Paul Nickerson via FreeIPA-users wrote:
> Thank you for the assistance. I tried running the oddjob without specifying a
> NetBIOS name, and it gave a return code of 1, no output, and didn't seem to
> do anything. Then I saw your NetBIOS comment.
>
> First I checked to see if we already had a NetBIOS name configured, and I
> didn't find anything (I used ldapsearch because the ipa command was still not
> working):
> ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W '(ipaNTFlatName=*)'
> ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W '(objectClass=ipaNTTrustedDomain)'
> ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W '(objectclass=ipaNTDomainAttrs)'
>
> So I tried the oddjob with the NetBIOS name option, formatted as you
> recommended:
> /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --netbios-name SEMI --add-sids
>
> This still had no output, but it did do good things. I can now find the
> NetBIOS name using ldapsearch. Many users and groups now have the
> ipaNTSecurityIdentifier attribute:
> ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W '(ipaNTSecurityIdentifier=*)'
>
> However, some users were skipped, like mine.
> The admin user got the ipaNTSecurityIdentifier attribute, so I tried running
> the ipa command as that user, hoping to modify the skipped users:
>
> [r...@ipa01.semi.example.net ~]
> # kinit admin
> Password for ad...@semi.example.net:
> [r...@ipa01.semi.example.net ~]
> # ipa config-mod --enable-sid --add-sids
>   Maximum username length: 32
>   Maximum hostname length: 64
>   Home directory base: /home
>   Default shell: /bin/bash
>   Default users group: ipausers
>   Default e-mail domain: semi.example.net
>   Search time limit: 2
>   Search size limit: 500
>   User search fields: uid,givenname,sn,telephonenumber,ou,title
>   Group search fields: cn,description
>   Enable migration mode: False
>   Certificate Subject base: O=SEMI.EXAMPLE.NET
>   Password Expiration Notification (days): 4
>   Password plugin features: AllowNThash, KDC:Disable Last Success
>   SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>   Default SELinux user: unconfined_u:s0-s0:c0.c1023
>   Default PAC types: MS-PAC, nfs:NONE
>   IPA masters: ipa01.semi.example.net, ipa02.semi.example.net
>   IPA master capable of PKINIT: ipa01.semi.example.net, ipa02.semi.example.net
>   IPA CA servers: ipa01.semi.example.net, ipa02.semi.example.net
>   IPA CA renewal master: ipa02.semi.example.net
>
> The skipped users still have no ipaNTSecurityIdentifier. But at least I can
> run ipa commands now.
>
> I've tried looking for patterns in which users were skipped. It's not all
> users in the admins group. Maybe it's older users, who I think were migrated
> from a previous FreeIPA version 3 cluster which crashed and burned years ago?
> I'm going to keep looking for some pattern in which users did not get the
> ipaNTSecurityIdentifier, but if you have any ideas, please let me know.
The users have to be inside an IPA range in order to have a SID assigned.

If you look in /var/log/dirsrv/slapd-REALM/errors you should find an error
message about where it failed. IIRC it stops on the first failure.

rob

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
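A quick way to test Rob's "inside an IPA range" explanation against the whole user base is to export the ID ranges and the users with ldapsearch and compare uidNumber against each range's [ipaBaseID, ipaBaseID + ipaIDRangeSize). The script below is an added example written for this thread, not FreeIPA code and not something from the original posts. It assumes the LDIF attribute names used by FreeIPA ID ranges (ipaBaseID, ipaIDRangeSize, ipaRangeType, cn) and that only ipa-local ranges are relevant for local users, which is this example's reading of how SID generation works; the LDIF samples embedded in it are constructed, not real data.

```python
"""Report IPA users whose POSIX UID is outside every local ID range, and users
inside a range that still lack ipaNTSecurityIdentifier (added example, not
FreeIPA project code; sample LDIF below is constructed).

Typical inputs, produced on an IPA master with the ldapsearch commands from the
thread plus a base DN and -LLL for clean LDIF:
  ldapsearch -LLL -x -D "cn=Directory Manager" -W \
      -b cn=ranges,cn=etc,dc=semi,dc=example,dc=net '(ipaBaseID=*)' > ranges.ldif
  ldapsearch -LLL -x -D "cn=Directory Manager" -W \
      -b cn=users,cn=accounts,dc=semi,dc=example,dc=net '(uidNumber=*)' \
      uid uidNumber ipaNTSecurityIdentifier > users.ldif
  python3 sid_range_check.py ranges.ldif users.ldif
"""
import base64
import sys
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data: one local range and one AD trust range (assumed layout).
SAMPLE_RANGES_LDIF = """\
dn: cn=SEMI.EXAMPLE.NET_id_range,cn=ranges,cn=etc,dc=semi,dc=example,dc=net
cn: SEMI.EXAMPLE.NET_id_range
ipaBaseID: 1234000000
ipaIDRangeSize: 200000
ipaBaseRID: 1000
ipaRangeType: ipa-local

dn: cn=AD.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=semi,dc=example,dc=net
cn: AD.EXAMPLE.COM_id_range
ipaBaseID: 1000
ipaIDRangeSize: 200000
ipaRangeType: ipa-ad-trust

"""

# Constructed users: one in range with a SID, one migrated user with a low UID
# outside every local range, one in range but still without a SID.
SAMPLE_USERS_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=semi,dc=example,dc=net
uid: admin
uidNumber: 1234000000
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1000

dn: uid=pnickerson,cn=users,cn=accounts,dc=semi,dc=example,dc=net
uid: pnickerson
uidNumber: 1500

dn: uid=newuser,cn=users,cn=accounts,dc=semi,dc=example,dc=net
uid: newuser
uidNumber: 1234000042
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    'attr:: base64' lines, and leading-space continuation lines."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]      # folded line continuation
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):                  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


@dataclass
class IdRange:
    name: str
    base: int
    size: int

    def contains(self, posix_id: int) -> bool:
        # A FreeIPA range covers ipaBaseID .. ipaBaseID + ipaIDRangeSize - 1
        return self.base <= posix_id < self.base + self.size


def load_ranges(ldif: str, local_only: bool = True) -> List[IdRange]:
    """Keep ipa-local ranges only (assumption: trust ranges belong to AD users)."""
    ranges = []
    for e in parse_ldif(ldif):
        if "ipaBaseID" not in e:
            continue
        if local_only and e.get("ipaRangeType", ["ipa-local"])[0] != "ipa-local":
            continue
        ranges.append(IdRange(e["cn"][0], int(e["ipaBaseID"][0]), int(e["ipaIDRangeSize"][0])))
    return ranges


def users_outside_ranges(ranges_ldif: str, users_ldif: str) -> List[Dict[str, object]]:
    """Return one finding per user that is outside every local range or has no SID."""
    ranges = load_ranges(ranges_ldif)
    findings = []
    for e in parse_ldif(users_ldif):
        if "uidNumber" not in e:
            continue
        uid_number = int(e["uidNumber"][0])
        in_range = [r.name for r in ranges if r.contains(uid_number)]
        has_sid = "ipaNTSecurityIdentifier" in e
        if not in_range or not has_sid:
            findings.append({"uid": e["uid"][0], "uidNumber": uid_number,
                             "in_range": in_range, "has_sid": has_sid})
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        ranges_text, users_text = (open(p).read() for p in sys.argv[1:3])
    else:
        ranges_text, users_text = SAMPLE_RANGES_LDIF, SAMPLE_USERS_LDIF
    for f in users_outside_ranges(ranges_text, users_text):
        why = "outside every local ID range" if not f["in_range"] else "in range but no SID yet"
        print(f"{f['uid']:<16} uidNumber={f['uidNumber']:<12} {why}")
```

Users flagged as "outside every local ID range" match Rob's explanation and need either a new ID range covering their UIDs (ipa idrange-add) or renumbering; a user flagged "in range but no SID yet" points at a different failure, so that is where to read /var/log/dirsrv/slapd-REALM/errors (searching for "sidgen" is a reasonable starting point) before rerunning the oddjob helper. With the constructed sample the script reports pnickerson as out of range and newuser as in range without a SID, while admin is not listed.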