On Mon, 29 Jan 2024, Melissa Ferreira da Silva Boiko via FreeIPA-users wrote:
Hi,
I'm trying to upgrade an ancient master replica (the CA master) running
FreeIPA 4.5 on CentOS 7.4. Upgrading the freeipa packages in-place (in
a cloned VM) caused numerous problems so I'm trying to create a new
master replica on a fresh Fedora 39, using the "Migrating to different
platform or OS" procedure described on
https://www.freeipa.org/page/Howto/Migration
At first sight the new replica appears to work, but user creation
fails, both on the web and command-line, with:
ipa user-add --first=Testy --last=McTestface teste123
ipa: ERROR: missing attribute "sambaSID" required by object class "sambaSamAccount"
Web searches seem to suggest this is due to a missing DNA plugin that
should autogenerate the sambaSIDs, but I failed to find a guide on how
to enable that plugin with current IPA (4.11). Should it be enabled
automatically?
Unless it's used for something internal to IPA I don't think we
actually are even using AD integration or SMB shares, so removing Samba
support altogether would also be an option, but I don't know what's the
safe way of doing that to the schema either.
Looks like your old deployment had been using custom object classes and
attributes. FreeIPA does not use sambaSID and sambaSamAccount at all.
These attributes and object classes are part of IPA setup but they
aren't used.
FreeIPA has used a different set of attributes/object classes for storing
SID-related information for more than a decade. That information is now
mandatory to prevent a number of impersonation attacks that could be
possible in a Kerberized environment without MS-PAC structures in
Kerberos tickets.
Since 'sambaSID' is not used by IPA, it is probably something that your
deployment has been adding by default. Can you show the output of
$ ipa config-show --all --raw
?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
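An added example (not from the thread, not FreeIPA project code) of the check Alexander is asking for: parse the output of `ipa config-show --all --raw`, list any entry in ipaUserObjectClasses that is not a stock IPA default, and flag the one class from the thread whose required attribute IPA never generates (sambaSamAccount needs sambaSID). The `attribute: value` one-value-per-line layout, the set of stock default classes, and the sample output are all assumptions constructed for the example.

```python
"""Audit ipaUserObjectClasses from `ipa config-show --all --raw` output.

Added example, not from the thread. Assumptions: --raw prints one
`attribute: value` line per value with lowercase attribute names, and
DEFAULT_USER_OBJECTCLASSES matches a stock FreeIPA deployment.
"""
from typing import Dict, List, Tuple

# Assumed stock FreeIPA default user object classes (ipaUserObjectClasses).
DEFAULT_USER_OBJECTCLASSES = {
    "top", "person", "organizationalperson", "inetorgperson", "inetuser",
    "posixaccount", "krbprincipalaux", "krbticketpolicyaux", "ipaobject",
    "ipasshuser",
}

# Object classes whose mandatory attribute IPA does not populate; this is
# the failure the thread reports (sambaSamAccount requires sambaSID).
UNMANAGED_MUST_ATTRS = {"sambasamaccount": "sambaSID"}


def parse_raw(output: str) -> Dict[str, List[str]]:
    """Parse `attr: value` lines into a dict of attribute -> list of values."""
    attrs: Dict[str, List[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def audit_user_objectclasses(output: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (non-default classes, problem descriptions, cleaned class list).

    The cleaned list is the current ipaUserObjectClasses value with the
    classes that need an IPA-unmanaged attribute removed.
    """
    classes = parse_raw(output).get("ipauserobjectclasses", [])
    custom = [c for c in classes if c.lower() not in DEFAULT_USER_OBJECTCLASSES]
    problems = [
        f"{c} requires {UNMANAGED_MUST_ATTRS[c.lower()]}, which IPA does not generate"
        for c in classes if c.lower() in UNMANAGED_MUST_ATTRS
    ]
    cleaned = [c for c in classes if c.lower() not in UNMANAGED_MUST_ATTRS]
    return custom, problems, cleaned


# Constructed sample modelled on the thread's symptom; not real output.
SAMPLE_CONFIG_SHOW = """\
dn: cn=ipaConfig,cn=etc,dc=example,dc=test
cn: ipaConfig
ipauserobjectclasses: top
ipauserobjectclasses: person
ipauserobjectclasses: organizationalperson
ipauserobjectclasses: inetorgperson
ipauserobjectclasses: inetuser
ipauserobjectclasses: posixaccount
ipauserobjectclasses: krbprincipalaux
ipauserobjectclasses: krbticketpolicyaux
ipauserobjectclasses: ipaobject
ipauserobjectclasses: sambaSamAccount
ipauserobjectclasses: ipasshuser
"""

if __name__ == "__main__":
    custom, problems, cleaned = audit_user_objectclasses(SAMPLE_CONFIG_SHOW)
    print("non-default user object classes:", custom)
    for p in problems:
        print("problem:", p)
    print("cleaned ipaUserObjectClasses:", " ".join(cleaned))
```

Against real output, pipe `ipa config-show --all --raw` into the script instead of the constructed sample; the cleaned list is what you would compare with the value you intend to set if you decide, as the original poster considered, to drop the Samba classes from the user defaults rather than add a mechanism that generates sambaSID.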