On pe, 18 joulu 2020, Kiselev Mikhail via FreeIPA-users wrote:
Thanks, this is my case:
"Running 'ipa-adtrust-install --add-sids' might still not produce SIDs
for some users and groups because their UIDs/GIDs might be out of the ID
range associated with IPA deployment. This is a common issue for users
migrated from a different LDAP server with 'ipa migrate-ds' because
those accounts most likely have UIDs/GIDs from completely different
range.
Either they need UIDs/GIDs to be allocated from IPA ID range or a new ID
range should be created to cover their UIDs/GIDs range. The latter
requires understanding how ID ranges are organized. I'd recommend you to
read 'ipa help idrange' carefully."
Yep. See
https://www.redhat.com/archives/freeipa-users/2017-February/msg00114.html
On 18.12.2020 17:31, Alexander Bokovoy wrote:
>As I answered already in the FreeIPA ticket you created, the issue is
>within the content of your migrated user's entry.
>
>In order to allow creating ipaNTHash attribute:
>Â - IPA configuration should allow storing NT hashes
>Â - LDAP entry should already have objectclass ipaNTUserAttrs or
>samSambaAccount
>Â - user have to change the password
>
>As IPA users already have ipaNTHash, the first two conditions are
>satisfied (globally and for the specific user object). IPA users are
>required to change their password before use, so third condition is
>satisfied as well.
>
>For migrated users, the most likely situation is that they have no
>ipaNTUserAttrs objectclass. You cannot easily add yourself because
>ipaNTUserAttrs object class requires ipaNTSecurityIdentifier attribute
>which value (SID) is autogenerated and tightly connected to the ID
>ranges associated with the IPA deployment.
>
>In order to add SIDs to users/groups that don't have them requires use
>of 'ipa-adtrust-install --add-sids' on IPA server that has Trust
>Controller role.
>
>Running 'ipa-adtrust-install --add-sids' might still not produce SIDs
>for some users and groups because their UIDs/GIDs might be out of the ID
>range associated with IPA deployment. This is a common issue for users
>migrated from a different LDAP server with 'ipa migrate-ds' because
>those accounts most likely have UIDs/GIDs from completely different
>range.
>
>Either they need UIDs/GIDs to be allocated from IPA ID range or a new ID
>range should be created to cover their UIDs/GIDs range. The latter
>requires understanding how ID ranges are organized. I'd recommend you to
>read 'ipa help idrange' carefully.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland