Sorry, I added far too much there.
Here is slightly less, when I grep for my name:
[root@ipa011 ~]# tail -f /var/log/krb5kdc.log | grep nicholas
May 23 10:55:47 ipa011.ad.companyx.fm krb5kdc[4304](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.32.225.7: NEEDED_PREAUTH: nicholas.cross@AD.companyx.FM for krbtgt/AD.companyx.FM@AD.companyx.FM, Additional pre-authentication required
May 23 10:55:56 ipa011.ad.companyx.fm krb5kdc[4304](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.32.225.7: HANDLE_AUTHDATA: nicholas.cross@AD.companyx.FM for krbtgt/AD.companyx.FM@AD.companyx.FM, No such file or directory
I'm guessing it's this?
nicholas.cross@AD.companyx.FM for krbtgt/AD.companyx.FM@AD.companyx.FM, No such file or directory
On Tue, 23 May 2023, Nicholas Cross via FreeIPA-users wrote:
Yes, this is most likely a missing SID in your account.
We have been talking about these issues over the past week or so on this list, please look at those discussions for recommendations.
Thanks for the pointer.
I found this https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
Enable SID usage and trigger the SIDgen task to generate SIDs for existing users and groups. This task might be resource-intensive:
[root@server ~]# ipa config-mod --enable-sid --add-sids
I ran this but have not seen any SIDs in my users' accounts (only admin, which may have been from an NT AD test connection before my time).
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
[nicholas.cross@ipa008 ~]$ ipa user-show admin --all | grep ipantsecurityidentifier
ipantsecurityidentifier: S-1-5-21-2921078666-3132408961-2510132066-500
[nicholas.cross@ipa008 ~]$ ipa user-show nicholas.cross --all | grep ipantsecurityidentifier
[nicholas.cross@ipa008 ~]$ ipa user-find --all --disabled=False | awk -F: '/User login/{print $2}' | xargs -IUUU ipa user-show UUU --all | egrep "User login|ipantsecurityidentifier"
... long list, with only admin having ipantsecurityidentifier specified.
How long does the sidgen take to run?
The dirsrv error log:
[root@ipa008 slapd-AD-xxxxx-FM]# grep sidgen errors
[23/May/2023:11:57:06.008222790 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[23/May/2023:11:57:06.088656904 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [116] into an unused SID.
[23/May/2023:11:57:06.090924999 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[23/May/2023:11:57:06.095245986 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
Thanks, Nick
On Tue, 23 May 2023 at 12:11, Alexander Bokovoy abokovoy@redhat.com wrote:
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
On Tue, 23 May 2023, Nicholas Cross wrote:
As I said, please look at the previous discussions on this list; they cover your situation as well. You have POSIX ID 116, which is not covered by any ID range, hence it cannot have a SID associated with it.
Thanks, the kinit issue is now sorted.
These helped:
https://access.redhat.com/solutions/394763
ldapsearch -LLL -b "dc=ad,dc=companyx,dc=fm" "(objectclass=person)" ipaNTSecurityIdentifier
ldapsearch -LLL -b "dc=ad,dc=companyx,dc=fm" "(objectclass=posixgroup)" gidNumber
Update the one single group that has an out-of-range POSIX gid.
Then I ran this again: ipa config-mod --enable-sid --add-sids
Then I was able to kinit again.
thanks,
Nick
On Tue, 23 May 2023 at 13:39, Alexander Bokovoy abokovoy@redhat.com wrote:
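To make the "POSIX ID not covered by any ID range" failure above concrete, and to turn the ldapsearch checks from the last message into something repeatable, here is an added Python example. It is not FreeIPA's code and not part of this thread: it reads a constructed `ldapsearch -LLL` style dump, checks every uidNumber/gidNumber against a constructed ipa-local ID range, and reports which entries already carry a SID, which SID sidgen would assign to the rest, and which IDs would make the task fail the way gid 116 did. The range values, the three sample entries, the group name legacy-svc and the modelled RID arithmetic (users counted from the RID base, groups from the secondary RID base, admin and admins pinned to the well-known RIDs 500 and 512, consistent with the -500 shown on the admin account above) are assumptions for illustration; compare them with `ipa idrange-show` on your own server before trusting the numbers.

```python
"""Audit FreeIPA users/groups for SID eligibility before running sidgen.

Added example, not FreeIPA's own code.  The ID range, the LDIF sample and the
RID mapping below are constructed assumptions that mirror the thread's case:
an entry whose POSIX ID lies outside every ipa-local range gets no SID, and
`ipa config-mod --enable-sid --add-sids` reports "Cannot convert Posix ID".
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DOMAIN_SID = "S-1-5-21-2921078666-3132408961-2510132066"  # domain SID seen in the thread


@dataclass(frozen=True)
class IdRange:
    """The ipa-local `ipa idrange-show` fields sidgen needs (constructed values)."""
    name: str
    base_id: int
    range_size: int
    base_rid: int
    secondary_base_rid: int

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.range_size


# Constructed: one local range of 200,000 IDs starting at 1,000,000.
RANGES: List[IdRange] = [
    IdRange("AD.COMPANYX.FM_id_range", 1_000_000, 200_000, 1000, 100_000_000),
]

# Constructed `ldapsearch -LLL` style output; gidNumber 116 reproduces the
# out-of-range entry from the dirsrv error log.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=ad,dc=companyx,dc=fm
uid: admin
uidNumber: 1000000
objectClass: posixaccount
ipaNTSecurityIdentifier: S-1-5-21-2921078666-3132408961-2510132066-500

dn: uid=nicholas.cross,cn=users,cn=accounts,dc=ad,dc=companyx,dc=fm
uid: nicholas.cross
uidNumber: 1000003
objectClass: posixaccount

dn: cn=legacy-svc,cn=groups,cn=accounts,dc=ad,dc=companyx,dc=fm
cn: legacy-svc
gidNumber: 116
objectClass: posixgroup
"""


def parse_ldif(text: str) -> List[dict]:
    """Minimal reader for unfolded LDIF: one dict per entry, attribute names
    lower-cased, objectClass values collected lower-cased in 'objectclasses'."""
    entries: List[dict] = []
    cur: dict = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # a blank line terminates an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        key = attr.lower()
        if key == "objectclass":
            cur.setdefault("objectclasses", []).append(value.lower())
        else:
            cur[key] = value
    if cur:
        entries.append(cur)
    return entries


def rid_for(posix_id: int, is_group: bool, name: str) -> Optional[int]:
    """RID the modelled sidgen mapping would assign, or None if no range covers the ID.

    Assumption: admin -> 500 and admins -> 512 (well-known RIDs); other users take
    base_rid + offset and other groups secondary_base_rid + offset in their range."""
    if not is_group and name == "admin":
        return 500
    if is_group and name == "admins":
        return 512
    for r in RANGES:
        if r.contains(posix_id):
            base = r.secondary_base_rid if is_group else r.base_rid
            return base + (posix_id - r.base_id)
    return None


def audit(entries: List[dict]) -> Dict[str, Tuple[str, object]]:
    """Map each entry name to ('has_sid', sid), ('would_get', sid) or ('OUT_OF_RANGE', id)."""
    report: Dict[str, Tuple[str, object]] = {}
    for e in entries:
        is_group = "posixgroup" in e.get("objectclasses", [])
        name = e["cn"] if is_group else e["uid"]
        posix_id = int(e["gidnumber" if is_group else "uidnumber"])
        if "ipantsecurityidentifier" in e:
            report[name] = ("has_sid", e["ipantsecurityidentifier"])
            continue
        rid = rid_for(posix_id, is_group, name)
        if rid is None:
            report[name] = ("OUT_OF_RANGE", posix_id)
        else:
            report[name] = ("would_get", f"{DOMAIN_SID}-{rid}")
    return report


def blockers(report: Dict[str, Tuple[str, object]]) -> List[str]:
    """Entries to fix (or cover with a new idrange) before re-running --add-sids."""
    return sorted(n for n, (state, _) in report.items() if state == "OUT_OF_RANGE")


if __name__ == "__main__":
    rep = audit(parse_ldif(SAMPLE_LDIF))
    for name, (state, detail) in rep.items():
        print(f"{name:16} {state:13} {detail}")
    print("blocking sidgen:", blockers(rep))
```

To run it against a real server, replace SAMPLE_LDIF with the output of `ldapsearch -LLL -o ldif-wrap=no -b "dc=ad,dc=companyx,dc=fm" "(|(objectclass=posixaccount)(objectclass=posixgroup))" uid cn uidNumber gidNumber objectClass ipaNTSecurityIdentifier` (the `-o ldif-wrap=no` keeps long values on one line, which this small parser expects) and fill RANGES from `ipa idrange-find`. Anything listed by blockers() is what stopped the task in the log above: the entry with ID 116 produced "Cannot convert Posix ID [116] into an unused SID" and the task finished without adding SIDs to the other accounts, which is why only admin had one.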
freeipa-users@lists.fedorahosted.org