Thanks to Paul for all the leg work on this issue. Based on that, I can confirm 
that we have the same problem after updating to 4.9.12-11 from 4.9.11-7. 
Running the oddjob command to add SIDs to the user accounts fails after 
encountering UIDs outside of the default IPA range. It was able to get the 
admin account working though. We have 294 users with UIDs in the range of 1001 
to 99657. These were migrated from an ancient NIS domain when the IPA domain 
was provisioned. We tried adding a secondary IPA range that covers that scope:

ipa idrange-add ID.EXAMPLE.COM_legacy_range --base-id=1000 --range-size=98899 

And then running the oddjob command again, but we get the sidgen errors still, 
plus an error about overlapping rid ranges:

[22/Jan/2024:15:09:50.398460268 -0800] - ERR - sidgen_task_thread - [file 
ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[22/Jan/2024:15:09:50.499604871 -0800] - ERR - find_sid_for_ldap_entry - [file 
ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [29034] into an unused 
SID.
[22/Jan/2024:15:09:50.499960197 -0800] - ERR - do_work - [file 
ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[22/Jan/2024:15:09:50.503257753 -0800] - ERR - sidgen_task_thread - [file 
ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
[22/Jan/2024:15:09:55.035779436 -0800] - ERR - schema-compat-plugin - warning: 
no entries set up under cn=computers, cn=compat,dc=id,dc=example,dc=com
[22/Jan/2024:15:09:55.036238563 -0800] - ERR - schema-compat-plugin - Finished 
plugin initialization.
[22/Jan/2024:15:47:04.969286883 -0800] - ERR - ipa_range_check_pre_op - [file 
ipa_range_check.c, line 670]: New primary rid range overlaps with existing 
primary rid range.

I suspect that we may not have added the range correctly. We didn't pass the 
--rid-base= or --secondary-rid-base= flags/values as we were not sure what 
these values should be. 

Any help would be much appreciated. 

Scott

-----Original Message-----
From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> 
Sent: Thursday, January 18, 2024 11:25 AM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Paul Nickerson <pgn...@gmail.com>; Rob Crittenden <rcrit...@redhat.com>
Subject: [Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web 
UI login and ipa command to stop working

Paul Nickerson via FreeIPA-users wrote:
> I confirmed that users who had an ipaNTSecurityIdentifier attribute could log 
> in to the web UI, and those that did not have the ipaNTSecurityIdentifier 
> attribute could not.
> 
> I found the error in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors like you 
> said:
> [17/Jan/2024:20:28:09.571195828 +0000] - ERR - sidgen_task_thread - [file 
> ipa_sidgen_task.c, line 194]: Sidgen task starts ...
> [17/Jan/2024:20:28:09.637675948 +0000] - ERR - find_sid_for_ldap_entry - 
> [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1566000023] 
> into an unused SID.
> [17/Jan/2024:20:28:09.658369523 +0000] - ERR - do_work - [file 
> ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
> [17/Jan/2024:20:28:09.666726494 +0000] - ERR - sidgen_task_thread - [file 
> ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
> 
> I found some nice documentation at 
> https://access.redhat.com/solutions/394763
> 
> I used this command to see the ranges that I have configured:
> ipa idrange-find
> 
> And these two commands to see the UIDs of the users who had not yet been 
> given SIDs (some were inside the existing range; I think you're correct that 
> the process stops at the first error): 
> ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory 
> Manager" -W -b "cn=users,cn=accounts,dc=semi,dc=example,dc=net" 
> "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v 
> "# requesting: " | sed 's/uidNumber: //' | sort -n
> 
> ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory 
> Manager" -W -b "cn=deleted 
> users,cn=accounts,cn=provisioning,dc=semi,dc=example,dc=net" 
> "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v 
> "# requesting: " | sed 's/uidNumber: //' | sort -n
> 
> Here's some documentation on what ID and RID ranges are for: 
> https://www.freeipa.org/page/V3/ID_Ranges
> 
> After doing a bunch of math and guess and check, I ran this:
> ipa idrange-add SEMI.EXAMPLE.NET_US150777_range --base-id=1441400000 
> --range-size=531251000 --rid-base=101000000 
> --secondary-rid-base=633000000
> 
> That gave me an additional range (confirmed with ipa idrange-find). I ran ipa 
> config-mod --enable-sid --add-sids again, saw no significant errors in 
> /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors, and confirmed that there were 
> 0 users left with no ipaNTSecurityIdentifier.
> 
> All users are all set now. Thank you again.

Glad to hear it and thank you for your detailed analysis. I think this will be 
useful to other users that may run into this.

rob
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
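The range arithmetic behind both failures in this thread, the sidgen error for a POSIX ID that no range with RID bases covers and the refusal to add a range whose RID space collides with an existing one, as an added Python model that is neither FreeIPA's code nor anything posted above. It follows the scheme in the linked V3 ID Ranges design (RID = rid_base + (posix_id - base_id), users on the primary RID base, groups on the secondary one); the domain SID and the RID bases of the default-style range are constructed placeholders, not IPA's actual defaults.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # placeholder, not a real domain SID

@dataclass(frozen=True)
class IdRange:
    """One ipa idrange entry; None for a RID base means the flag was not passed."""
    name: str
    base_id: int                              # --base-id
    range_size: int                           # --range-size
    rid_base: Optional[int] = None            # --rid-base
    secondary_rid_base: Optional[int] = None  # --secondary-rid-base

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.range_size

    def rid_intervals(self) -> Iterator[Tuple[str, int, int]]:
        """(label, first RID, one past the last RID) for each RID base that is set."""
        for label, base in (("primary", self.rid_base), ("secondary", self.secondary_rid_base)):
            if base is not None:
                yield label, base, base + self.range_size

def sid_for_posix_id(ranges: List[IdRange], posix_id: int, is_user: bool = True) -> Optional[str]:
    """SID for a POSIX ID: RID = rid_base + (posix_id - base_id), users on the primary base,
    groups on the secondary one.  None when no covering range has the needed base, which is
    the situation behind 'Cannot convert Posix ID [...] into an unused SID'."""
    for r in ranges:
        if r.contains(posix_id):
            base = r.rid_base if is_user else r.secondary_rid_base
            return None if base is None else f"{DOMAIN_SID}-{base + (posix_id - r.base_id)}"
    return None

def rid_overlaps(new: IdRange, existing: List[IdRange]) -> List[Tuple[str, str, str]]:
    """Every (new interval, existing range, existing interval) whose RID spaces intersect,
    i.e. what 'New primary rid range overlaps with existing primary rid range' reports."""
    clashes = []
    for new_label, ns, ne in new.rid_intervals():
        for r in existing:
            for old_label, es, ee in r.rid_intervals():
                if ns < ee and es < ne:  # half-open intervals intersect
                    clashes.append((new_label, r.name, old_label))
    return clashes

# Constructed ranges: a default-style range (RID bases are made-up, not IPA's defaults) and
# the thread's legacy range once as submitted (no RID bases) and once with non-clashing bases.
DEFAULT_RANGE = IdRange("ID.EXAMPLE.COM_id_range", 1566000000, 200000, 1000, 100000000)
LEGACY_NO_RIDS = IdRange("ID.EXAMPLE.COM_legacy_range", 1000, 98899)
LEGACY_WITH_RIDS = IdRange("ID.EXAMPLE.COM_legacy_range", 1000, 98899, 300000, 400000)
```

Run `rid_overlaps(candidate, existing)` against the output of `ipa idrange-find` before issuing `ipa idrange-add`; an empty list means the RID bases chosen will not be refused.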
