Hey Jeff, that is also happening here, however only with users created after the ipa-adtrust-install. For example, the admin user fails to ever be authenticated despite numerous password resets, yet if I were to create a new account and reset it’s password it works fine.
From: Jeff Goddard <jgodd...@emerlyn.com> Date: Wednesday, February 8, 2017 at 11:21 AM To: Alexander Bokovoy <aboko...@redhat.com> Cc: Armaan Esfahani <armaan.esfah...@advancedopen.com>, <email@example.com> Subject: Re: [Freeipa-users] Where is SID stored after ipa-adtrust-install? I had this same issue and the value was only added after a password change. Jeff On Wed, Feb 8, 2017 at 11:10 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: On ke, 08 helmi 2017, Armaan Esfahani wrote: I’ve been having issues with some of my IPA seemingly not getting SID’s after the install, even after running with the –add-sids modifier. I was wondering where the SID values are located so that I can take a look at what’s happening/ In the user object itself, ipaNTSecurityIdentifier attribute. If you have SIDs not generated, there are two potential issues that cause it: - sidgen plugin configuration looking at wrong basedn - ID ranges you have do not allow to map UID/GID to SID If you ran ipa-adtrust-install --add-sids and it generated nothing, look at /var/log/dirsrv/slapd-INSTANCE/errors log file. There should be at least two lines: [01/Feb/2017:14:28:24.189906631 +0100] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ... [01/Feb/2017:14:28:24.192039515 +0100] sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished . If there are any errors causing issues with SID generation, they will be in between these two lines. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project