Thanks for the pointer.
I found this
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts
Enable SID usage and trigger the SIDgen task to generate SIDs for existing users and groups. This task might be resource-intensive:
[root@server ~]# ipa config-mod --enable-sid --add-sids
I ran this but have not seen any SIDs in my users' accounts (only admin, which may have been from an NT AD test connection before my time).
[nicholas.cross@ipa008 ~]$ ipa user-find --all --disabled=False | awk -F: '/User login/{print $2}' | xargs -IUUU ipa user-show UUU --all | egrep "User login|ipantsecurityidentifier"
... long list with only admin with ipantsecurityidentifier specified.
How long does the sidgen take to run?
The dirsrv error log:
[root@ipa008 slapd-AD-xxxxx-FM]# grep sidgen errors
[23/May/2023:11:57:06.008222790 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[23/May/2023:11:57:06.088656904 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [116] into an unused SID.
[23/May/2023:11:57:06.090924999 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[23/May/2023:11:57:06.095245986 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
thanks,
Nick
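An added example, not part of Nick's message and not FreeIPA's own code: a small parser for the 389-ds (dirsrv) error-log format quoted above that pulls out the sidgen plugin's failures, the POSIX IDs it could not convert, and the task's final return code, and then checks each failing ID against the IPA ID ranges you supply. The check rests on an assumption (my reading of the "Cannot convert Posix ID [...] into an unused SID" message, not something the post states): that sidgen can only derive a SID for a POSIX ID that lies inside an IPA ID range which carries a RID base. The `IdRange` values, and the range numbers in the usage block, are constructed; the log lines are the ones from the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the four sidgen lines quoted in the post, used as
# stand-in for a real /var/log/dirsrv/slapd-<INSTANCE>/errors file.
SAMPLE_ERRORS = """\
[23/May/2023:11:57:06.008222790 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[23/May/2023:11:57:06.088656904 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [116] into an unused SID.
[23/May/2023:11:57:06.090924999 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[23/May/2023:11:57:06.095245986 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
"""

# One dirsrv error-log line: "[ts] - LEVEL - function - [file X, line N]: message"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - (?P<func>\w+) - "
    r"\[file (?P<file>[^,]+), line (?P<line>\d+)\]: (?P<msg>.*)$"
)
POSIX_ID_RE = re.compile(r"Cannot convert Posix ID \[(\d+)\] into an unused SID")
FINISHED_RE = re.compile(r"Sidgen task finished \[(-?\d+)\]")


@dataclass
class IdRange:
    """Hypothetical model of an IPA ID range (cf. `ipa idrange-find`):
    ipabaseid, ipaidrangesize and, optionally, ipabaserid."""
    base_id: int
    size: int
    base_rid: Optional[int] = None  # None: range has no RID base

    def can_issue_sid(self, posix_id: int) -> bool:
        # Assumption: a SID can only be derived for IDs inside a range
        # that has a RID base to map the ID onto.
        if self.base_rid is None:
            return False
        return self.base_id <= posix_id < self.base_id + self.size


@dataclass
class SidgenReport:
    failed_ids: List[int] = field(default_factory=list)     # IDs sidgen rejected
    uncovered_ids: List[int] = field(default_factory=list)  # rejected IDs no range can map
    exit_code: Optional[int] = None                         # value in "finished [N]"


def parse_sidgen_errors(text: str, ranges: List[IdRange]) -> SidgenReport:
    """Scan dirsrv error-log text for sidgen plugin messages."""
    report = SidgenReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or "sidgen" not in m["file"]:
            continue  # not a sidgen plugin message
        msg = m["msg"]
        fail = POSIX_ID_RE.search(msg)
        if fail:
            pid = int(fail.group(1))
            report.failed_ids.append(pid)
            if not any(r.can_issue_sid(pid) for r in ranges):
                report.uncovered_ids.append(pid)
            continue
        done = FINISHED_RE.search(msg)
        if done:
            report.exit_code = int(done.group(1))
    return report


if __name__ == "__main__":
    # Constructed range values; substitute the output of `ipa idrange-find`.
    ranges = [IdRange(base_id=1000000, size=200000, base_rid=1000)]
    rep = parse_sidgen_errors(SAMPLE_ERRORS, ranges)
    print("sidgen exit code:", rep.exit_code)
    print("POSIX IDs sidgen could not convert:", rep.failed_ids)
    print("...of which no range with a RID base covers:", rep.uncovered_ids)
```

Run it against the real `errors` file (`open(path).read()` in place of `SAMPLE_ERRORS`) and the ranges from `ipa idrange-find`; an ID that shows up in `uncovered_ids` is one you would expect to keep failing on every re-run of the task, independent of how long the task takes.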