On Tue, 23 May 2023, Nicholas Cross wrote:
Thanks for the pointer.

I found this
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts


Enable SID usage and trigger the SIDgen task to generate SIDs for existing
users and groups. This task might be resource-intensive:
[root@server ~]# ipa config-mod --enable-sid --add-sids

I ran this but have not seen any SIDs in my user accounts (only admin,
which may have been from an NT AD test connection before my time).

[nicholas.cross@ipa008 ~]$ ipa user-show admin --all | grep ipantsecurityidentifier
 ipantsecurityidentifier: S-1-5-21-2921078666-3132408961-2510132066-500

[nicholas.cross@ipa008 ~]$ ipa user-show nicholas.cross --all | grep ipantsecurityidentifier

[nicholas.cross@ipa008 ~]$ ipa user-find --all --disabled=False | awk -F: '/User login/{print $2}' | xargs -IUUU ipa user-show UUU --all | egrep "User login|ipantsecurityidentifier"
 ... long list, with only admin having an ipantsecurityidentifier specified.


How long does the sidgen take to run?

The dirsrv error log:

[root@ipa008 slapd-AD-xxxxx-FM]# grep sidgen errors
[23/May/2023:11:57:06.008222790 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[23/May/2023:11:57:06.088656904 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [116] into an unused SID.
[23/May/2023:11:57:06.090924999 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[23/May/2023:11:57:06.095245986 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

As I said, please look at the previous discussions on this list; they
cover your situation as well. You have POSIX ID 116, which is not covered
by any ID range, hence it cannot have a SID associated with it.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
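A check for the situation described in this reply, added here as an example that is not part of the thread: it parses `ipa idrange-find` output (field labels assumed from the IPA CLI; all sample data is constructed) and lists users whose uidNumber or gidNumber falls outside every ID range, which are exactly the entries SIDgen cannot assign a SID to.

```python
import re

# Constructed sample of `ipa idrange-find` output (field labels assumed from the IPA CLI).
SAMPLE_IDRANGE_OUTPUT = """\
  Range name: EXAMPLE.TEST_id_range
  First Posix ID of the range: 1868600000
  Number of IDs in the range: 200000
  Range type: local domain range
"""

# Constructed (login, uidNumber, gidNumber) tuples as `ipa user-find --all` would list them;
# 116 mirrors the POSIX ID that the dirsrv log above rejects.
SAMPLE_USERS = [
    ("admin", 1868600000, 1868600000),
    ("nicholas.cross", 116, 116),
    ("svc-backup", 1868600042, 1868600042),
]

FIELDS = {
    "Range name": "name",
    "First Posix ID of the range": "base",
    "Number of IDs in the range": "size",
}

def parse_idranges(text):
    """Return [(name, first_id, last_id)] parsed from idrange-find output."""
    ranges, cur = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+?)\s*$", line)
        if m and m.group(1) in FIELDS:
            cur[FIELDS[m.group(1)]] = m.group(2)
        if len(cur) == 3:  # one complete range record collected
            base, size = int(cur["base"]), int(cur["size"])
            ranges.append((cur["name"], base, base + size - 1))
            cur = {}
    return ranges

def covered(posix_id, ranges):
    """True if posix_id falls inside at least one ID range."""
    return any(lo <= posix_id <= hi for _, lo, hi in ranges)

def uncovered_users(users, ranges):
    """Users whose uidNumber or gidNumber lies outside every range: SIDgen cannot give them a SID."""
    return [(login, uid, gid) for login, uid, gid in users
            if not (covered(uid, ranges) and covered(gid, ranges))]
```

Feed it the real output of `ipa idrange-find` and your user list to see which entries need to be moved into a range (or have a range added) before re-running `ipa config-mod --add-sids`.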
_______________________________________________
FreeIPA-users mailing list -- [email protected]