5 03 2018
freeipa: ipaNTSecurityIdentifier and ipaNTHash missing.
I ran into a case where ipaNTHash was never generated for existing users, even after they changed their password, while new users got it straight away. The fix:
Run ipa-adtrust-install and answer yes to every prompt.
After it finishes, check the directory server log for sidgen errors:

[user@ipa]# grep sidgen /var/log/dirsrv/slapd-REALM/errors
[05/Mar/2018:16:38:21.413263300 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[05/Mar/2018:16:38:24.144362736 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1482300500] into an unused SID.
[05/Mar/2018:16:38:24.144764450 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
If you see this, the Posix ID named in the message lies outside every configured ID range, and sidgen will not assign a SID to an entry it cannot map to a range. Add an ID range under IPA Server – ID Ranges (in the web UI; ipa idrange-add does the same from the CLI) that covers all the missing Posix IDs. You can list the IDs currently in use with an ldapsearch over the users:
ldapsearch -h ipa.example.com -x -D 'cn=Directory Manager' -W -b "cn=accounts,dc=example,dc=com" '(uid=*)' uidNumber gidNumber | grep -E '^(uid|gid)Number:' | awk '{print $2}' | sort -nu

Run this on the IPA server itself or add -ZZ (StartTLS): with -x the Directory Manager password is sent in the simple bind.
Once the missing ranges are in place, run ipa-adtrust-install again; generating SIDs for every entry takes a while. If some entries still get no SID, check the log again for further range errors (I had a couple) and add more ranges. When it is done, an ldapsearch on a user shows ipaNTSecurityIdentifier. ipaNTHash is different: it is derived from the plaintext password when the password is set, so an existing user only gets one the next time they change their password. Bear in mind that ipaNTHash is the NT (MD4) hash of the password, the same value a Windows DC stores, so keep read access to it as tightly controlled as the password itself.
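The range check above can be done offline before re-running ipa-adtrust-install. The script below is an added example, not code from the original post: it parses the ranges and the user IDs, lists every ID that no range covers (the ones sidgen will complain about) and suggests covering ranges. It assumes the attribute names ipabaseid and ipaidrangesize as printed by "ipa idrange-find --raw --all" with blank-line separated entries, and the uidNumber/gidNumber attribute names in ldapsearch LDIF output; the clustering gap (100000) and alignment (1000) are my own defaults, and all sample data is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Finds the POSIX IDs
# (uidNumber/gidNumber) that lie outside every configured IPA ID range, i.e.
# the IDs the sidgen task cannot convert into a SID, and suggests ranges that
# would cover them. The sample data at the bottom is constructed.

# Reduce `ipa idrange-find --raw --all` output to "base size" lines, one per
# range. Entries are assumed blank-line separated; attribute order is irrelevant.
ranges_from_idrange_find() {
    awk '
        /^ *ipabaseid:/      { base = $2 }
        /^ *ipaidrangesize:/ { size = $2 }
        /^ *$/               { if (base != "" && size != "") print base, size; base = size = "" }
        END                  { if (base != "" && size != "") print base, size }
    '
}

# Reduce ldapsearch LDIF output to the distinct numeric IDs it contains.
ids_from_ldif() {
    awk '/^(uidNumber|gidNumber): [0-9]+$/ { print $2 }' | sort -nu
}

# uncovered_ids RANGES IDS: print the IDs (one per line) that lie inside none
# of the "base size" ranges. These are the entries sidgen will refuse.
uncovered_ids() {
    printf '%s\n' "$1" | awk -v ids="$2" '
        NF == 2 { lo[NR] = $1 + 0; hi[NR] = $1 + $2 - 1 }
        END {
            n = split(ids, id, "\n")
            for (i = 1; i <= n; i++) {
                if (id[i] == "") continue
                v = id[i] + 0; hit = 0
                for (r in lo) if (v >= lo[r] && v <= hi[r]) hit = 1
                if (!hit) print v
            }
        }' | sort -nu
}

# suggest_ranges IDS [GAP] [ALIGN]: group stray IDs into clusters (a new
# cluster starts when two consecutive IDs are more than GAP apart) and print
# one "base size" line per cluster, rounded outward to ALIGN for headroom.
# IPA rejects ranges that overlap an existing one, so shrink a suggestion if
# the rounding runs into a neighbouring range.
suggest_ranges() {
    printf '%s\n' "$1" | sort -nu | awk -v gap="${2:-100000}" -v align="${3:-1000}" '
        function emit(f, l,   b, e) {
            b = int(f / align) * align
            e = int(l / align) * align + align - 1
            print b, e - b + 1
        }
        NF == 0 { next }
        { v = $1 + 0 }
        !have { first = v; last = v; have = 1; next }
        v - last > gap { emit(first, last); first = v }
        { last = v }
        END { if (have) emit(first, last) }'
}

# Constructed sample data: two local ranges, 1000..1999 and
# 1482200000..1482299999. The ID from the log above, 1482300500, and the
# legacy user's gidNumber fall outside both.
SAMPLE_RANGES_RAW='  cn: EXAMPLE.COM_id_range
  ipabaseid: 1482200000
  ipaidrangesize: 100000
  iparangetype: ipa-local

  cn: EXAMPLE.COM_legacy_range
  ipaidrangesize: 1000
  ipabaseid: 1000
  iparangetype: ipa-local'

SAMPLE_LDIF='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
uidNumber: 1482200001
gidNumber: 1482200001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
uidNumber: 1482300500
gidNumber: 1482300500

dn: uid=legacy,cn=users,cn=accounts,dc=example,dc=com
uid: legacy
uidNumber: 1500
gidNumber: 2500'

demo() {
    # Live use: feed `ipa idrange-find --raw --all` into ranges_from_idrange_find
    # and the ldapsearch from the post (with uidNumber gidNumber) into ids_from_ldif.
    ranges=$(printf '%s\n' "$SAMPLE_RANGES_RAW" | ranges_from_idrange_find)
    ids=$(printf '%s\n' "$SAMPLE_LDIF" | ids_from_ldif)
    missing=$(uncovered_ids "$ranges" "$ids")
    echo "IDs outside every range:"; echo "$missing"
    echo "Suggested --base-id / --range-size values for ipa idrange-add:"
    suggest_ranges "$missing"
}
demo
```

The suggested values go into "ipa idrange-add NAME --base-id=BASE --range-size=SIZE". Once ipa-adtrust-install has run, a local range also needs --rid-base and --secondary-rid-base; pick RID bases that do not collide with the existing ranges' RIDs, then re-run ipa-adtrust-install as described above.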