Thanks for the pointer.
I found this
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
Enable SID usage and trigger the SIDgen task to generate SIDs for existing
users and groups. This task might be resource-intensive:
[root@server ~]# ipa config-mod --enable-sid --add-sids
I ran this but have not seen any SIDs in my users' accounts (only admin, which may have been from an NT AD test connection before my time).
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
[nicholas.cross@ipa008 ~]$ ipa user-show admin --all | grep ipantsecurityidentifier
ipantsecurityidentifier: S-1-5-21-2921078666-3132408961-2510132066-500
[nicholas.cross@ipa008 ~]$ ipa user-show nicholas.cross --all | grep ipantsecurityidentifier
[nicholas.cross@ipa008 ~]$ ipa user-find --all --disabled=False | awk -F: '/User login/{print $2}' | xargs -IUUU ipa user-show UUU --all | egrep "User login|ipantsecurityidentifier"
... long list with only admin with ipantsecurityidentifier specified.
How long does the sidgen take to run?
The dirsrv error log:
[root@ipa008 slapd-AD-xxxxx-FM]# grep sidgen errors
[23/May/2023:11:57:06.008222790 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[23/May/2023:11:57:06.088656904 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [116] into an unused SID.
[23/May/2023:11:57:06.090924999 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[23/May/2023:11:57:06.095245986 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
thanks,
Nick
On Tue, 23 May 2023 at 12:11, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
On Tue, 23 May 2023, Nicholas Cross via FreeIPA-users wrote:
>Sorry I added far too much there.
>
>Here is slightly less, when I grep for my name:
>
>[root@ipa011 ~]# tail -f /var/log/krb5kdc.log | grep nicholas
>May 23 10:55:47 ipa011.ad.companyx.fm krb5kdc[4304](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.32.225.7: NEEDED_PREAUTH: nicholas.cross(a)AD.companyx.FM for krbtgt/AD.companyx.FM(a)AD.companyx.FM, Additional pre-authentication required
>
>May 23 10:55:56 ipa011.ad.companyx.fm krb5kdc[4304](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.32.225.7: HANDLE_AUTHDATA: nicholas.cross(a)AD.companyx.FM for krbtgt/AD.companyx.FM(a)AD.companyx.FM, No such file or directory
>
>I'm guessing it's this?
>
>nicholas.cross(a)AD.companyx.FM for krbtgt/AD.companyx.FM(a)AD.companyx.FM, No such file or directory
Yes, this is most likely a missing SID in your account.
We have been talking about these issues over the past week or so on this
list, please look at those discussions for recommendations.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
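To see at a glance which entries a sidgen run refused, without reading the whole dirsrv errors log by hand, here is a small added example (my own code, not FreeIPA's and not from anyone in this thread) that parses lines in the format quoted earlier; the sample lines are constructed after the thread's log, and the second failing Posix ID is made up to show several failures in one run.

```python
import re

# Constructed sample lines modelled on the dirsrv errors log quoted in the
# thread; the second Posix ID failure (2001) is made up for the example.
SAMPLE_LOG = """\
[23/May/2023:11:57:06.008222790 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[23/May/2023:11:57:06.088656904 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [116] into an unused SID.
[23/May/2023:11:57:06.089000000 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [2001] into an unused SID.
[23/May/2023:11:57:06.090924999 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[23/May/2023:11:57:06.095245986 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
"""

# One dirsrv errors-log line: "[timestamp] - LEVEL - function - message".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - (?P<func>\w+) - (?P<msg>.*)$")
POSIX_ID_RE = re.compile(r"Cannot convert Posix ID \[(\d+)\] into an unused SID")
FINISH_RE = re.compile(r"Sidgen task finished \[(\d+)\]")

def parse_sidgen_log(text):
    """Summarise one sidgen run: which POSIX IDs got no SID, and the finish code."""
    summary = {"started": False, "failed_posix_ids": [],
               "entries_not_updated": 0, "finish_code": None}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dirsrv log line (e.g. a wrapped continuation)
        msg = m.group("msg")
        if "Sidgen task starts" in msg:
            summary["started"] = True
        elif (pm := POSIX_ID_RE.search(msg)):
            summary["failed_posix_ids"].append(int(pm.group(1)))
        elif "Cannot add SID to existing entry" in msg:
            summary["entries_not_updated"] += 1
        elif (fm := FINISH_RE.search(msg)):
            summary["finish_code"] = int(fm.group(1))
    return summary

def sidgen_succeeded(summary):
    """True only if the task ran to its finish line and refused no entry."""
    return (summary["started"] and summary["finish_code"] is not None
            and not summary["failed_posix_ids"]
            and summary["entries_not_updated"] == 0)

if __name__ == "__main__":
    s = parse_sidgen_log(SAMPLE_LOG)
    print("failed POSIX IDs:", s["failed_posix_ids"], "finish code:", s["finish_code"])
    print("sidgen run OK" if sidgen_succeeded(s) else "sidgen run reported failures")
```

On a real server, feed it the output of `grep sidgen errors` from the instance's log directory, as in the thread; the printed POSIX IDs are the users or groups to look at first.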