On Аўт, 23 сту 2024, Dungan, Scott A. via FreeIPA-users wrote:
I found the answer in this thread:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Following that, we used ldapmodify to apply the correct values for the rid-base and secondary-rid-base in the new range. Afterwards, running
ipa config-mod --enable-sid --add-sids
completed, and all users have been assigned sids, although the logs show a few errors about sids already being used:
Jan 23 10:10:47 idm1.example.com ns-slapd[52294]: [23/Jan/2024:10:10:47.671583872 -0800] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-437482216-426791213-2761072236-101000116] is already used. Jan 23 10:10:47 idm1.example.com ns-slapd[52294]: [23/Jan/2024:10:10:47.672837572 -0800] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-437482216-426791213-2761072236-101000115] is already used. Jan 23 10:10:47 idm1.example.com ns-slapd[52294]: [23/Jan/2024:10:10:47.683585571 -0800] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-437482216-426791213-2761072236-101029028] is already used. Jan 23 10:10:47 idm1.example.com ns-slapd[52294]: [23/Jan/2024:10:10:47.703869107 -0800] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-437482216-426791213-2761072236-101029021] is already used. Jan 23 10:10:47 idm1.example.com ns-slapd[52294]: [23/Jan/2024:10:10:47.743343711 -0800] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [0]
Not sure if we should be concerned about that or not.
Since it doesn't say 'Secondary SID is used as well.', this means a first choice for that SID was not successful and sidgen plugin switched to a RID from the secondary RID base. It should be fine in the end -- a user/group got a unique SID assigned.
-Scott
From: Dungan, Scott A. via FreeIPA-users freeipa-users@lists.fedorahosted.org Sent: Tuesday, January 23, 2024 8:05 AM To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Dungan, Scott A. sdungan@caltech.edu Subject: [Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working
Thanks, Flo.
I believe we now know what the correct values should be for the rid-base and secondary-rid-base, however, we can’t seem to modify the ID range with the missing values we created to cover the legacy NIS users:
$ ipa idrange-mod ID.EXAMPLE.COM_legacy_range ipa: ERROR: This command can not be used to change ID allocation for local IPA domain. Run `ipa help idrange` for more information
Nor can we simply delete the range and try again:
ipa idrange-del ID.EXAMPLE.COM_legacy_range ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed
It seems that we are in a chicken or the egg bind here. Below is the output of iprange-find for reference.
3 ranges matched
Range name: ID.EXAMPLE.COM _id_range First Posix ID of the range: 866800000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 100000000 Range type: local domain range
Range name: ID.EXAMPLE.COM _legacy_range First Posix ID of the range: 1000 Number of IDs in the range: 98899 Range type: local domain range
Range name: ID.EXAMPLE.COM _subid_range First Posix ID of the range: 2147483648 Number of IDs in the range: 2147352576 First RID of the corresponding RID range: 2147283648 Domain SID of the trusted domain: S-1-5-21-538032-778436-45698521293 Range type: Active Directory domain range
Number of entries returned 3
From: Florence Blanc-Renaud <flo@redhat.commailto:flo@redhat.com> Sent: Monday, January 22, 2024 11:50 PM To: FreeIPA users list <freeipa-users@lists.fedorahosted.orgmailto:freeipa-users@lists.fedorahosted.org> Cc: Dungan, Scott A. <sdungan@caltech.edumailto:sdungan@caltech.edu> Subject: Re: [Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working
Hi,
On Tue, Jan 23, 2024 at 1:05 AM Dungan, Scott A. via FreeIPA-users <freeipa-users@lists.fedorahosted.orgmailto:freeipa-users@lists.fedorahosted.org> wrote: Thanks to Paul for all the leg work on this issue. Based on that, I can confirm that we have the same problem after updating to 4.9.12-11 from 4.9.11-7. Running the oddjob command to add SIDs to the user accounts fails after encountering UIDs outside of the default IPA range. It was able to get the admin account working though. We have 294 users with UIDs in the range of 1001 to 99657. These were migrated from an ancient NIS domain when the IPA domain was provisioned. We tried adding a secondary IPA range that covers that scope:
ipa idrange-add ID.EXAMPLE.COM_legacy_range --base-id=1000 --range-size=98899
And then running the oddjob command again, but we get the sidgen errors still, plus a error about overlapping rid ranges:
[22/Jan/2024:15:09:50.398460268 -0800] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ... [22/Jan/2024:15:09:50.499604871 -0800] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [29034] into an unused SID. [22/Jan/2024:15:09:50.499960197 -0800] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry. [22/Jan/2024:15:09:50.503257753 -0800] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32]. [22/Jan/2024:15:09:55.035779436 -0800] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=id,dc=example,dc=com [22/Jan/2024:15:09:55.036238563 -0800] - ERR - schema-compat-plugin - Finished plugin initialization. [22/Jan/2024:15:47:04.969286883 -0800] - ERR - ipa_range_check_pre_op - [file ipa_range_check.c, line 670]: New primary rid range overlaps with existing primary rid range.
