Thanks, this is my case:
"Running 'ipa-adtrust-install --add-sids' might still not produce SIDs
for some users and groups because their UIDs/GIDs might be out of the ID
range associated with the IPA deployment. This is a common issue for users
migrated from a different LDAP server with 'ipa migrate-ds' because
those accounts most likely have UIDs/GIDs from a completely different
range.
Either they need UIDs/GIDs to be allocated from the IPA ID range or a new ID
range should be created to cover their UIDs/GIDs range. The latter
requires understanding how ID ranges are organized. I'd recommend that you
read 'ipa help idrange' carefully."
On 18.12.2020 17:31, Alexander Bokovoy wrote:
> As I answered already in the FreeIPA ticket you created, the issue is
> within the content of your migrated user's entry.
>
> In order to allow creating the ipaNTHash attribute:
> - IPA configuration should allow storing NT hashes
> - the LDAP entry should already have objectclass ipaNTUserAttrs or
> sambaSamAccount
> - the user has to change the password
>
> As IPA users already have ipaNTHash, the first two conditions are
> satisfied (globally and for the specific user object). IPA users are
> required to change their password before use, so the third condition is
> satisfied as well.
>
> For migrated users, the most likely situation is that they have no
> ipaNTUserAttrs objectclass. You cannot easily add it yourself because the
> ipaNTUserAttrs object class requires the ipaNTSecurityIdentifier attribute,
> whose value (SID) is autogenerated and tightly connected to the ID
> ranges associated with the IPA deployment.
>
> Adding SIDs to users/groups that don't have them requires the use
> of 'ipa-adtrust-install --add-sids' on an IPA server that has the Trust
> Controller role.
>
> Running 'ipa-adtrust-install --add-sids' might still not produce SIDs
> for some users and groups because their UIDs/GIDs might be out of the ID
> range associated with the IPA deployment. This is a common issue for users
> migrated from a different LDAP server with 'ipa migrate-ds' because
> those accounts most likely have UIDs/GIDs from a completely different
> range.
>
> Either they need UIDs/GIDs to be allocated from the IPA ID range or a new ID
> range should be created to cover their UIDs/GIDs range. The latter
> requires understanding how ID ranges are organized. I'd recommend that you
> read 'ipa help idrange' carefully.