GoNiS wrote:
> Thanks Rob!
>
> When I look into the error log I see:
The message you're looking for is:

find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [10000] into an unused SID.

You have a user with no range so a SID can't be enabled. There are other examples in this thread of creating a new range to cover it.

rob

>
> ...
>
> [13/Jun/2023:18:30:53.058701401 +0200] - ERR - schema-compat-plugin -
> scheduled schema-compat-plugin tree scan in about 5 seconds after the
> server startup!
> [13/Jun/2023:18:30:53.078910058 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=dns,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.081500273 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=dns,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.084253592 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=keys,cn=sec,cn=dns,dc=hep,dc=uniovi,dc=es does not
> exist
> [13/Jun/2023:18:30:53.086865691 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=dns,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.089468791 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=dns,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.092068944 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=groups,cn=compat,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.094507326 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=computers,cn=compat,dc=hep,dc=uniovi,dc=es does not
> exist
> [13/Jun/2023:18:30:53.096914953 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=ng,cn=compat,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.099463420 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target ou=sudoers,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.102039228 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=users,cn=compat,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.104762312 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.107239054 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.109782955 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.112299485 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.115404234 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.117701343 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.119978509 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.122198973 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.124391291 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.126577163 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.129501045 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=vaults,cn=kra,dc=hep,dc=uniovi,dc=es does not exist
> [13/Jun/2023:18:30:53.156125691 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=hep,dc=uniovi,dc=es does not
> exist
> [13/Jun/2023:18:30:53.158550399 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=hep,dc=uniovi,dc=es does not
> exist
> [13/Jun/2023:18:30:53.281641571 +0200] - WARN - NSACLPlugin - acl_parse
> - The ACL target cn=automember rebuild membership,cn=tasks,cn=config
> does not exist
> [13/Jun/2023:18:30:53.291514083 +0200] - INFO - slapi_vattrspi_regattr -
> Because krbPwdPolicyReference is a new registered virtual attribute ,
> nsslapd-ignore-virtual-attrs was set to 'off'
> [13/Jun/2023:18:30:53.294705207 +0200] - ERR - cos-plugin -
> cos_dn_defs_cb - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=hep,dc=uniovi,dc=es--no CoS Templates found, which
> should be added before the CoS Definition.
> [13/Jun/2023:18:30:53.368375597 +0200] - ERR - schema-compat-plugin -
> schema-compat-plugin tree scan will start in about 5 seconds!
> [13/Jun/2023:18:30:53.371558464 +0200] - INFO - slapd_daemon - slapd
> started. Listening on All Interfaces port 389 for LDAP requests
> [13/Jun/2023:18:30:53.373717263 +0200] - INFO - slapd_daemon - Listening
> on All Interfaces port 636 for LDAPS requests
> [13/Jun/2023:18:30:53.375812804 +0200] - INFO - slapd_daemon - Listening
> on /run/slapd-HEP-UNIOVI-ES.socket for LDAPI requests
> [13/Jun/2023:18:30:53.684208319 +0200] - ERR - sidgen_task_thread -
> [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
> [13/Jun/2023:18:30:53.715940639 +0200] - ERR - find_sid_for_ldap_entry -
> [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [10000]
> into an unused SID.
> [13/Jun/2023:18:30:53.718204134 +0200] - ERR - do_work - [file
> ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
> [13/Jun/2023:18:30:53.720659122 +0200] - ERR - sidgen_task_thread -
> [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
> [13/Jun/2023:18:30:58.389970158 +0200] - ERR - schema-compat-plugin -
> warning: no entries set up under ou=sudoers,dc=hep,dc=uniovi,dc=es
> [13/Jun/2023:18:30:58.392957245 +0200] - ERR - schema-compat-plugin -
> warning: no entries set up under cn=ng, cn=compat,dc=hep,dc=uniovi,dc=es
> [13/Jun/2023:18:30:58.468087968 +0200] - ERR - schema-compat-plugin -
> warning: no entries set up under cn=computers,
> cn=compat,dc=hep,dc=uniovi,dc=es
> [13/Jun/2023:18:30:58.470451507 +0200] - ERR - schema-compat-plugin -
> Finished plugin initialization.
> ...
>
> The last few lines seem to be the more important, right? Unfortunately
> I don't know how to fix it or why this is causing a problem after the
> last update. Any help or hint is very much welcome.
>
> Isidro
>
> On 13/06/2023 at 16:34, Rob Crittenden wrote:
>> GoNiS via FreeIPA-users wrote:
>>> I tried the trick of running:
>>>
>>> ipa config-mod --add-sids --enable-sid
>>>
>>> on my 2 ipa servers (one in 8 and one in 9) and it did not cure the
>>> authentication problem for my clients hitting the newest server.
>>>
>>> The disable_pac=true trick did the work, but it is unsafe.
>>>
>>> I wonder if I need to issue the ipa idrange... command as proposed by
>>> Charles some messages above.
>> You should look in /var/log/dirsrv/slapd-REALM/error_log to see if the
>> sids enablement ran into problems. It should tell you where it failed,
>> if it did.
>>
>> rob
>>
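
The check described in this thread, as an added example that is not part of the original messages or of FreeIPA's code: it pulls the sidgen failures out of a dirsrv error_log and reports which POSIX IDs fall outside every ID range. The function names and `SAMPLE_RANGES` are assumptions made for illustration; real range values come from `ipa idrange-find`.

```python
import re

# Messages written by the sidgen task to the dirsrv error_log (as seen in the thread).
CONVERT_FAIL = re.compile(r"Cannot convert Posix ID \[(\d+)\] into an unused SID")
TASK_DONE = re.compile(r"Sidgen task finished \[(\d+)\]")

def failed_posix_ids(log_text):
    """Sorted, de-duplicated POSIX IDs for which no SID could be generated."""
    return sorted({int(m.group(1)) for m in CONVERT_FAIL.finditer(log_text)})

def last_sidgen_status(log_text):
    """Status code of the most recent sidgen run, or None if none was logged."""
    codes = TASK_DONE.findall(log_text)
    return int(codes[-1]) if codes else None

def uncovered_ids(posix_ids, ranges):
    """IDs that lie outside every (first_posix_id, size) range."""
    return [i for i in posix_ids
            if not any(first <= i < first + size for first, size in ranges)]

def triage(log_text, ranges):
    """Summarise a sidgen run: exit status, failed IDs, and those with no range."""
    ids = failed_posix_ids(log_text)
    return {"status": last_sidgen_status(log_text),
            "failed_ids": ids,
            "no_range": uncovered_ids(ids, ranges)}

# Error-log entries quoted in the thread, unwrapped to one entry per line.
SAMPLE_LOG = """\
[13/Jun/2023:18:30:53.684208319 +0200] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[13/Jun/2023:18:30:53.715940639 +0200] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [10000] into an unused SID.
[13/Jun/2023:18:30:53.718204134 +0200] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[13/Jun/2023:18:30:53.720659122 +0200] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
"""

# Constructed sample: one (first POSIX ID, number of IDs) range, not taken from the thread.
SAMPLE_RANGES = [(1234400000, 200000)]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_RANGES))
```

An ID listed under `no_range` is the case Rob describes: a user whose POSIX ID no range covers. A failed ID that is covered by a range needs a separate look.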