I suspect that we may not have added the range correctly. We didn't pass the --rid-base= or --secondary-rid-base= flags/values as we were not sure what these values should be.
These values are important in order to generate the SIDs. Please read The role of security and relative identifiers in IdM ID rangeshttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index#con_the-role-of-security-and-relative-identifiers-in-idm-id-ranges_adjusting-id-ranges-manually and Security Identifiershttps://freeipa.readthedocs.io/en/latest/designs/id-mapping.html#security-identifiers to understand how they are used. You need to pick values that do not conflict with the ones for your initial range.
flo
Any help would be much appreciated.
Scott
-----Original Message----- From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.orgmailto:freeipa-users@lists.fedorahosted.org> Sent: Thursday, January 18, 2024 11:25 AM To: FreeIPA users list <freeipa-users@lists.fedorahosted.orgmailto:freeipa-users@lists.fedorahosted.org> Cc: Paul Nickerson <pgn674@gmail.commailto:pgn674@gmail.com>; Rob Crittenden <rcritten@redhat.commailto:rcritten@redhat.com> Subject: [Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working
Paul Nickerson via FreeIPA-users wrote:
I confirmed that users who had an ipaNTSecurityIdentifier attribute could log in to the web UI, and those that did not have the ipaNTSecurityIdentifier attribute could not.
I found the error in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors like you said: [17/Jan/2024:20:28:09.571195828 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ... [17/Jan/2024:20:28:09.637675948 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1566000023] into an unused SID. [17/Jan/2024:20:28:09.658369523 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry. [17/Jan/2024:20:28:09.666726494 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
I found some nice documentation at https://access.redhat.com/solutions/394763
I used this command to see the ranges that I have configured: ipa idrange-find
And these two commands to see the UIDs of the users who had not yet been given SIDs (some were inside the existing range; I think you're correct that the process stops at the first error): ldapsearch -H ldap://ipa01.semi.example.net:389/http://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b "cn=users,cn=accounts,dc=semi,dc=example,dc=net" "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n ldapsearch -H ldap://ipa01.semi.example.net:389/http://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b "cn=deleted users,cn=accounts,cn=provisioning,dc=semi,dc=example,dc=net" "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n
Here's some documentation on what ID and RID ranges are for: https://www.freeipa.org/page/V3/ID_Ranges
After doing a bunch of math and guess and check, I ran this: ipa idrange-add SEMI.EXAMPLE.NET_US150777_range --base-id=1441400000 --range-size=531251000 --rid-base=101000000 --secondary-rid-base=633000000
That gave me an additional range (confirmed with ipa idrange-find). I ran ipa config-mod --enable-sid --add-sids again, saw no significant errors in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors, and confirmed that there were 0 users left with no ipaNTSecurityIdentifier.
All users are all set now. Thank you again.
Glad to hear it and thank you for your detailed analysis. I think this will be useful to other users that may run into this.
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.orgmailto:freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.orgmailto:freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.orgmailto:freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.orgmailto:freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
freeipa-users@lists.fedorahosted.org