Thank you for the assistance. I tried running the oddjob without specifying a NetBIOS name, and it gave a return code of 1, no output, and didn't seem to do anything. Then I saw your NetBIOS comment.
First I checked to see if we already had a NetBIOS name configured, and I didn't find anything (I used ldapsearch because the ipa command was still not working):

ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W '(ipaNTFlatName=*)'
ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W '(objectClass=ipaNTTrustedDomain)'
ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W '(objectclass=ipaNTDomainAttrs)'

So I tried the oddjob with the NetBIOS name option, formatted as you recommended:

/usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --netbios-name SEMI --add-sids

This still had no output, but it did do good things. I can now find the NetBIOS name using ldapsearch. Many users and groups now have the ipaNTSecurityIdentifier attribute:

ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W '(ipaNTSecurityIdentifier=*)'

However, some users were skipped, like mine. The admin user got the ipaNTSecurityIdentifier attribute, so I tried running the ipa command as that user, hoping to modify the skipped users:

[r...@ipa01.semi.example.net ~] # kinit admin
Password for ad...@semi.example.net:
[r...@ipa01.semi.example.net ~] # ipa config-mod --enable-sid --add-sids
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: semi.example.net
  Search time limit: 2
  Search size limit: 500
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: False
  Certificate Subject base: O=SEMI.EXAMPLE.NET
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: ipa01.semi.example.net, ipa02.semi.example.net
  IPA master capable of PKINIT: ipa01.semi.example.net, ipa02.semi.example.net
  IPA CA servers: ipa01.semi.example.net, ipa02.semi.example.net
  IPA CA renewal master: ipa02.semi.example.net

The skipped users still have no ipaNTSecurityIdentifier. But at least I can run ipa commands now.

I've tried looking for patterns in which users were skipped. It's not all users in the admins group. Maybe it's older users, who I think were migrated from a previous FreeIPA version 3 cluster which crashed and burned years ago? I'm going to keep looking for some pattern in which users did not get the ipaNTSecurityIdentifier, but if you have any ideas, please let me know.

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
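One check that may help find the pattern the message above asks about (an added example, not code from the thread or from the FreeIPA project): it parses the LDIF that ldapsearch prints and lists the users still lacking ipaNTSecurityIdentifier, flagging whether each uidNumber lies inside a configured ID range, on the assumption, to be verified against the cluster's own idrange entries, that SID generation only covers POSIX IDs inside a range. The suffix, IDs and SIDs in the sample LDIF are constructed.

```python
# Added example, not from the thread or from FreeIPA. Parses the LDIF that
# ldapsearch prints for users and for the ID ranges (cn=ranges,cn=etc) and
# lists users lacking ipaNTSecurityIdentifier, noting whether their
# uidNumber lies inside a configured range. Sample LDIF below is constructed.

USERS_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=net
uid: admin
uidNumber: 1810000000
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-500

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=net
uid: alice
uidNumber: 1810000005

dn: uid=legacy,cn=users,cn=accounts,dc=example,dc=net
uid: legacy
uidNumber: 1001
"""

RANGES_LDIF = """\
dn: cn=EXAMPLE.NET_id_range,cn=ranges,cn=etc,dc=example,dc=net
ipaBaseID: 1810000000
ipaIDRangeSize: 200000
"""

def parse_ldif(text):
    """One {attr_lowercase: [values]} dict per entry (plain 'attr: value' lines only)."""
    entries = [{}]
    for line in text.splitlines():
        if not line.strip():            # blank line separates entries
            entries.append({})
        elif not line.startswith("#"):  # skip ldapsearch comment lines
            attr, _, val = line.partition(":")
            entries[-1].setdefault(attr.strip().lower(), []).append(val.strip())
    return [e for e in entries if e]

def users_without_sid(users_ldif, ranges_ldif):
    """Return (uid, uidNumber, inside_a_configured_range) for users with no SID."""
    ranges = [(int(r["ipabaseid"][0]), int(r["ipabaseid"][0]) + int(r["ipaidrangesize"][0]) - 1)
              for r in parse_ldif(ranges_ldif) if "ipabaseid" in r]
    missing = []
    for e in parse_ldif(users_ldif):
        if "uid" in e and "ipantsecurityidentifier" not in e:
            uidnum = int(e["uidnumber"][0])
            missing.append((e["uid"][0], uidnum, any(lo <= uidnum <= hi for lo, hi in ranges)))
    return missing
```

Feed it the output of `ldapsearch ... -b cn=users,cn=accounts,<suffix> '(objectClass=posixAccount)' uid uidNumber ipaNTSecurityIdentifier` and of `ldapsearch ... -b cn=ranges,cn=etc,<suffix> ipaBaseID ipaIDRangeSize`; any user reported OUTSIDE every range is a candidate for the pattern.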