On Tue, 23 Jan 2024, Dungan, Scott A. via FreeIPA-users wrote:
I found the answer in this thread:

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/5BUG3EVCRQKNF6BC74LA2CL3H2I2EV3P/

Following that, we used ldapmodify to apply the correct values for the
rid-base and secondary-rid-base in the new range. Afterwards, running

ipa config-mod --enable-sid --add-sids

completed, and all users have been assigned sids, although the logs
show a few errors about sids already being used:

Jan 23 10:10:47 idm1.example.com ns-slapd[52294]: [23/Jan/2024:10:10:47.671583872 -0800] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-437482216-426791213-2761072236-101000116] is already used.
Jan 23 10:10:47 idm1.example.com ns-slapd[52294]: [23/Jan/2024:10:10:47.672837572 -0800] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-437482216-426791213-2761072236-101000115] is already used.
Jan 23 10:10:47 idm1.example.com ns-slapd[52294]: [23/Jan/2024:10:10:47.683585571 -0800] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-437482216-426791213-2761072236-101029028] is already used.
Jan 23 10:10:47 idm1.example.com ns-slapd[52294]: [23/Jan/2024:10:10:47.703869107 -0800] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-437482216-426791213-2761072236-101029021] is already used.
Jan 23 10:10:47 idm1.example.com ns-slapd[52294]: [23/Jan/2024:10:10:47.743343711 -0800] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [0]

Not sure if we should be concerned about that or not.

Since it doesn't say 'Secondary SID is used as well.', this means a
first choice for that SID was not successful and sidgen plugin switched
to a RID from the secondary RID base. It should be fine in the end -- a
user/group got a unique SID assigned.



-Scott

From: Dungan, Scott A. via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Tuesday, January 23, 2024 8:05 AM
To: Florence Blanc-Renaud <f...@redhat.com>; FreeIPA users list 
<freeipa-users@lists.fedorahosted.org>
Cc: Dungan, Scott A. <sdun...@caltech.edu>
Subject: [Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web 
UI login and ipa command to stop working

Thanks, Flo.

I believe we now know what the correct values should be for the rid-base and 
secondary-rid-base, however, we can’t seem to modify the ID range with the 
missing values we created to cover the legacy NIS users:

$ ipa idrange-mod ID.EXAMPLE.COM_legacy_range
ipa: ERROR: This command can not be used to change ID allocation for local IPA 
domain. Run `ipa help idrange` for more information

Nor can we simply delete the range and try again:

ipa idrange-del ID.EXAMPLE.COM_legacy_range
ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving 
objects with ID out of the defined range is not allowed

It seems that we are in a chicken-or-the-egg bind here. Below is the output of 
idrange-find for reference.

----------------
3 ranges matched
----------------
 Range name: ID.EXAMPLE.COM_id_range
 First Posix ID of the range: 866800000
 Number of IDs in the range: 200000
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 100000000
 Range type: local domain range

 Range name: ID.EXAMPLE.COM_legacy_range
 First Posix ID of the range: 1000
 Number of IDs in the range: 98899
 Range type: local domain range

 Range name: ID.EXAMPLE.COM_subid_range
 First Posix ID of the range: 2147483648
 Number of IDs in the range: 2147352576
 First RID of the corresponding RID range: 2147283648
 Domain SID of the trusted domain: S-1-5-21-538032-778436-45698521293
 Range type: Active Directory domain range
----------------------------
Number of entries returned 3
----------------------------

From: Florence Blanc-Renaud <f...@redhat.com>
Sent: Monday, January 22, 2024 11:50 PM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Dungan, Scott A. <sdun...@caltech.edu>
Subject: Re: [Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused 
web UI login and ipa command to stop working

Hi,

On Tue, Jan 23, 2024 at 1:05 AM Dungan, Scott A. via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
Thanks to Paul for all the leg work on this issue. Based on that, I can confirm 
that we have the same problem after updating to 4.9.12-11 from 4.9.11-7. 
Running the oddjob command to add SIDs to the user accounts fails after 
encountering UIDs outside of the default IPA range. It was able to get the 
admin account working though. We have 294 users with UIDs in the range of 1001 
to 99657. These were migrated from an ancient NIS domain when the IPA domain 
was provisioned. We tried adding a secondary IPA range that covers that scope:

ipa idrange-add ID.EXAMPLE.COM_legacy_range --base-id=1000 --range-size=98899

And then running the oddjob command again, but we get the sidgen errors still, 
plus an error about overlapping rid ranges:

[22/Jan/2024:15:09:50.398460268 -0800] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[22/Jan/2024:15:09:50.499604871 -0800] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [29034] into an unused SID.
[22/Jan/2024:15:09:50.499960197 -0800] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[22/Jan/2024:15:09:50.503257753 -0800] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
[22/Jan/2024:15:09:55.035779436 -0800] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=id,dc=example,dc=com
[22/Jan/2024:15:09:55.036238563 -0800] - ERR - schema-compat-plugin - Finished plugin initialization.
[22/Jan/2024:15:47:04.969286883 -0800] - ERR - ipa_range_check_pre_op - [file ipa_range_check.c, line 670]: New primary rid range overlaps with existing primary rid range.

I suspect that we may not have added the range correctly. We didn't pass the 
--rid-base= or --secondary-rid-base= flags/values as we were not sure what 
these values should be.

These values are important in order to generate the SIDs. Please read "The role of security 
and relative identifiers in IdM ID ranges" 
(https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index#con_the-role-of-security-and-relative-identifiers-in-idm-id-ranges_adjusting-id-ranges-manually) 
and "Security Identifiers" 
(https://freeipa.readthedocs.io/en/latest/designs/id-mapping.html#security-identifiers) 
to understand how they are used. You need to pick values that do not conflict with the 
ones for your initial range.

flo

Any help would be much appreciated.

Scott
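Alexander's explanation above (a SID reported as "already used" means the primary RID was taken and sidgen fell back to the secondary RID base) and Flo's point (the RID bases of a new range must not conflict with the initial range) both come down to a small amount of arithmetic that is easy to get wrong by guess-and-check. The following script is an added example, not FreeIPA's own code. It models the mapping from the FreeIPA ID-mapping design linked above, RID = rid_base + (posix_id - base_id), with the secondary RID base tried when the primary SID is taken, and adds a pre-flight overlap check for a proposed local range. The overlap logic and the `used_sids` set are this example's own model of the errors quoted in the thread, not the plugin's code; the domain SID, range names and numbers are constructed, modelled on the idrange-find listing above.

```python
"""Model of the POSIX-ID-to-SID mapping plus a pre-flight ID-range check.

Added example, not FreeIPA code.  RID formula per the FreeIPA ID-mapping
design: RID = rid_base + (posix_id - base_id); the secondary RID base is
used when the primary SID is already taken.  The overlap check and the
`used_sids` set are this example's own model of the thread's errors
("SID [...] is already used", "New primary rid range overlaps with
existing primary rid range").  All values below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int             # --base-id
    range_size: int          # --range-size
    rid_base: int            # --rid-base
    secondary_rid_base: int  # --secondary-rid-base

    def posix_ids(self) -> tuple[int, int]:
        """Half-open [first, last + 1) interval of POSIX IDs."""
        return (self.base_id, self.base_id + self.range_size)

    def primary_rids(self) -> tuple[int, int]:
        return (self.rid_base, self.rid_base + self.range_size)

    def secondary_rids(self) -> tuple[int, int]:
        return (self.secondary_rid_base, self.secondary_rid_base + self.range_size)

    def contains(self, posix_id: int) -> bool:
        first, end = self.posix_ids()
        return first <= posix_id < end


def _overlaps(a: tuple[int, int], b: tuple[int, int]) -> bool:
    """True when two half-open intervals share at least one value."""
    return a[0] < b[1] and b[0] < a[1]


def range_conflicts(existing: list[IdRange], proposed: IdRange) -> list[str]:
    """Describe every way `proposed` collides with the `existing` ranges.

    An empty list means the range is safe to add.  RID intervals are compared
    in every primary/secondary combination: a SID only has to be unique in the
    domain and does not record which RID base produced it.
    """
    problems: list[str] = []
    if _overlaps(proposed.primary_rids(), proposed.secondary_rids()):
        problems.append(f"{proposed.name}: primary and secondary RID ranges overlap")
    for other in existing:
        checks = [
            ("POSIX ID", other.posix_ids(), proposed.posix_ids()),
            ("primary RID", other.primary_rids(), proposed.primary_rids()),
            ("secondary RID", other.secondary_rids(), proposed.secondary_rids()),
            ("primary-vs-secondary RID", other.primary_rids(), proposed.secondary_rids()),
            ("secondary-vs-primary RID", other.secondary_rids(), proposed.primary_rids()),
        ]
        for label, theirs, ours in checks:
            if _overlaps(theirs, ours):
                problems.append(f"{label} range of {proposed.name} overlaps {other.name}")
    return problems


def posix_id_to_sid(domain_sid: str, ranges: list[IdRange], posix_id: int,
                    used_sids: set[str]) -> tuple[str, bool]:
    """Map a POSIX ID to a SID: primary RID first, secondary RID if that SID is
    taken.  Returns (sid, used_secondary)."""
    covering = next((r for r in ranges if r.contains(posix_id)), None)
    if covering is None:
        # No local range covers the ID: the "Cannot convert Posix ID [...] into
        # an unused SID" failure from the thread.
        raise LookupError(f"Posix ID [{posix_id}] is not covered by any local range")
    offset = posix_id - covering.base_id
    primary = f"{domain_sid}-{covering.rid_base + offset}"
    if primary not in used_sids:
        return primary, False
    secondary = f"{domain_sid}-{covering.secondary_rid_base + offset}"
    if secondary not in used_sids:
        return secondary, True
    raise LookupError(f"Posix ID [{posix_id}]: primary and secondary SIDs both in use")


# Constructed values, modelled on the idrange-find listing in the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
EXISTING = IdRange("ID.EXAMPLE.COM_id_range", 866800000, 200000, 1000, 100000000)
# A legacy range whose --rid-base collides with the primary RID range above.
LEGACY_BAD = IdRange("ID.EXAMPLE.COM_legacy_range", 1000, 98899, 1000, 200000000)
# The same POSIX span with RID bases clear of every existing interval.
LEGACY_OK = IdRange("ID.EXAMPLE.COM_legacy_range", 1000, 98899, 300000, 200000000)

if __name__ == "__main__":
    print(range_conflicts([EXISTING], LEGACY_BAD))   # one primary RID overlap
    print(range_conflicts([EXISTING], LEGACY_OK))    # []
    used: set[str] = set()
    sid, fallback = posix_id_to_sid(DOMAIN_SID, [EXISTING, LEGACY_OK], 29034, used)
    used.add(sid)
    print(sid, fallback)                             # primary RID 328034
    print(posix_id_to_sid(DOMAIN_SID, [EXISTING, LEGACY_OK], 29034, used))  # secondary
```

Run `range_conflicts` against the output of `ipa idrange-find` before `ipa idrange-add`; a non-empty list is the same condition the ipa_range_check plugin rejects with "New primary rid range overlaps with existing primary rid range". The second `posix_id_to_sid` call shows why a handful of "SID [...] is already used" lines are harmless: the entry still receives a unique SID from the secondary RID base.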

-----Original Message-----
From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Thursday, January 18, 2024 11:25 AM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Paul Nickerson <pgn...@gmail.com>; Rob Crittenden <rcrit...@redhat.com>
Subject: [Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web 
UI login and ipa command to stop working

Paul Nickerson via FreeIPA-users wrote:
I confirmed that users who had an ipaNTSecurityIdentifier attribute could log 
in to the web UI, and those that did not have the ipaNTSecurityIdentifier 
attribute could not.

I found the error in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors like you 
said:
[17/Jan/2024:20:28:09.571195828 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[17/Jan/2024:20:28:09.637675948 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1566000023] into an unused SID.
[17/Jan/2024:20:28:09.658369523 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[17/Jan/2024:20:28:09.666726494 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

I found some nice documentation at
https://access.redhat.com/solutions/394763

I used this command to see the ranges that I have configured:
ipa idrange-find

And these two commands to see the UIDs of the users who had not yet been given 
SIDs (some were inside the existing range; I think you're correct that the 
process stops at the first error):
ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W \
  -b "cn=users,cn=accounts,dc=semi,dc=example,dc=net" \
  "(!(ipaNTSecurityIdentifier=*))" uidNumber \
  | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n

ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W \
  -b "cn=deleted users,cn=accounts,cn=provisioning,dc=semi,dc=example,dc=net" \
  "(!(ipaNTSecurityIdentifier=*))" uidNumber \
  | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n

Here's some documentation on what ID and RID ranges are for:
https://www.freeipa.org/page/V3/ID_Ranges

After doing a bunch of math and guess and check, I ran this:
ipa idrange-add SEMI.EXAMPLE.NET_US150777_range --base-id=1441400000 \
  --range-size=531251000 --rid-base=101000000 \
  --secondary-rid-base=633000000

That gave me an additional range (confirmed with ipa idrange-find). I
ran ipa config-mod --enable-sid --add-sids again, saw no significant
errors in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors, and
confirmed that there were 0 users left with no
ipaNTSecurityIdentifier.

All users are all set now. Thank you again.

Glad to hear it and thank you for your detailed analysis. I think this
will be useful to other users that may run into this.




rob
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
