Discussion:
[Freeipa-users] Where is SID stored after ipa-adtrust-install?
Armaan Esfahani
2017-02-08 15:47:48 UTC
I've been having issues with some of my IPA seemingly not getting SIDs after the install, even after running with the --add-sids modifier. I was wondering where the SID values are located so that I can take a look at what's happening?
--
Armaan Esfahani
Advanced Open Systems
m:(470) 377-2115
a:2440 Sandy Plains Rd. Marietta GA, 30062
Bldg 4 Ste D
e:***@advancedopen.com
Alexander Bokovoy
2017-02-08 16:10:54 UTC
I've been having issues with some of my IPA seemingly not getting SIDs
after the install, even after running with the --add-sids modifier. I
was wondering where the SID values are located so that I can take a
look at what's happening?
In the user object itself, ipaNTSecurityIdentifier attribute.

If you have SIDs not generated, there are two potential issues that
cause it:
- sidgen plugin configuration looking at the wrong basedn
- the ID ranges you have do not allow mapping UID/GID to SID

If you ran ipa-adtrust-install --add-sids and it generated nothing, look
at the /var/log/dirsrv/slapd-INSTANCE/errors log file. There should be at
least two lines:

[01/Feb/2017:14:28:24.189906631 +0100] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[01/Feb/2017:14:28:24.192039515 +0100] sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [0].

If there are any errors causing issues with SID generation, they will be
in between these two lines.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Armaan Esfahani
2017-02-08 16:19:37 UTC
I have found the following.

[08/Feb/2017:11:14:38 -0500] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[08/Feb/2017:11:14:38 -0500] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [755400050] into an unused SID.
[08/Feb/2017:11:14:38 -0500] do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[08/Feb/2017:11:14:38 -0500] sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

I assume this is the second possibility you brought up: the ID ranges I have set up do not allow mapping of UID/GID to SID.
Alexander Bokovoy
2017-02-08 17:20:19 UTC
Post by Armaan Esfahani
I have found the following.
[08/Feb/2017:11:14:38 -0500] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[08/Feb/2017:11:14:38 -0500] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [755400050] into an unused SID.
[08/Feb/2017:11:14:38 -0500] do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[08/Feb/2017:11:14:38 -0500] sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
I assume this is the second possibility you brought up: the ID ranges I
have set up do not allow mapping of UID/GID to SID.
Yes. Check existing ID ranges to see if you have one that covers POSIX ID
755400050. If there is none, you need to create another ID range that
covers those users.

This typically comes from cases where POSIX IDs were assigned manually
or came from an already existing source via migration. At this point FreeIPA
would not have an ID range that covers these pre-allocated IDs.

So you need to define several variables here:

- base ID of the range
- range size -- enough to cover those existing users and groups that
are outside of IPA ID range
- RID bases -- since we are building SIDs for the same domain, the RID
base and secondary RID base should not be overlapping with existing
IPA ID range

For example, if you have 100 users starting around 755400000 and your
default IPA ID range has 200000 entries (default range size), then
mapping RID base above that one would be enough.

ipa idrange-add MY.DOM.AIN-extra_id_range --base-id=755400000 --range-size=100 \
--rid-base=500000 --secondary-rid-base=500100 \
--type=ipa-local

Adding this range would be enough -- there will not be any allocation of
POSIX IDs in the range but sidgen plugin will be able to use the range
to drive SID allocation.
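As an added illustration (not FreeIPA's code and not part of this thread), a small Python model of the check the sidgen plugin performs: whether a POSIX ID falls inside a configured ipa-local range, which RID it maps to (rid_base + (id - base_id)), whether the RID blocks of two ranges overlap, and which IDs reported in the slapd errors log no range covers. The domain SID and the default-style range values are constructed; the secondary-RID flag is my reading of the plugin's behaviour, not something the thread states.

```python
import re
from dataclasses import dataclass

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder domain SID

@dataclass(frozen=True)
class IdRange:
    """One ipa-local ID range, with the fields 'ipa idrange-find' reports."""
    name: str
    base_id: int
    range_size: int
    rid_base: int
    secondary_rid_base: int

    def covers(self, posix_id):
        return self.base_id <= posix_id < self.base_id + self.range_size

    def rid_blocks(self):
        """Each range owns two RID blocks of range_size: primary and secondary."""
        return [(self.rid_base, self.rid_base + self.range_size),
                (self.secondary_rid_base, self.secondary_rid_base + self.range_size)]

def sid_for_posix_id(posix_id, ranges, secondary=False):
    """RID = rid_base + (posix_id - base_id) of the covering range; None when no range covers it.
    secondary=True models the secondary RID base (assumption: used when the primary RID is taken)."""
    for r in ranges:
        if r.covers(posix_id):
            base = r.secondary_rid_base if secondary else r.rid_base
            return f"{DOMAIN_SID}-{base + posix_id - r.base_id}"
    return None

def rid_conflicts(ranges):
    """Pairs of range names whose RID blocks overlap; should be empty before adding a range."""
    blocks = [(r.name, lo, hi) for r in ranges for lo, hi in r.rid_blocks()]
    return sorted({(a, b) for i, (a, lo1, hi1) in enumerate(blocks)
                   for b, lo2, hi2 in blocks[i + 1:] if lo1 < hi2 and lo2 < hi1})

SIDGEN_ERR = re.compile(r"Cannot convert Posix ID \[(\d+)\] into an unused SID")

def uncovered_ids_from_log(log_text, ranges):
    """POSIX IDs the sidgen task rejected for which no configured range exists."""
    ids = {int(m) for m in SIDGEN_ERR.findall(log_text)}
    return sorted(i for i in ids if sid_for_posix_id(i, ranges) is None)

# Constructed data: a default-style range (size 200000, RID bases 1000 and 100000000),
# the extra range from the thread, and the sidgen error line quoted above.
DEFAULT = IdRange("MY.DOM.AIN_id_range", 1234000000, 200000, 1000, 100000000)
EXTRA = IdRange("MY.DOM.AIN-extra_id_range", 755400000, 100, 500000, 500100)
LOG = "[08/Feb/2017:11:14:38 -0500] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [755400050] into an unused SID.\n"
```

Running `uncovered_ids_from_log(LOG, [DEFAULT])` reproduces the thread's failure (755400050 is not covered); adding EXTRA maps it to RID 500050 without any RID overlap with the default range.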
Armaan Esfahani
2017-02-08 17:48:15 UTC
It worked! Thanks so much for your help.
Jeff Goddard
2017-02-08 16:21:31 UTC
I had this same issue and the value was only added after a password change.

Jeff
Armaan Esfahani
2017-02-08 16:55:43 UTC
Hey Jeff, that is also happening here, however only with users created after the ipa-adtrust-install. For example, the admin user fails to ever be authenticated despite numerous password resets, yet if I were to create a new account and reset its password it works fine.