Hey Jeff, that is also happening here, however only with users created after 
the ipa-adtrust-install. For example, the admin user fails to ever be 
authenticated despite numerous password resets, yet if I were to create a new 
account and reset it’s password it works fine.

 

 

From: Jeff Goddard <jgodd...@emerlyn.com>
Date: Wednesday, February 8, 2017 at 11:21 AM
To: Alexander Bokovoy <aboko...@redhat.com>
Cc: Armaan Esfahani <armaan.esfah...@advancedopen.com>, 
<freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Where is SID stored after ipa-adtrust-install?

 

I had this same issue and the value was only added after a password change.

Jeff

 

 

On Wed, Feb 8, 2017 at 11:10 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:

On ke, 08 helmi 2017, Armaan Esfahani wrote:

I’ve been having issues with some of my IPA seemingly not getting SID’s
after the install, even after running with the –add-sids modifier. I
was wondering where the SID values are located so that I can take a
look at what’s happening/

In the user object itself, ipaNTSecurityIdentifier attribute.

If you have SIDs not generated, there are two potential issues that
cause it:
- sidgen plugin configuration looking at wrong basedn
- ID ranges you have do not allow to map UID/GID to SID

If you ran ipa-adtrust-install --add-sids and it generated nothing, look
at /var/log/dirsrv/slapd-INSTANCE/errors log file. There should be at
least two lines:

[01/Feb/2017:14:28:24.189906631 +0100] sidgen_task_thread - [file 
ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[01/Feb/2017:14:28:24.192039515 +0100] sidgen_task_thread - [file 
ipa_sidgen_task.c, line 199]: Sidgen task finished [0].

If there are any errors causing issues with SID generation, they will be
in between these two lines.


-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to