Ok, maybe you are missing some id range...
Let's check this page, just to point in the right direction:

https://www.linuxsysadmins.com/ipa-error-4203-databaseerror/

(I had that error, after a couple of migrations: CentOS 7 -> CentOS 8 stream -> RHEL 9).

Briefly:
- "ipa idrange-find" should give id range (and subid range, but ignore it for now): write down "First Posix ID..." and "Number of IDs..."
- "ipa-replica-manage dnarange-show" should give current dna ranges (maybe you have no dna range right now)
- create dna ranges with "ipa-replica-manage dnarange-set server1.ipa.example.com 10000-20000" for every domain controller (range should be different for every server and included in the range you got from idrange-find)

If you manage to have correct ID ranges (and DNA ranges), don't forget to fire the SID creation command at the end.

This procedure helped me solve it; I don't know if this is the correct way to go. Maybe some list guru out there can correct me.

Good luck.
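As an added illustration of the range checks described above (example code, not from the thread or from the FreeIPA project), the script below parses constructed samples of the two commands' output, verifies that every server's DNA range lies inside the domain ID range without overlapping another server's, and tests whether EDIPI-style UIDs fall inside the range. The numbers are made up, and the "server: low-high" / "server: No range set" line format of dnarange-show is assumed.

```shell
#!/bin/sh
# Added example: sanity-check DNA ranges against the domain ID range and
# test whether given UIDs fall inside it. The outputs below are CONSTRUCTED
# samples with made-up numbers; in production, pipe the real
# `ipa idrange-find` / `ipa-replica-manage dnarange-show` output into the
# same functions. The dnarange-show line format is assumed.
IDRANGE_OUT='  Range name: domain_id_range
  First Posix ID of the range: 824000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000'
DNA_OUT='ipa1.example.test: 824000000-824099999
ipa2.example.test: 824100000-824199999
ipa3.example.test: 824150000-824250000'

# Print "<first> <last>" POSIX IDs of the first range in idrange-find output (stdin).
idrange_bounds() {
    awk -F': ' '/First Posix ID of the range/ {f=$2}
                /Number of IDs in the range/ {print f, f+$2-1; exit}'
}

# Succeed if UID $1 lies inside the range $2..$3.
uid_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Read dnarange-show output on stdin; every server must have a range, each range
# must sit inside $1..$2, and no two may overlap. Reports problems, returns 1 if any.
check_dna_ranges() {
    awk -v first="$1" -v last="$2" -F'[: -]+' '
        $2 == "No" { print $1 ": no DNA range set"; bad=1 }
        $2 ~ /^[0-9]+$/ {
            n++; srv[n]=$1; lo[n]=$2; hi[n]=$3
            if (lo[n] < first || hi[n] > last) { print $1 ": outside the ID range"; bad=1 }
            for (i=1; i<n; i++)
                if (lo[n] <= hi[i] && lo[i] <= hi[n]) { print $1 " overlaps " srv[i]; bad=1 }
        }
        END { if (!n) { print "no DNA ranges set"; bad=1 }; exit bad+0 }'
}

bounds=$(printf '%s\n' "$IDRANGE_OUT" | idrange_bounds)
FIRST=${bounds% *}; LAST=${bounds#* }
echo "ID range: $FIRST-$LAST"
printf '%s\n' "$DNA_OUT" | check_dna_ranges "$FIRST" "$LAST" && echo "DNA ranges OK"
for uid in 1004201873 1658224121; do   # EDIPI-style UIDs like those in the thread
    uid_in_range "$uid" "$FIRST" "$LAST" || echo "uid $uid is outside the ID range"
done
```

With the sample data the third server is reported both as outside the ID range and as overlapping the second, and both EDIPI-style UIDs are reported outside the range, which is the situation the original poster describes.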

On 31/01/2024 18:17, Steve Berg via FreeIPA-users wrote:
Yep, most of the users do not have that SID.  Looks like just users that are in the ID range because they don't have an EDIPI or users that were created recently.

Ran the --enable-sid and --add-sids but nothing changed.  All the users that were missing the SID before still are.

On 1/31/24 10:06, Giulio Casella via FreeIPA-users wrote:
Uhm.. I had a similar problem recently (but not identical), and it smells like a missing SID problem.

You can try:

ipa user-show admin --all | grep -i ipantsecurityidentifier

You should see the SID for user admin.
Now try the same with your account:

ipa user-show <yourusername> --all | grep -i ipantsecurityidentifier

If nothing appears your user (and probably many others) is missing a SID.
If this is the case you can try:

ipa config-mod --enable-sid --add-sids

HTH

Ciao,
gc




On 31/01/2024 16:18, Steve Berg via FreeIPA-users wrote:
For a few weeks now I've been seeing a problem getting authenticated to my ipa domain.  I can get command line and web UI stuff done by using the admin user but if I get a ticket using my account which is in the admins group I get the following on the web UI:

Your session has expired. Please log in again.

On the command line any ipa commands I've tried so far give me:

ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)

Getting a ticket as admin on command line lets me run ipa commands with no problem. I think I've got all pertinent certificates loaded up properly.  Gonna try a reboot on one of the servers shortly.  I have 4 servers on different vlans, replication between seems to be working properly.

I think the problem is most of the user IDs we use on this domain are not in the ID range configured.  We let the install choose a default range when we first set this up.  Most of our users have a UID based on their EDIPI # which is a 32-bit ID assigned when a user first gets a DoD CAC.  They're usually 10 digits long.

For instance the lowest EDIPI based UID we have currently is something like 1004201873 and the largest is 1658224121.  (I made those but they're close to the actual UIDs.)

ipa idrange-find shows me this, (did some masking of the info):

   Range name: domain_id_range
   First Posix ID of the range: 824xxx000
   Number of IDs in the range: 200000
   First RID of the corresponding RID range: 1000
   First RID of the secondary RID range: 100000000

   Range name: domain_subid_range
   First Posix ID of the range: 214xxx3648
   Number of IDs in the range: 214xxx2576
   First RID of the corresponding RID range: 214xxx3648
   Domain SID of the trusted domain: S-1-5-21-xxxxxx-83xx66-82xxx729
   Range type: Active Directory domain range

Should I adjust the range that's already there or add a third that encompasses the likely range of numbers I'm gonna see in the future? I started to add a range with appropriate values but when it wanted the primary and secondary RID base values I was not sure how to figure that out or estimate.

--
//-        Fixer of that which is broke        -//
//-        Home =sb...@mississippi.com         -//
//- Sinners can repent, but stupid is forever. -//


--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



--
Giulio Casella                                    giulio at di.unimi.it
System and network architect
Computer Science Dept. - University of Milano