Thanks, the kinit issue is now sorted.

These helped:

https://access.redhat.com/solutions/394763
ldapsearch -LLL -b "dc=ad,dc=companyx,dc=fm" "(objectclass=person)" ipaNTSecurityIdentifier
ldapsearch -LLL -b "dc=ad,dc=companyx,dc=fm" "(objectclass=posixgroup)" gidNumber
update one single group that has an out of range posix gid.

Then I ran this again
ipa config-mod --enable-sid --add-sids

Then I was able to kinit again.

thanks,

Nick
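The triage step behind this fix, as an added Python example that is not part of the thread: it parses `ldapsearch -LLL` output for uidNumber/gidNumber and reports every value that no configured IPA ID range covers (ranges expressed as the ipaBaseID/ipaIDRangeSize pair that `ipa idrange-find` prints), which is the condition that makes the sidgen task fail with "Cannot convert Posix ID [...] into an unused SID". The LDIF entries and the single range are constructed sample values; the DNs, IDs and the 1000/200000 range are made up.

```python
import re
# Constructed IPA ID ranges as (ipaBaseID, ipaIDRangeSize), the values
# `ipa idrange-find` prints; a range covers base .. base+size-1.
ID_RANGES = [(1000, 200000)]

# Constructed LDIF in the shape `ldapsearch -LLL ... uidNumber gidNumber`
# returns (DNs and numbers are made up; gid 116 mirrors the thread's failure).
SAMPLE_LDIF = """\
dn: uid=nicholas.cross,cn=users,cn=accounts,dc=example,dc=test
uidNumber: 1001
gidNumber: 1001

dn: cn=legacy-ops,cn=groups,cn=accounts,
 dc=example,dc=test
gidNumber: 116

dn: uid=svc-backup,cn=users,cn=accounts,dc=example,dc=test
uidNumber: 999999999
gidNumber: 1001
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; folds LDIF ' '-continued lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in re.sub(r"\n ", "", block).splitlines():
            key, _, value = line.partition(":")
            if key == "dn":
                dn = value.strip()
            elif key:
                attrs.setdefault(key, []).append(value.strip())
        if dn:
            entries.append((dn, attrs))
    return entries

def in_any_range(posix_id, ranges):
    """True if posix_id lies inside at least one configured ID range."""
    return any(base <= posix_id < base + size for base, size in ranges)

def find_out_of_range(text, ranges):
    """List (dn, attr, id) for every uidNumber/gidNumber no range covers."""
    bad = []  # these are exactly the entries sidgen cannot map to a SID
    for dn, attrs in parse_ldif(text):
        for attr in ("uidNumber", "gidNumber"):
            for raw in attrs.get(attr, []):
                if raw.isdigit() and not in_any_range(int(raw), ranges):
                    bad.append((dn, attr, int(raw)))
    return bad
```

Feed it the real `ldapsearch -LLL -b <base> "(objectclass=posixaccount)" uidNumber gidNumber` output and the ranges from `ipa idrange-find`; each reported entry needs its ID moved into a range (or a range added) before `ipa config-mod --enable-sid --add-sids` can finish cleanly.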

On Tue, 23 May 2023 at 13:39, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Tue, 23 May 2023, Nicholas Cross wrote:
> >Thanks for the pointer.
> >
> >I found this
> >
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts
> >
> >
> >Enable SID usage and trigger the SIDgen task to generate SIDs for existing
> >users and groups. This task might be resource-intensive:
> >[root@server ~]# ipa config-mod --enable-sid --add-sids
> >
> >I ran this but have not seen any SIDs in my users accounts (only admin -
> >which may have been from a NT AD test connection before my time,).
> >
> >
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts
> >
> >
> >[nicholas.cross@ipa008 ~]$ ipa user-show admin --all | grep ipantsecurityidentifier
> >  ipantsecurityidentifier: S-1-5-21-2921078666-3132408961-2510132066-500
> >
> >[nicholas.cross@ipa008 ~]$ ipa user-show nicholas.cross --all | grep ipantsecurityidentifier
> >
> >[nicholas.cross@ipa008 ~]$ ipa user-find --all --disabled=False | awk -F: '/User login/{print $2}' | xargs -IUUU ipa user-show UUU --all | egrep "User login|ipantsecurityidentifier"
> >  ... long list with only admin with ipantsecurityidentifier specified.
> >
> >
> >How long does the sidgen take to run?
> >
> >The dirsrv error log
> >
> >[root@ipa008 slapd-AD-xxxxx-FM]# grep sidgen errors
> >[23/May/2023:11:57:06.008222790 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
> >[23/May/2023:11:57:06.088656904 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [116] into an unused SID.
> >[23/May/2023:11:57:06.090924999 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
> >[23/May/2023:11:57:06.095245986 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
>
> As I said, please look at the previous discussions on this list, they
> cover your situation as well. You have POSIX ID 116 which is not covered
> by any ID range, hence cannot have SID associated with it.
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org