On Mon, 29 Jan 2024, Melissa Ferreira da Silva Boiko via FreeIPA-users wrote:
> Hi,
> I'm trying to upgrade an ancient master replica (the CA master) running FreeIPA 4.5 on CentOS 7.4. Upgrading the freeipa packages in-place (in a cloned VM) caused numerous problems, so I'm trying to create a new master replica on a fresh Fedora 39, using the "Migrating to different platform or OS" procedure described on https://www.freeipa.org/page/Howto/Migration
> At first sight the new replica appears to work, but user creation fails, both on the web and command-line, with:
>
> $ ipa user-add --first=Testy --last=McTestface teste123
> ipa: ERROR: missing attribute "sambaSID" required by object class "sambaSamAccount"
>
> Web searches seem to suggest this is due to a missing DNA plugin that should autogenerate the sambaSIDs, but I failed to find a guide on how to enable that plugin with current IPA (4.11). Should it be enabled automatically?
> Unless it's used for something internal to IPA, I don't think we are actually even using AD integration or SMB shares, so removing Samba support altogether would also be an option, but I don't know what the safe way of doing that to the schema is either.
Looks like your old deployment had been using custom object classes and attributes. FreeIPA does not use sambaSID and sambaSamAccount at all. These attributes and object classes are part of IPA setup but they aren't used.
FreeIPA has used a different set of attributes and object classes for storing SID-related information for more than a decade. That information is now mandatory to prevent a number of impersonation attacks that could be possible in a Kerberized environment without MS-PAC structures in Kerberos tickets.
Since 'sambaSID' is not used by IPA, it is probably something that your deployment has been configured to add by default. Can you show the output of the following?

$ ipa config-show --all --raw
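The reply above asks for `ipa config-show --all --raw` because the object classes that IPA stamps onto every new user are stored in the ipaConfig entry (attribute ipaUserObjectClasses); if sambaSamAccount is in that list, every `ipa user-add` will demand a sambaSID. The script below is an added example, not code from the thread or from the FreeIPA project: it parses such raw output for the Samba object classes and prints (without running) the `ipa config-mod` command that would drop them from the default list. The raw output embedded in it is constructed for offline use, and the `--userobjectclasses` option name is taken from `ipa config-mod --help` rather than from anything in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the default user object
# classes in ipaConfig include the Samba schema that FreeIPA itself does not use.
# Run with --live to query a real server; otherwise the constructed sample is used.

# Constructed sample of `ipa config-show --all --raw` output (abridged; the
# real output has many more attributes). Raw mode prints LDAP attribute names.
SAMPLE_CONFIG_RAW='  dn: cn=ipaConfig,cn=etc,dc=example,dc=test
  cn: ipaConfig
  ipauserobjectclasses: top
  ipauserobjectclasses: person
  ipauserobjectclasses: organizationalperson
  ipauserobjectclasses: inetorgperson
  ipauserobjectclasses: inetuser
  ipauserobjectclasses: posixaccount
  ipauserobjectclasses: krbprincipalaux
  ipauserobjectclasses: krbticketpolicyaux
  ipauserobjectclasses: ipaobject
  ipauserobjectclasses: ipasshuser
  ipauserobjectclasses: sambaSamAccount
  ipagroupobjectclasses: top
  ipagroupobjectclasses: groupofnames
  ipagroupobjectclasses: nestedgroup
  ipagroupobjectclasses: ipausergroup
  ipagroupobjectclasses: ipaobject
  ipahomesrootdir: /home'

# user_objectclasses RAW_OUTPUT
# Prints one default user object class per line, case preserved.
user_objectclasses() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ipauserobjectclasses:[[:space:]]*//p'
}

# samba_objectclasses RAW_OUTPUT
# Prints the default user object classes from the samba* schema family.
# Object class names are case-insensitive in LDAP, so match accordingly.
samba_objectclasses() {
    user_objectclasses "$1" | grep -i '^samba' || true
}

# suggested_config_mod RAW_OUTPUT
# Prints the ipa config-mod command that keeps every default user object class
# except the samba* ones. Assumption (not from the thread): the multi-valued
# option is --userobjectclasses, as listed by `ipa config-mod --help`.
# The command is printed for review, never executed here.
suggested_config_mod() {
    keep=$(user_objectclasses "$1" | grep -iv '^samba' || true)
    cmd='ipa config-mod'
    for oc in $keep; do          # object class names contain no whitespace
        cmd="$cmd --userobjectclasses=$oc"
    done
    printf '%s\n' "$cmd"
}

if [ "${1:-}" = "--live" ]; then
    raw=$(ipa config-show --all --raw)
else
    raw=$SAMPLE_CONFIG_RAW
fi

found=$(samba_objectclasses "$raw")
if [ -n "$found" ]; then
    echo "Default user object classes include Samba schema that IPA does not use:"
    printf '  %s\n' $found
    echo "Each user-add will then require sambaSID. Candidate fix (review before running):"
    suggested_config_mod "$raw"
else
    echo "No samba* classes among ipauserobjectclasses; the sambaSID requirement comes from elsewhere."
fi
```

Changing ipaUserObjectClasses only affects users created afterwards; existing entries keep the object classes and attributes they already have. Whether this is actually the cause in the deployment above is exactly what the requested `ipa config-show --all --raw` output would confirm.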