Thanks for the pointer.

I found this https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts 

Enable SID usage and trigger the SIDgen task to generate SIDs for existing users and groups. This task might be resource-intensive:
[root@server ~]# ipa config-mod --enable-sid --add-sids

I ran this but have not seen any SIDs in my users' accounts (only admin, which may have been from an NT AD test connection before my time).

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts


[nicholas.cross@ipa008 ~]$ ipa user-show admin --all | grep ipantsecurityidentifier
  ipantsecurityidentifier: S-1-5-21-2921078666-3132408961-2510132066-500
 
[nicholas.cross@ipa008 ~]$ ipa user-show nicholas.cross --all | grep ipantsecurityidentifier

[nicholas.cross@ipa008 ~]$ ipa user-find --all --disabled=False | awk -F: '/User login/{print $2}' | xargs -IUUU ipa user-show UUU --all | egrep "User login|ipantsecurityidentifier"
  ... long list with only admin with ipantsecurityidentifier specified.


How long does the sidgen take to run?

The dirsrv error log

[root@ipa008 slapd-AD-xxxxx-FM]# grep sidgen errors
[23/May/2023:11:57:06.008222790 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[23/May/2023:11:57:06.088656904 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [116] into an unused SID.
[23/May/2023:11:57:06.090924999 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[23/May/2023:11:57:06.095245986 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

thanks,
Nick
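
An added example (not part of the thread or of FreeIPA itself): the user-show-per-user pipeline above is slow on a big directory, so this script parses one `ipa user-find --all --disabled=False` run instead and reports every enabled user without an `ipantsecurityidentifier`, and pulls the POSIX IDs the sidgen task rejected out of the dirsrv errors log. The record layout is the one shown in the thread; the sample output is constructed, and UID 116 for nicholas.cross is an assumption taken from the `[116]` in the errors log.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Assumes the `ipa user-find --all` record layout seen on the page:
# "  User login: NAME", optional "  ipantsecurityidentifier: S-1-5-...",
# "  UID: N", records separated by blank lines.

# Constructed sample standing in for: ipa user-find --all --disabled=False
SAMPLE='  User login: admin
  First name: Administrator
  ipantsecurityidentifier: S-1-5-21-2921078666-3132408961-2510132066-500
  UID: 1587400000

  User login: nicholas.cross
  UID: 116

  User login: svc.backup
  ipantsecurityidentifier: S-1-5-21-2921078666-3132408961-2510132066-1001
  UID: 1587400003
'

# Read user-find output on stdin; print "login uid" for each record
# that carries no ipantsecurityidentifier attribute.
users_without_sid() {
    awk '
        function flush() {
            if (login != "" && !has_sid) print login, uid
            login = ""; uid = ""; has_sid = 0
        }
        /^ *User login:/              { login = $3 }
        /^ *UID:/                     { uid = $2 }
        /^ *ipantsecurityidentifier:/ { has_sid = 1 }
        /^ *$/                        { flush() }
        END                           { flush() }
    '
}

# Read the dirsrv errors log on stdin; print the POSIX IDs that sidgen
# reported as "Cannot convert Posix ID [N] into an unused SID."
unconvertible_posix_ids() {
    sed -n 's/.*Cannot convert Posix ID \[\([0-9]*\)\].*/\1/p'
}

printf '%s' "$SAMPLE" | users_without_sid
```

Run it against live data with `ipa user-find --all --disabled=False | users_without_sid` and `unconvertible_posix_ids < /var/log/dirsrv/slapd-INSTANCE/errors`; a login that appears in both lists is one whose UID the task could not map to a SID.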

On Tue, 23 May 2023 at 12:11, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Tue, 23 May 2023, Nicholas Cross via FreeIPA-users wrote:
>Sorry, I added far too much there.
>
>Here is slightly less, when I grep for my name:
>
>
>
>[root@ipa011 ~]# tail -f  /var/log/krb5kdc.log | grep nicholas
>May 23 10:55:47 ipa011.ad.companyx.fm krb5kdc[4304](info): AS_REQ (4 etypes
>{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
>aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.32.225.7:
>NEEDED_PREAUTH: nicholas.cross@AD.companyx.FM for krbtgt/
>AD.companyx.FM@AD.companyx.FM, Additional pre-authentication required
>
>May 23 10:55:56 ipa011.ad.companyx.fm krb5kdc[4304](info): AS_REQ (4 etypes
>{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
>aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.32.225.7:
>HANDLE_AUTHDATA: nicholas.cross@AD.companyx.FM for krbtgt/
>AD.companyx.FM@AD.companyx.FM, No such file or directory
>
>
>I'm guessing it's this?
>
>nicholas.cross@AD.companyx.FM for krbtgt/AD.companyx.FM@AD.companyx.FM, No
>such file or directory

Yes, this is most likely a missing SID in your account.

We have been talking about these issues over the past week or so on this
list, please look at those discussions for recommendations.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland