On Fri, 18 Dec 2020, Kiselev Mikhail via FreeIPA-users wrote:
Thanks, this is my case:
"Running 'ipa-adtrust-install --add-sids' might still not produce SIDs
for some users and groups because their UIDs/GIDs might be out of the ID
range associated with the IPA deployment. This is a common issue for users
migrated from a different LDAP server with 'ipa migrate-ds' because
those accounts most likely have UIDs/GIDs from a completely different
range.
Either they need UIDs/GIDs to be allocated from the IPA ID range or a new ID
range should be created to cover their UIDs/GIDs range. The latter
requires understanding how ID ranges are organized. I'd recommend you
read 'ipa help idrange' carefully."
Yep. See
https://www.redhat.com/archives/freeipa-users/2017-February/msg00114.html
On 18.12.2020 17:31, Alexander Bokovoy wrote:
As I answered already in the FreeIPA ticket you created, the issue is
within the content of your migrated user's entry.
In order to allow creating the ipaNTHash attribute:
 - IPA configuration should allow storing NT hashes
 - the LDAP entry should already have objectclass ipaNTUserAttrs or
sambaSamAccount
 - the user has to change the password
As IPA users already have ipaNTHash, the first two conditions are
satisfied (globally and for the specific user object). IPA users are
required to change their password before use, so the third condition is
satisfied as well.
For migrated users, the most likely situation is that they have no
ipaNTUserAttrs objectclass. You cannot easily add it yourself because
the ipaNTUserAttrs object class requires the ipaNTSecurityIdentifier
attribute, whose value (SID) is autogenerated and tightly connected to the ID
ranges associated with the IPA deployment.
Adding SIDs to users/groups that don't have them requires running
'ipa-adtrust-install --add-sids' on an IPA server that has the Trust
Controller role.
Running 'ipa-adtrust-install --add-sids' might still not produce SIDs
for some users and groups because their UIDs/GIDs might be out of the ID
range associated with the IPA deployment. This is a common issue for users
migrated from a different LDAP server with 'ipa migrate-ds' because
those accounts most likely have UIDs/GIDs from a completely different
range.
Either they need UIDs/GIDs to be allocated from the IPA ID range or a new ID
range should be created to cover their UIDs/GIDs range. The latter
requires understanding how ID ranges are organized. I'd recommend you
read 'ipa help idrange' carefully.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
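The practical check behind the thread above: which migrated accounts still lack a SID, and whether their uidNumber falls inside any ipa-local ID range (if it does not, 'ipa-adtrust-install --add-sids' will skip them). The script below is an added example, not code from the thread or from FreeIPA itself. It parses LDIF of the kind that ldapsearch returns for the cn=ranges,cn=etc entries and for users without ipaNTSecurityIdentifier; the LDIF embedded here is constructed sample data, the range name EXAMPLE.COM_migrated_range is made up, and the way it picks RID bases for the proposed range (just above the RIDs the existing local range already uses) is one reasonable choice, not a FreeIPA rule. Read 'ipa help idrange' before running the 'ipa idrange-add' line it prints, then re-run 'ipa-adtrust-install --add-sids'.

```python
import base64
import re

# Constructed sample LDIF (not captured from a real server).  It mimics
#   ldapsearch -Y GSSAPI -b cn=ranges,cn=etc,dc=example,dc=com '(objectClass=ipaIDrange)'
# and
#   ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com \
#       '(&(objectClass=posixAccount)(!(ipaNTSecurityIdentifier=*)))' uid uidNumber
SAMPLE_RANGES_LDIF = """\
dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
objectClass: ipaIDrange
cn: EXAMPLE.COM_id_range
ipaBaseID: 1498200000
ipaIDRangeSize: 200000
ipaBaseRID: 1000
ipaSecondaryBaseRID: 100000000
ipaRangeType: ipa-local

dn: cn=AD.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
objectClass: ipaIDrange
cn: AD.EXAMPLE.COM_id_range
ipaBaseID: 1600000000
ipaIDRangeSize: 200000
ipaBaseRID: 0
ipaRangeType: ipa-ad-trust
"""

# alice was created in IPA; bob and carol were migrated with 'ipa migrate-ds'
# and kept their old UIDs.
SAMPLE_USERS_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
uidNumber: 1498200010

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
uidNumber: 5001

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
uidNumber: 5042
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank line ends an entry, a leading space
    continues the previous line, '::' marks a base64 value, '#' is a comment.
    Attribute names are lowercased because LDAP treats them case-insensitively."""
    lines = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if line.startswith("#") or not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value)
    return entries


def id_ranges(entries):
    """Extract the fields of every ipaIDrange entry."""
    out = []
    for e in entries:
        if "ipaidrange" not in [oc.lower() for oc in e.get("objectclass", [])]:
            continue
        out.append({
            "name": e["cn"][0],
            "type": e["iparangetype"][0],
            "base_id": int(e["ipabaseid"][0]),
            "size": int(e["ipaidrangesize"][0]),
            "rid_base": int(e["ipabaserid"][0]) if "ipabaserid" in e else None,
            "secondary_rid_base": int(e["ipasecondarybaserid"][0]) if "ipasecondarybaserid" in e else None,
        })
    return out


def covering_range(uid_number, ranges):
    """The ipa-local range whose [base_id, base_id+size) holds uid_number, or None.
    Trust ranges (ipa-ad-trust) do not count: their SIDs belong to the AD domain."""
    for r in ranges:
        if r["type"] == "ipa-local" and r["base_id"] <= uid_number < r["base_id"] + r["size"]:
            return r
    return None


def users_without_local_range(user_entries, ranges):
    """(uid, uidNumber) for every user that no ipa-local range covers."""
    return [(e["uid"][0], int(e["uidnumber"][0])) for e in user_entries
            if covering_range(int(e["uidnumber"][0]), ranges) is None]


def propose_local_range(name, uncovered, ranges, granularity=1000):
    """Propose an ipa-local range covering the uncovered IDs (rounded to
    'granularity') with primary/secondary RID bases placed above the RIDs
    existing local ranges use.  Raises if IDs or RIDs would overlap."""
    ids = [n for _, n in uncovered]
    base_id = (min(ids) // granularity) * granularity
    size = -(-(max(ids) + 1 - base_id) // granularity) * granularity
    local = [r for r in ranges if r["type"] == "ipa-local"]
    rid_base = max(r["rid_base"] + r["size"] for r in local)
    secondary = max(r["secondary_rid_base"] + r["size"] for r in local)
    overlaps = lambda a, b: a[0] < b[1] and b[0] < a[1]
    for r in ranges:
        if overlaps((base_id, base_id + size), (r["base_id"], r["base_id"] + r["size"])):
            raise ValueError(f"proposed IDs overlap range {r['name']}")
    used_rids = [(r["rid_base"], r["rid_base"] + r["size"]) for r in local]
    used_rids += [(r["secondary_rid_base"], r["secondary_rid_base"] + r["size"]) for r in local]
    for new in ((rid_base, rid_base + size), (secondary, secondary + size)):
        if any(overlaps(new, u) for u in used_rids):
            raise ValueError("proposed RID interval overlaps an existing one")
    cmd = (f'ipa idrange-add "{name}" --base-id={base_id} --range-size={size} '
           f'--rid-base={rid_base} --secondary-rid-base={secondary}')
    return {"base_id": base_id, "size": size, "rid_base": rid_base,
            "secondary_rid_base": secondary, "command": cmd}


if __name__ == "__main__":
    ranges = id_ranges(parse_ldif(SAMPLE_RANGES_LDIF))
    missing = users_without_local_range(parse_ldif(SAMPLE_USERS_LDIF), ranges)
    for uid, n in missing:
        print(f"{uid}: uidNumber {n} is outside every ipa-local range; --add-sids will skip it")
    if missing:
        print("proposed:", propose_local_range("EXAMPLE.COM_migrated_range", missing, ranges)["command"])
```

On the sample data this reports bob and carol and proposes a 5000-5999 range; alice is inside the deployment's own range and so already gets a SID from --add-sids. Allocating the migrated accounts new UIDs/GIDs from the IPA range is the other option Alexander mentions, and it avoids adding a range at all, at the cost of renumbering files and group memberships.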