Tien Cao Huy via FreeIPA-users wrote:
> Dear,
>
> Thanks, I've seen that freeipa-server-master.domain.com is set.
>
> ipa-replica-manage dnarange-show
> freeipa-repl01.domain.com: 748451708-748458499
> freeipa-repl02.domain.com: 748476502-748488999
> freeipa-server-master.domain.com: 748458501-748464499
>
> [root@freeipa-server-master /]# ipa idrange-find --all --raw
> ----------------
> 2 ranges matched
> ----------------
> dn: cn=DOMAIN.COM_id_range,cn=ranges,cn=etc,dc=domain,dc=com
> cn: DOMAIN.COM_id_range
> ipabaseid: 748400000
> ipaidrangesize: 200000
> ipabaserid: 1000
> ipasecondarybaserid: 100000000
> iparangetype: ipa-local
> objectclass: top
> objectclass: ipaIDrange
> objectclass: ipaDomainIDRange
>
> dn: cn=DOMAIN.COM_subid_range,cn=ranges,cn=etc,dc=domain,dc=com
> cn: DOMAIN.COM_subid_range
> ipabaseid: 2147483648
> ipaidrangesize: 2147352576
> ipabaserid: 2147283648
> ipanttrusteddomainsid: S-1-5-21-738065-838566-263965391
> iparangetype: ipa-ad-trust
> objectclass: top
> objectclass: ipaIDrange
> objectclass: ipaTrustedADDomainRange
> ----------------------------
> Number of entries returned 2
> ----------------------------
> So, when I've executed command ipa config-mod --enable-sid --add-sids on the
> server freeipa-server-master it shows:
> Maximum username length: 32
> Maximum hostname length: 64
> Home directory base: /home
> Default shell: /bin/bash
> Default users group: ipausers
> Default e-mail domain: domain.com.vn
> Search time limit: 2
> Search size limit: 10000
> User search fields: uid,givenname,sn,mail,fasIRCNick
> Group search fields: cn,description
> Enable migration mode: False
> Certificate Subject base: O=DOMAIN.COM
> Password Expiration Notification (days): 4
> Password plugin features: AllowNThash
> SELinux user map order:
> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> Default SELinux user: unconfined_u:s0-s0:c0.c1023
> Default PAC types: MS-PAC, nfs:NONE
> Default user authentication types: password
> IPA masters: freeipa-repl01.domain.com, freeipa-repl02.domain.com,
> freeipa-server-master.domain.com
> IPA master capable of PKINIT: freeipa-repl01.domain.com,
> freeipa-repl02.domain.com, freeipa-server-master.domain.com
> IPA CA servers: freeipa-repl01.domain.com, freeipa-repl02.domain.com,
> freeipa-server-master.domain.com
> IPA CA renewal master: freeipa-repl02.domain.com
> But all users without an ipaNTSecurityIdentifier are not generated and unable
> to log in to the WebUI on the freeipa-server-master (the new replica server)
>
I believe you want to look in /var/log/dirsrv/slapd-REALM/errors for any
failures related to sid generation.

rob
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
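
An added example, not part of the thread and not FreeIPA's own code: it parses the `ipa idrange-find --all --raw` output quoted above and reports which POSIX IDs fall outside every `ipa-local` range. It assumes SID generation derives the RID as `ipabaserid + (id - ipabaseid)` and has nothing to map an ID that no local range covers; the function names are hypothetical and the ID 1001 used when trying it out is a constructed value.

```python
# Constructed input: the two range entries from the quoted output, trimmed
# to the attributes this check reads.
IDRANGE_RAW = """\
dn: cn=DOMAIN.COM_id_range,cn=ranges,cn=etc,dc=domain,dc=com
cn: DOMAIN.COM_id_range
ipabaseid: 748400000
ipaidrangesize: 200000
ipabaserid: 1000
ipasecondarybaserid: 100000000
iparangetype: ipa-local

dn: cn=DOMAIN.COM_subid_range,cn=ranges,cn=etc,dc=domain,dc=com
cn: DOMAIN.COM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
iparangetype: ipa-ad-trust
"""


def parse_ranges(raw):
    """Split --raw output into one dict per blank-line-separated entry."""
    ranges = []
    for block in raw.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:  # skips banner lines such as "2 ranges matched"
                entry[key.strip()] = value.strip()
        ranges.append(entry)
    return ranges


def primary_rid(posix_id, ranges):
    """RID for posix_id, or None when no ipa-local range covers it.

    Assumption (not stated in the thread): RID = ipabaserid + offset in range.
    """
    for r in ranges:
        if r.get("iparangetype") != "ipa-local" or "ipabaserid" not in r:
            continue
        base, size = int(r["ipabaseid"]), int(r["ipaidrangesize"])
        if base <= posix_id < base + size:
            return int(r["ipabaserid"]) + (posix_id - base)
    return None


def uncovered(posix_ids, ranges):
    """IDs for which no RID can be derived from the local ranges."""
    return [i for i in posix_ids if primary_rid(i, ranges) is None]
```

Feeding `uncovered()` the uidNumber and gidNumber values of the entries that still lack `ipaNTSecurityIdentifier` narrows down which accounts to look for in the errors log.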