Last week I was having SSSD issues and Sumit was sharp enough to pick out that I
didn't allow enough RIDs.
(https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...)
I increased the range by 5,000,000 via the GUI, restarted both SSSD services (test IPA
server, test client) after clearing their caches and it started to work.
For reasons, the IPA test server was power cycled and when it came back up, IPA won't
start. `ipactl start` aborts because "Failed to start smb Service".
I am seeing the following in the Samba logs:
[2021/02/23 14:57:23.259648, 0] ../../source3/smbd/server.c:1782(main)
smbd version 4.12.3 started.
Copyright Andrew Tridgell and the Samba Team 1992-2020
[2021/02/23 14:57:23.312207, 1] ../../source3/profile/profile.c:55(set_profile_level)
INFO: Profiling turned OFF from pid 2360
[2021/02/23 14:57:23.345139, 0] ipa_sam.c:3980(get_fallback_group_sid)
Missing mandatory attribute ipaNTSecurityIdentifier.
[2021/02/23 14:57:23.345184, 0] ipa_sam.c:4950(pdb_init_ipasam)
Cannot find SID of fallback group.
[2021/02/23 14:57:23.345194, 0] ../../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-TEST-IDM-COMPANY-COM.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
[2021/02/23 15:05:11.201577, 0] ../../source3/smbd/server.c:1782(main)
smbd version 4.12.3 started.
Copyright Andrew Tridgell and the Samba Team 1992-2020
[2021/02/23 15:05:11.212856, 1] ../../source3/profile/profile.c:55(set_profile_level)
INFO: Profiling turned OFF from pid 3146
[2021/02/23 15:05:11.234448, 0] ipa_sam.c:3980(get_fallback_group_sid)
Missing mandatory attribute ipaNTSecurityIdentifier.
A quick search suggests that potentially my change of the RID has affected SMB but I'm
not 100% sure what to do next.
I guess I need to add an ipaNTSecurityIdentifier variable - but I'm not sure where.
This page
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-i...
suggests that I need to add a sidgen to the FreeIPA users that exist, but those users were
created via the GUI - shouldn't the SID have been created then?
And if they didn't, how come I've been able to reboot successfully relatively
frequently without this issue happening before - is it because I changed the value of that
one domain's ID range?
Cheers
L.