Paul Nickerson via FreeIPA-users wrote:
I confirmed that users who had an ipaNTSecurityIdentifier attribute could log in to the web UI, and those that did not have the ipaNTSecurityIdentifier attribute could not.
I found the error in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors like you said:

[17/Jan/2024:20:28:09.571195828 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[17/Jan/2024:20:28:09.637675948 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1566000023] into an unused SID.
[17/Jan/2024:20:28:09.658369523 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[17/Jan/2024:20:28:09.666726494 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
I found some nice documentation at https://access.redhat.com/solutions/394763
I used this command to see the ranges that I have configured: ipa idrange-find
And these two commands to see the UIDs of the users who had not yet been given SIDs (some were inside the existing range; I think you're correct that the process stops at the first error):

ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b "cn=users,cn=accounts,dc=semi,dc=example,dc=net" "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n

ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b "cn=deleted users,cn=accounts,cn=provisioning,dc=semi,dc=example,dc=net" "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n
Here's some documentation on what ID and RID ranges are for: https://www.freeipa.org/page/V3/ID_Ranges
After doing a bunch of math and guess and check, I ran this:

ipa idrange-add SEMI.EXAMPLE.NET_US150777_range --base-id=1441400000 --range-size=531251000 --rid-base=101000000 --secondary-rid-base=633000000
That gave me an additional range (confirmed with ipa idrange-find). I ran ipa config-mod --enable-sid --add-sids again, saw no significant errors in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors, and confirmed that there were 0 users left with no ipaNTSecurityIdentifier.
All users are all set now. Thank you again.
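The "math and guess and check" step above (comparing the SID-less uidNumbers against the ranges `ipa idrange-find` reports, then picking a base ID, size, RID base and secondary RID base that do not collide with anything already configured) is easy to get wrong by hand. The script below is an added example written for this thread; it is not code from the original post or from the FreeIPA project. The `idrange-find` text embedded in it uses the field labels that `ipa idrange-find` prints, but every number in it, the UID list and the two proposed ranges are constructed for the example. The collision rules it applies (ID ranges must not overlap each other; a RID range, primary or secondary, must not overlap any other RID range, including the new range's own other RID range; and a RID range must fit inside the 32-bit RID space of a SID) are my reading of what `ipa idrange-add` enforces, so treat the checker as a pre-flight aid, not a substitute for the server's own validation.

```python
"""Find uidNumbers no configured FreeIPA ID range covers and sanity-check a
proposed new range before running `ipa idrange-add`.

Added example; not from the original post or the FreeIPA project. Field labels
below follow `ipa idrange-find` output, all numbers are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RID_LIMIT = 2 ** 32  # a RID is a 32-bit sub-authority of a SID

# Constructed sample in the shape of `ipa idrange-find` output.
SAMPLE_IDRANGE_FIND = """\
----------------
1 range matched
----------------
  Range name: SEMI.EXAMPLE.NET_id_range
  First Posix ID of the range: 1566000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
"""

# Constructed uidNumbers of users still lacking ipaNTSecurityIdentifier (what the
# ldapsearch pipeline in the thread prints). One sits inside the existing range:
# sidgen stops at the first failure, so users it never reached are listed too.
SAMPLE_UIDS = [1566000023, 1441400005, 1500000000, 1565999999]


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int
    size: int
    rid_base: Optional[int] = None
    secondary_rid_base: Optional[int] = None

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

    def intervals(self) -> List[Tuple[str, int, int]]:
        """Half-open (kind, start, end) intervals this range claims."""
        out = [("id", self.base_id, self.base_id + self.size)]
        for base in (self.rid_base, self.secondary_rid_base):
            if base is not None:
                out.append(("rid", base, base + self.size))
        return out


_FIELDS = {
    "Range name": "name",
    "First Posix ID of the range": "base_id",
    "Number of IDs in the range": "size",
    "First RID of the corresponding RID range": "rid_base",
    "First RID of the secondary RID range": "secondary_rid_base",
}
_LINE = re.compile(r"^\s*(%s): (.+?)\s*$" % "|".join(re.escape(k) for k in _FIELDS))


def parse_idrange_find(text: str) -> List[IdRange]:
    """Parse `ipa idrange-find` output; each 'Range name' line starts an entry."""
    ranges, cur = [], {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        field, value = _FIELDS[m.group(1)], m.group(2)
        if field == "name" and cur:
            ranges.append(IdRange(**cur))
            cur = {}
        cur[field] = value if field == "name" else int(value)
    if cur:
        ranges.append(IdRange(**cur))
    return ranges


def uncovered(uids, ranges: List[IdRange]) -> List[int]:
    """uidNumbers that no range covers; these are the ones a new range must span."""
    return sorted(u for u in uids if not any(r.covers(u) for r in ranges))


def conflicts(new: IdRange, existing: List[IdRange]) -> List[str]:
    """Describe every collision a proposed range has with the existing ones."""
    problems = []
    mine = new.intervals()
    for kind, a0, a1 in mine:
        if kind == "rid" and a1 > RID_LIMIT:
            problems.append(f"rid range {a0}-{a1 - 1} exceeds the 32-bit RID space")
        for r in existing:
            for kind_b, b0, b1 in r.intervals():
                if kind == kind_b and a0 < b1 and b0 < a1:
                    problems.append(f"{kind} range {a0}-{a1 - 1} overlaps {r.name} {b0}-{b1 - 1}")
    rids = [(s, e) for k, s, e in mine if k == "rid"]
    if len(rids) == 2 and rids[0][0] < rids[1][1] and rids[1][0] < rids[0][1]:
        problems.append("primary and secondary RID ranges of the new range overlap each other")
    return problems


# Two constructed proposals: the first is sized so that it runs into the
# existing range, the second stops just below it.
BAD_PROPOSAL = IdRange("SEMI.EXAMPLE.NET_extra_range", 1441400000, 531251000, 101000000, 633000000)
GOOD_PROPOSAL = IdRange("SEMI.EXAMPLE.NET_extra_range", 1441400000, 124600000, 101000000, 633000000)

if __name__ == "__main__":
    ranges = parse_idrange_find(SAMPLE_IDRANGE_FIND)
    print("uncovered before:", uncovered(SAMPLE_UIDS, ranges))
    for p in (BAD_PROPOSAL, GOOD_PROPOSAL):
        print("size", p.size, "->", conflicts(p, ranges) or "ok",
              "| still uncovered:", uncovered(SAMPLE_UIDS, ranges + [p]))
```

In practice you would paste the real `ipa idrange-find` output into SAMPLE_IDRANGE_FIND, feed the sorted uidNumber list from the two ldapsearch commands into SAMPLE_UIDS, and iterate on the proposal until conflicts() is empty and uncovered() with the proposal appended is empty too; then run the corresponding `ipa idrange-add` and `ipa config-mod --enable-sid --add-sids` as in the thread.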
Glad to hear it and thank you for your detailed analysis. I think this will be useful to other users that may run into this.
rob