Hi,
I'm encountering the same issue after upgrading to 4.9.12. I had previously imported users from another FreeIPA deployment and their UIDs were outside of the defined ID ranges. I've created a new ID range to encompass these and run the following, but the SIDs still don't get generated:

]# /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --netbios-name DOMAIN-NAME --add-sids
Configuring SID generation
  [1/8]: creating samba domain object
Samba domain object already exists
  [2/8]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [3/8]: adding RID bases
RID bases already set, nothing to do
  [4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [5/8]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [7/8]: adding fallback group
Fallback group already set, nothing to do
  [8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Oliver Nixon via FreeIPA-users wrote:
> Hi,
> I'm encountering the same issue after upgrading to 4.9.12. I had previously imported users from another FreeIPA deployment and their UIDs were outside of the defined ID ranges. I've created a new ID range to encompass these and run the following, but the SIDs still don't get generated:
>
> ]# /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --netbios-name DOMAIN-NAME --add-sids
> Configuring SID generation
>   [1/8]: creating samba domain object
> Samba domain object already exists
>   [2/8]: adding admin(group) SIDs
> Admin SID already set, nothing to do
> Admin group SID already set, nothing to do
>   [3/8]: adding RID bases
> RID bases already set, nothing to do
>   [4/8]: updating Kerberos config
> 'dns_lookup_kdc' already set to 'true', nothing to do.
>   [5/8]: activating sidgen task
> Sidgen task plugin already configured, nothing to do
>   [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
>   [7/8]: adding fallback group
> Fallback group already set, nothing to do
>   [8/8]: adding SIDs to existing users and groups
> This step may take considerable amount of time, please wait..
> Done.
You need to look in /var/log/dirsrv/slapd-REALM/errors for the reason for failure.
rob
Hi Rob,
Thanks for your reply.
All I can find in the log is the following:

[08/Feb/2024:17:31:01.478681171 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[08/Feb/2024:17:31:01.667472180 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [200] into an unused SID.
[08/Feb/2024:17:31:01.689096330 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[08/Feb/2024:17:31:01.716244190 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
Oliver Nixon via FreeIPA-users wrote:
> Hi Rob,
> Thanks for your reply.
> All I can find in the log is the following:
>
> [08/Feb/2024:17:31:01.478681171 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
> [08/Feb/2024:17:31:01.667472180 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [200] into an unused SID.
> [08/Feb/2024:17:31:01.689096330 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
> [08/Feb/2024:17:31:01.716244190 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
> --
It means you have a user outside an IPA range (and honestly anything < 1000 should be treated as reserved IMHO). There are a LOT of other threads on this list regarding this type of issue which contain very helpful advice. I'd suggest you check the archives.
rob
Hi Rob,
Thanks for confirming.
The strange thing is there aren't any users outside of the range that I can find and there is definitely nothing with an ID of 200.
Just to chime in on this.
I'm not 100% sure this isn't a bug, as I've also hit the same issue after an update. In the end, I've had to re-create the affected accounts with the same UID and GID after deletion, which is resolving the issue for me as I wasn't able to find a solution using the mail-list archives.
Marc.
-----Original Message-----
From: Oliver Nixon via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Monday, February 12, 2024 10:54 AM
To: freeipa-users@lists.fedorahosted.org
Cc: Oliver Nixon <olivernixon21@gmail.com>
Subject: [Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working

> Hi Rob,
> Thanks for confirming.
> The strange thing is there aren't any users outside of the range that I can find and there is definitely nothing with an ID of 200.
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On Mon, Feb 12, 2024 at 10:53:33AM -0000, Oliver Nixon via FreeIPA-users wrote:
> Hi Rob,
> Thanks for confirming.
> The strange thing is there aren't any users outside of the range that I can find and there is definitely nothing with an ID of 200.
It may be a GID of some group.
Complete oversight by me sorry...
There was a GID of a group set to 200. After changing that and running sidgen again, all the users now have SIDs.
hi all,
thanks to all for this thread. this is not for the faint of heart. i had similar issue with upgrade on el88 (ipa-server-4.9.11-7.module+el8.8.0+19639+24a8b95c.x86_64 -> ipa-server-4.9.11-9.module+el8.8.0+20825+52dd1628.x86_64; yes, not even a subminor version change)

my experience:
0. all rest client access broken after update, incl ipa command
1. find this thread
2. /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid broken due to missing dnarange -> but got ipa working back for admin user, this was a lifesaver. kudos to whoever implemented it that it started with the admin user. it was the only one who got the ipantsecurityidentifier
3. figure out why we need dnarange (we don't; we add all users with predefined uids), and what minimal range we can use (a range of size 1 is not enough ;)
4. config-mod enable sid gives errors in the ldap errors file (and not the sid enable log file) due to users not in an idrange
5. add idrange without baserid, config mod reveals conflict in rids
6. so run ldapmodify to fix it. rerun config-mod to discover another set of users not in the idrange
7. add another idrange, this time with baserids
8. run config-mod again, some errors that appear harmless
9. run config-mod again, clean logs
hooray for trusting version numbers to estimate potential impact of an update!
stijn
On 2/12/24 12:19, Oliver Nixon via FreeIPA-users wrote:
> Complete oversight by me sorry...
> There was a GID of a group set to 200. After changing that and running sidgen again, all the users now have SIDs.
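As an added pre-flight check (not code from this thread or from FreeIPA itself), the Python below models the two conditions that bit Oliver and Stijn: a uidNumber or gidNumber, groups included, that no idrange covers (the "Cannot convert Posix ID [N] into an unused SID" case), and two idranges whose RID spans overlap (the RID conflict Stijn hit when adding a range without a baserid). Range names, DNs and ID values are constructed sample data; the attribute names in the comments are the real idrange attributes.

```python
from typing import List, Optional, Tuple


class IdRange:
    """One ipa idrange: POSIX span [base_id, base_id+size) plus optional RID bases
    (ipabaseid, ipaidrangesize, ipabaserid, ipasecondarybaserid)."""

    def __init__(self, name: str, base_id: int, size: int,
                 base_rid: Optional[int] = None, secondary_base_rid: Optional[int] = None):
        self.name, self.base_id, self.size = name, base_id, size
        self.base_rid, self.secondary_base_rid = base_rid, secondary_base_rid

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

    def rid_spans(self) -> List[Tuple[int, int]]:
        # Each RID base maps the whole POSIX span onto RIDs [base, base+size).
        return [(b, b + self.size) for b in (self.base_rid, self.secondary_base_rid) if b is not None]


def uncovered_ids(ranges, entries):
    """uidNumber/gidNumber values (users AND groups) that no range covers:
    exactly the entries sidgen cannot turn into a SID."""
    hits = []
    for dn, attrs in entries:
        for attr in ("uidNumber", "gidNumber"):
            if attr in attrs and not any(r.covers(attrs[attr]) for r in ranges):
                hits.append((dn, attr, attrs[attr]))
    return hits


def rid_conflicts(ranges):
    """Pairs of range names whose RID spans overlap; sidgen needs them disjoint."""
    spans = [(r.name, lo, hi) for r in ranges for lo, hi in r.rid_spans()]
    return [(a, b) for i, (a, lo1, hi1) in enumerate(spans)
            for b, lo2, hi2 in spans[i + 1:] if lo1 < hi2 and lo2 < hi1]


# Constructed sample data (hypothetical names and values, not from the thread).
RANGES = [
    IdRange("EXAMPLE.TEST_id_range", 100000, 200000, base_rid=1000, secondary_base_rid=100001000),
    IdRange("imported_users", 50000, 1000, base_rid=1000),   # same base RID: conflict
]
ENTRIES = [
    ("uid=alice,cn=users,cn=accounts,dc=example,dc=test", {"uidNumber": 100500, "gidNumber": 100500}),
    ("uid=bob,cn=users,cn=accounts,dc=example,dc=test", {"uidNumber": 50010, "gidNumber": 50010}),
    ("cn=legacy,cn=groups,cn=accounts,dc=example,dc=test", {"gidNumber": 200}),  # outside every range
]

if __name__ == "__main__":
    for dn, attr, value in uncovered_ids(RANGES, ENTRIES):
        print(f"{dn}: {attr}={value} is outside every idrange")
    for a, b in rid_conflicts(RANGES):
        print(f"RID spans of {a} and {b} overlap")
```

Feed it the output of `ipa idrange-find` and an LDAP search for uidNumber/gidNumber over both the users and groups containers; the group case is the one that is easy to miss.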