sn,mail,fasIRCNick
  Group search fields: cn,description
  Enable migration mode: False
  Certificate Subject base: O=DOMAIN.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  Default user authentication types: password
  IPA masters: freeipa-repl01.domain.com, freeipa-repl02.domain.com, freeipa-server-master.domain.com
  IPA master capable of PKINIT: freeipa-repl01.domain.com, freeipa-repl02.domain.com, freeipa-server-master.domain.com
  IPA CA servers: freeipa-repl01.domain.com, freeipa-repl02.domain.com, freeipa-server-master.domain.com
  IPA CA renewal master: freeipa-repl02.domain.com

But all users without an ipaNTSecurityIdentifier are not generated and unable to log in to the WebUI on the freeipa-server-master (the new replica server).
