On Tue, 23 Jan 2024, Harald Dunkel via FreeIPA-users wrote:
Hi Soeren,
On 2024-01-23 14:06:11, Sören R. via FreeIPA-users wrote:
Hi Harri,
did you check your admin user, if the attribute is set?
# ipa user-show admin --all | grep ipantsecurityidentifier
The admin user has this attribute set, but my own account used to access the web interface hasn't. I am still trying to find a way to add this ipantsecurityidentifier attribute to all users, but wasn't there some kind of builtin supposed to fix this automagically?
No, not automatically, because it is a task that goes through all user accounts one by one and fixes them. It also requires properly defined ID ranges that cover all uidNumber/gidNumber in user/group entries.
One issue we identified today together with the Fedora infrastructure team is that staged users (created with 'ipa stageuser-add') will prevent the sidgen plugin from generating entries.
Still trying to find the right documentation.
All documentation was mentioned already in these threads. Please see https://access.redhat.com/articles/7027037 for more details (needs RHEL subscription, including a free developer subscription).
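The ID range requirement described above can be checked before running the SID generation task. The following is an added example, not part of the original thread or of FreeIPA itself: it assumes entries and ranges have already been exported into Python structures keyed by the LDAP attribute names (`uidNumber`, `gidNumber`, `ipaNTSecurityIdentifier`, `ipaBaseID`, `ipaIDRangeSize`), and all sample values are constructed.

```python
from typing import NamedTuple

class IdRange(NamedTuple):
    name: str
    base_id: int   # ipaBaseID: first POSIX ID of the range
    size: int      # ipaIDRangeSize: number of IDs in the range

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

def audit_entries(entries, ranges):
    """Split entries lacking a SID into (fixable, blocked).

    fixable: uidNumber/gidNumber all fall inside a defined ID range, so the
             SID generation task can process the entry.
    blocked: at least one ID is outside every range; listed with those IDs.
    """
    fixable, blocked = [], []
    for entry in entries:
        if entry.get("ipantsecurityidentifier"):
            continue  # already has a SID, nothing to do
        ids = [entry[k] for k in ("uidnumber", "gidnumber") if k in entry]
        uncovered = [i for i in ids if not any(r.covers(i) for r in ranges)]
        if uncovered:
            blocked.append((entry["uid"], uncovered))
        else:
            fixable.append(entry["uid"])
    return fixable, blocked

# Constructed sample data (hypothetical domain, IDs and SID).
SAMPLE_RANGES = [IdRange("EXAMPLE.TEST_id_range", 1234000000, 200000)]
SAMPLE_ENTRIES = [
    {"uid": "admin", "uidnumber": 1234000000, "gidnumber": 1234000000,
     "ipantsecurityidentifier": "S-1-5-21-1111-2222-3333-500"},
    {"uid": "alice", "uidnumber": 1234000005, "gidnumber": 1234000005},
    # Legacy account whose IDs predate the IPA range
    {"uid": "bob", "uidnumber": 5001, "gidnumber": 5001},
    # First ID past the end of the range (base + size is exclusive)
    {"uid": "carol", "uidnumber": 1234200000, "gidnumber": 1234000007},
]

if __name__ == "__main__":
    fixable, blocked = audit_entries(SAMPLE_ENTRIES, SAMPLE_RANGES)
    print("can be fixed by the task:", fixable)
    for uid, ids in blocked:
        print(f"needs an ID range first: {uid} (uncovered IDs: {ids})")
```

Entries reported as blocked need an ID range covering their IDs before the task can give them a SID.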