I confirmed that users who had an ipaNTSecurityIdentifier attribute could log in to the web UI, and those that did not have the ipaNTSecurityIdentifier attribute could not.
I found the error in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors like you said:

[17/Jan/2024:20:28:09.571195828 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[17/Jan/2024:20:28:09.637675948 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1566000023] into an unused SID.
[17/Jan/2024:20:28:09.658369523 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[17/Jan/2024:20:28:09.666726494 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

I found some nice documentation at https://access.redhat.com/solutions/394763

I used this command to see the ranges that I have configured:

ipa idrange-find

And these two commands to see the UIDs of the users who had not yet been given SIDs (some were inside the existing range; I think you're correct that the process stops at the first error):

ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b "cn=users,cn=accounts,dc=semi,dc=example,dc=net" "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n

ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b "cn=deleted users,cn=accounts,cn=provisioning,dc=semi,dc=example,dc=net" "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n

Here's some documentation on what ID and RID ranges are for: https://www.freeipa.org/page/V3/ID_Ranges

After doing a bunch of math and guess and check, I ran this:

ipa idrange-add SEMI.EXAMPLE.NET_US150777_range --base-id=1441400000 --range-size=531251000 --rid-base=101000000 --secondary-rid-base=633000000

That gave me an additional range (confirmed with ipa idrange-find).
I ran ipa config-mod --enable-sid --add-sids again, saw no significant errors in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors, and confirmed that there were 0 users left with no ipaNTSecurityIdentifier. All users are all set now.

Thank you again.

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
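The "bunch of math and guess and check" step in the message above is where a sidgen cleanup usually goes wrong: a new range has to cover every SID-less uidNumber while its POSIX ID block and both RID blocks stay disjoint from every range already configured. The following is an added example (not code from the thread or from FreeIPA) that parses raw ldapsearch output for uidNumber values, lists the IDs no configured range covers, and checks a proposed idrange for overlaps before it is handed to ipa idrange-add. The proposed range uses the numbers from the message; the pre-existing range, the ldapsearch output, the user names and the IdRange class are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Interval = Tuple[int, int]  # half-open [lo, hi)


@dataclass(frozen=True)
class IdRange:
    """Hypothetical model of one `ipa idrange-find` entry (constructed, not the ipa API)."""
    name: str
    base_id: int
    range_size: int
    rid_base: Optional[int] = None
    secondary_rid_base: Optional[int] = None

    def id_interval(self) -> Interval:
        # FreeIPA semantics: POSIX IDs base_id .. base_id + range_size - 1 belong to the range
        return (self.base_id, self.base_id + self.range_size)

    def rid_intervals(self) -> List[Interval]:
        # Each RID block is the same size as the POSIX block; sidgen maps offset i -> rid_base + i
        return [(b, b + self.range_size)
                for b in (self.rid_base, self.secondary_rid_base) if b is not None]

    def contains(self, posix_id: int) -> bool:
        lo, hi = self.id_interval()
        return lo <= posix_id < hi


def overlaps(a: Interval, b: Interval) -> bool:
    return a[0] < b[1] and b[0] < a[1]


UID_RE = re.compile(r"^uidNumber:\s*(\d+)\s*$")


def parse_uidnumbers(ldif: str) -> List[int]:
    """Pull uidNumber values out of raw ldapsearch output.

    Only real attribute lines match; the '# requesting: uidNumber' comment the
    message filters out with grep -v is skipped by the anchored regex."""
    return sorted(int(m.group(1)) for m in map(UID_RE.match, ldif.splitlines()) if m)


def uncovered_ids(ranges: List[IdRange], posix_ids: List[int]) -> List[int]:
    """IDs that no range covers: exactly the ones sidgen cannot convert into a SID."""
    return sorted(i for i in posix_ids if not any(r.contains(i) for r in ranges))


def range_conflicts(existing: List[IdRange], proposed: IdRange) -> List[str]:
    """Reasons the proposed range must not be added (empty list means it is safe)."""
    problems = []
    for r in existing:
        if overlaps(r.id_interval(), proposed.id_interval()):
            problems.append(f"POSIX ID block overlaps {r.name}")
        for a in r.rid_intervals():
            for b in proposed.rid_intervals():
                if overlaps(a, b):
                    problems.append(f"RID block {b} overlaps {r.name} block {a}")
    rids = proposed.rid_intervals()
    if len(rids) == 2 and overlaps(rids[0], rids[1]):
        problems.append("primary and secondary RID blocks overlap each other")
    return problems


# Constructed sample: one pre-existing local range (values invented for the example).
EXISTING = [IdRange("SEMI.EXAMPLE.NET_id_range", 1441000000, 400000, 1000, 100000000)]

# The range actually added in the message above.
PROPOSED = IdRange("SEMI.EXAMPLE.NET_US150777_range", 1441400000, 531251000,
                   101000000, 633000000)

# Constructed ldapsearch output; 1566000023 is the ID the sidgen log complained about.
SAMPLE_LDAPSEARCH_OUTPUT = """\
# extended LDIF
# filter: (!(ipaNTSecurityIdentifier=*))
# requesting: uidNumber

# alice, users, accounts, semi.example.net
dn: uid=alice,cn=users,cn=accounts,dc=semi,dc=example,dc=net
uidNumber: 1441000010

# bob, users, accounts, semi.example.net
dn: uid=bob,cn=users,cn=accounts,dc=semi,dc=example,dc=net
uidNumber: 1566000023

# carol, users, accounts, semi.example.net
dn: uid=carol,cn=users,cn=accounts,dc=semi,dc=example,dc=net
uidNumber: 1600000000
"""

if __name__ == "__main__":
    ids = parse_uidnumbers(SAMPLE_LDAPSEARCH_OUTPUT)
    print("SID-less IDs outside every configured range:", uncovered_ids(EXISTING, ids))
    print("conflicts for proposed range:", range_conflicts(EXISTING, PROPOSED) or "none")
    print("still uncovered after adding it:", uncovered_ids(EXISTING + [PROPOSED], ids))
```

Feed it the output of the two ldapsearch commands from the message (without the grep/sed pipeline, since the parser does that itself) and the base-id/range-size/rid-base/secondary-rid-base values printed by ipa idrange-find; an empty conflict list and an empty "still uncovered" list are what you want to see before re-running ipa config-mod --enable-sid --add-sids.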