Nerdier

Adjective: Comparative form of nerdy: more nerdy.

freeipa: ipaNTSecurityIdentifier and ipaNTHash missing.

I had an issue where I could not get ipaNTHash to generate for existing users after a password change, but it was applied to new users fine. Fix:

Run ipa-adtrust-install and type yes for all.

After it’s installed, check the log for errors.

[user@ipa]# grep sidgen /var/log/dirsrv/slapd-REALM/errors
[05/Mar/2018:16:38:21.413263300 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[05/Mar/2018:16:38:24.144362736 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1482300500] into an unused SID.
[05/Mar/2018:16:38:24.144764450 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.

If these errors appear, you need to add an ID range under IPA Server – ID Ranges (in the web UI) that covers all the missing Posix IDs. You can check which IDs you currently have with an ldapsearch on users:

ldapsearch -h ipa.example.com -x -D 'cn=Directory Manager' -b "cn=accounts,dc=example,dc=com" -W '(uid=*)' | grep -E "(uid|gid)Number" | awk '{print $2}' | sort -n | uniq

Once you have added the missing ranges, run ipa-adtrust-install again; it should take a while to generate all the SIDs. If it does not, check the log for new range issues (I had a couple). An ldapsearch on a user should then show the ipaNTSecurityIdentifier attribute. To generate ipaNTHash for an existing user, they will need to change their password to force the generation.
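To work out which range to add before re-running ipa-adtrust-install, it helps to compare the IDs in use against the ranges already configured and to check that a proposed range does not overlap an existing one (IPA rejects overlapping ranges, which is one way the "new range issues" above show up). The script below is an added example, not part of the original post or of FreeIPA itself. It assumes you have transcribed the output of `ipa idrange-find` into "base size" pairs (the first Posix ID and the number of IDs in each range) and the ldapsearch output above into a list of ID numbers; both are constructed sample data here so it runs offline.

```bash
#!/usr/bin/env bash
# Added example: find POSIX IDs that no IPA ID range covers (these are the IDs
# sidgen complains about) and sanity-check a proposed new range for overlap.
# All sample data below is constructed; in a live deployment the IDs come from
# the ldapsearch pipeline and the ranges from `ipa idrange-find`.

# Constructed sidgen error lines, in the same format as the dirsrv errors log.
SAMPLE_ERRORS='[05/Mar/2018:16:38:24.144362736 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1482300500] into an unused SID.
[05/Mar/2018:16:38:24.144764450 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[05/Mar/2018:16:38:25.000000000 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1482300501] into an unused SID.'

# Constructed ID ranges as "base size" pairs (assumption: a range covers
# base .. base+size-1, matching ipaBaseID / ipaIDRangeSize).
SAMPLE_RANGES='1482300000 200
1900000000 200000'

# Constructed uidNumber/gidNumber values, as the ldapsearch pipeline would print them.
SAMPLE_IDS='1482300005
1482300500
1482300501
1900000001
2000000000'

# failing_ids_from_log: read error log lines on stdin, print the POSIX IDs that
# sidgen could not convert, one per line.
failing_ids_from_log() {
    sed -n 's/.*Cannot convert Posix ID \[\([0-9]*\)\].*/\1/p'
}

# uncovered_ids RANGES IDS: print the IDs not covered by any range, sorted.
# The two inputs are fed to awk as one stream separated by a "---" marker so
# the function stays POSIX sh compatible (no process substitution).
uncovered_ids() {
    {
        printf '%s\n' "$1"
        printf '%s\n' '---'
        printf '%s\n' "$2"
    } | awk '
        NF == 0 { next }
        $1 == "---" { mode = 1; next }
        mode == 0 { n++; base[n] = $1 + 0; size[n] = $2 + 0; next }
        {
            id = $1 + 0; covered = 0
            for (i = 1; i <= n; i++)
                if (id >= base[i] && id < base[i] + size[i]) { covered = 1; break }
            if (!covered) print $1
        }
    ' | sort -n | uniq
}

# range_overlaps RANGES BASE SIZE: exit 0 if the proposed range [BASE, BASE+SIZE)
# overlaps any existing range, exit 1 if it is free to add.
range_overlaps() {
    printf '%s\n' "$1" | awk -v b="$2" -v s="$3" '
        NF == 0 { next }
        { lo = $1 + 0; hi = lo + $2; pb = b + 0; pe = pb + s }
        pb < hi && lo < pe { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Usage: list the IDs sidgen is failing on, then everything outside the ranges.
printf 'IDs named in the errors log:\n'
printf '%s\n' "$SAMPLE_ERRORS" | failing_ids_from_log
printf 'IDs not covered by any configured range:\n'
uncovered_ids "$SAMPLE_RANGES" "$SAMPLE_IDS"
if range_overlaps "$SAMPLE_RANGES" 1482300500 100; then
    printf 'proposed range 1482300500/100 overlaps an existing range\n'
else
    printf 'proposed range 1482300500/100 is free to add\n'
fi
```

Every ID that `uncovered_ids` prints needs a range before ipa-adtrust-install will assign it a SID; check each candidate range with `range_overlaps` before adding it in the web UI, since an overlapping range is rejected and the sidgen task will fail again for the same entries.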
