Thanks for the pointer. I found this https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts
  Enable SID usage and trigger the SIDgen task to generate SIDs for existing users and groups. This task might be resource-intensive:

  [root@server ~]# ipa config-mod --enable-sid --add-sids

I ran this but have not seen any SIDs in my users' accounts (only admin, which may have been from a NT AD test connection before my time).

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts

[nicholas.cross@ipa008 ~]$ ipa user-show admin --all | grep ipantsecurityidentifier
  ipantsecurityidentifier: S-1-5-21-2921078666-3132408961-2510132066-500
[nicholas.cross@ipa008 ~]$ ipa user-show nicholas.cross --all | grep ipantsecurityidentifier
[nicholas.cross@ipa008 ~]$ ipa user-find --all --disabled=False | awk -F: '/User login/{print $2}' | xargs -IUUU ipa user-show UUU --all | egrep "User login|ipantsecurityidentifier"
... long list with only admin with ipantsecurityidentifier specified.

How long does the sidgen task take to run?

The dirsrv error log:

[root@ipa008 slapd-AD-xxxxx-FM]# grep sidgen errors
[23/May/2023:11:57:06.008222790 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[23/May/2023:11:57:06.088656904 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [116] into an unused SID.
[23/May/2023:11:57:06.090924999 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[23/May/2023:11:57:06.095245986 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

thanks,
Nick

On Tue, 23 May 2023 at 12:11, Alexander Bokovoy <[email protected]> wrote:
> On Tue, 23 May 2023, Nicholas Cross via FreeIPA-users wrote:
> >Sorry I added far too much there.
> >
> >Here is slightly less when I grep for my name:
> >
> >[root@ipa011 ~]# tail -f /var/log/krb5kdc.log | grep nicholas
> >May 23 10:55:47 ipa011.ad.companyx.fm krb5kdc[4304](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.32.225.7: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> >
> >May 23 10:55:56 ipa011.ad.companyx.fm krb5kdc[4304](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.32.225.7: HANDLE_AUTHDATA: [email protected] for krbtgt/[email protected], No such file or directory
> >
> >I'm guessing it's this?
> >
> >[email protected] for krbtgt/[email protected], No such file or directory
>
> Yes, this is most likely a missing SID in your account.
>
> We have been talking about these issues over the past week or so on this
> list, please look at those discussions for recommendations.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
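The error log in the message above says sidgen could not convert Posix ID 116 into an unused SID. sidgen derives a SID from a POSIX ID by finding the ipa-local ID range (see `ipa idrange-find`) that covers the ID and adding the ID's offset within that range to the range's base RID; an ID that no local range covers, such as a low system-style UID like 116, has nothing to map it with and is left without a SID. The script below is an added example, not code from the thread or from FreeIPA itself: it pulls the failing Posix IDs out of a dirsrv errors log and checks each against a set of ID ranges, reproducing the RID arithmetic so an administrator can see which accounts the task will keep skipping. The range values are constructed, the domain SID is the one visible on the admin account in the thread, and the fallback to the secondary base RID when the primary SID is already in use is my understanding of sidgen's behaviour rather than something the thread states.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Domain SID taken from the admin account in the thread, with its -500 RID removed.
DOMAIN_SID = "S-1-5-21-2921078666-3132408961-2510132066"


@dataclass(frozen=True)
class IdRange:
    """One ipa-local ID range, using the attribute names `ipa idrange-show` reports."""
    name: str
    base_id: int             # ipaBaseID
    size: int                # ipaIDRangeSize
    base_rid: int            # ipaBaseRID
    secondary_base_rid: int  # ipaSecondaryBaseRID

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size


# Constructed sample range; the numbers are assumptions, not the poster's real range.
SAMPLE_RANGES = [IdRange("COMPANYX_id_range", 200000, 200000, 1000, 100000000)]


def sid_for_posix_id(posix_id: int, ranges: Iterable[IdRange],
                     existing_sids: Iterable[str] = ()) -> Optional[str]:
    """SID = domain SID + (base RID + offset of the ID within its covering range).
    If that SID is already taken, retry with the secondary base RID (assumed
    sidgen behaviour). Returns None when no local range covers the ID, which is
    the "Cannot convert Posix ID [...] into an unused SID" case in the log."""
    taken = set(existing_sids)
    for r in ranges:
        if not r.covers(posix_id):
            continue
        offset = posix_id - r.base_id
        for base_rid in (r.base_rid, r.secondary_base_rid):
            candidate = f"{DOMAIN_SID}-{base_rid + offset}"
            if candidate not in taken:
                return candidate
        return None  # both RID pools already used for this offset
    return None


SIDGEN_FAILURE = re.compile(
    r"find_sid_for_ldap_entry .*?Cannot convert Posix ID \[(\d+)\] into an unused SID")


def failed_posix_ids(errors_log: str) -> List[int]:
    """Every Posix ID that sidgen reported it could not convert."""
    return [int(m.group(1)) for m in SIDGEN_FAILURE.finditer(errors_log)]


def diagnose(errors_log: str, ranges: Iterable[IdRange]) -> Dict[int, Optional[str]]:
    """Map each failed Posix ID to the name of the local range covering it, or
    None when it lies outside every range (so the task has nothing to map it with)."""
    ranges = list(ranges)
    return {pid: next((r.name for r in ranges if r.covers(pid)), None)
            for pid in failed_posix_ids(errors_log)}


# Constructed log excerpt modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
[23/May/2023:11:57:06.008222790 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[23/May/2023:11:57:06.088656904 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [116] into an unused SID.
[23/May/2023:11:57:06.090924999 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[23/May/2023:11:57:06.095245986 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
"""

if __name__ == "__main__":
    for pid, covering in diagnose(SAMPLE_LOG, SAMPLE_RANGES).items():
        if covering is None:
            print(f"Posix ID {pid}: outside every ipa-local range, sidgen cannot assign a SID")
        else:
            print(f"Posix ID {pid}: in range {covering}, maps to "
                  f"{sid_for_posix_id(pid, SAMPLE_RANGES)}")
```

Run it against a real `/var/log/dirsrv/slapd-*/errors` file and the ranges from `ipa idrange-find` to get the list of entries to fix; the usual remedies are to move the affected account's UID/GID into the local range or to add a range that covers it, after which the sidgen task can be re-run.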
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
