Thanks, the kinit issue is now sorted.

These helped:

https://access.redhat.com/solutions/394763
ldapsearch -LLL -b "dc=ad,dc=companyx,dc=fm" "(objectclass=person)" ipaNTSecurityIdentifier
ldapsearch -LLL -b "dc=ad,dc=companyx,dc=fm" "(objectclass=posixgroup)" gidNumber
Update the one single group that has an out-of-range POSIX GID.

Then I ran this again:
ipa config-mod --enable-sid --add-sids

Then I was able to kinit again.

thanks,

Nick

On Tue, 23 May 2023 at 13:39, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Tue, 23 May 2023, Nicholas Cross wrote:
>Thanks for the pointer.
>
>I found this
>https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts
>
>
>Enable SID usage and trigger the SIDgen task to generate SIDs for existing
>users and groups. This task might be resource-intensive:
>[root@server ~]# ipa config-mod --enable-sid --add-sids
>
>I ran this but have not seen any SIDs in my user accounts (only admin,
>which may have been from an NT AD test connection before my time).
>
>https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts
>
>
>[nicholas.cross@ipa008 ~]$ ipa user-show admin --all | grep ipantsecurityidentifier
>  ipantsecurityidentifier: S-1-5-21-2921078666-3132408961-2510132066-500
>
>[nicholas.cross@ipa008 ~]$ ipa user-show nicholas.cross --all | grep ipantsecurityidentifier
>
>[nicholas.cross@ipa008 ~]$ ipa user-find --all --disabled=False | awk -F: '/User login/{print $2}' | xargs -IUUU ipa user-show UUU --all | egrep "User login|ipantsecurityidentifier"
>  ... long list with only admin with ipantsecurityidentifier specified.
>
>
>How long does the sidgen take to run?
>
>The dirsrv error log
>
>[root@ipa008 slapd-AD-xxxxx-FM]# grep sidgen errors
>[23/May/2023:11:57:06.008222790 +0000] - ERR - sidgen_task_thread - [file
>ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>[23/May/2023:11:57:06.088656904 +0000] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [116] into an
>unused SID.
>[23/May/2023:11:57:06.090924999 +0000] - ERR - do_work - [file
>ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
>[23/May/2023:11:57:06.095245986 +0000] - ERR - sidgen_task_thread - [file
>ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

As I said, please look at the previous discussions on this list; they
cover your situation as well. You have POSIX ID 116, which is not covered
by any ID range, hence it cannot have a SID associated with it.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
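As an added example (not from this thread and not FreeIPA's own code): a small Python check that reproduces Alexander's diagnosis by parsing `ipa idrange-find`-style output together with the `ldapsearch -LLL ... gidNumber` listing Nick used, and reporting every POSIX ID that falls outside all configured ID ranges, which is exactly what makes the SIDgen task fail with "Cannot convert Posix ID [...] into an unused SID". The range name, group names and ID values in the embedded samples are constructed; the field labels follow the `ipa idrange-find` output format, and the same `parse_ldif_ids` call with `uidNumber` covers users.

```python
import re

# Constructed sample in the shape of `ipa idrange-find` output (not output from the thread).
IDRANGE_OUTPUT = """\
  Range name: AD.COMPANYX.FM_id_range
  First Posix ID of the range: 1234000000
  Number of IDs in the range: 200000
  Range type: local domain range
"""

# Constructed sample in the shape of the `ldapsearch -LLL ... gidNumber` listing from the thread.
GROUP_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=ad,dc=companyx,dc=fm
gidNumber: 1234000000

dn: cn=legacy-ops,cn=groups,cn=accounts,dc=ad,dc=companyx,dc=fm
gidNumber: 116
"""

def parse_idranges(text):
    """Return [(name, first_id, last_id)] parsed from ipa idrange-find output."""
    ranges, name, first = [], None, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        if key == "Range name":
            name = val.strip()
        elif key == "First Posix ID of the range":
            first = int(val)
        elif key == "Number of IDs in the range":
            # Last ID is inclusive: first + size - 1
            ranges.append((name, first, first + int(val) - 1))
    return ranges

def parse_ldif_ids(text, attr):
    """Return [(dn, id)] for LDIF entries carrying attr (gidNumber or uidNumber).
    Entries are separated by blank lines; base64 ('::') values are not handled here."""
    out = []
    for entry in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.partition(":")[::2] for line in entry.splitlines())
        if attr in fields:
            out.append((fields["dn"].strip(), int(fields[attr])))
    return out

def find_unranged(entries, ranges):
    """Entries whose POSIX ID lies outside every ID range: SIDgen cannot map these to a SID."""
    return [(dn, n) for dn, n in entries if not any(lo <= n <= hi for _, lo, hi in ranges)]

if __name__ == "__main__":
    ranges = parse_idranges(IDRANGE_OUTPUT)
    for dn, n in find_unranged(parse_ldif_ids(GROUP_LDIF, "gidNumber"), ranges):
        print(f"POSIX ID {n} is outside all ID ranges: {dn}")
```

On a real server, feed it the output of `ipa idrange-find` and of the two ldapsearch commands above; any entry it reports must be moved into a range (or a matching range added) before `ipa config-mod --enable-sid --add-sids` can succeed.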