Description of problem:
ipa user-add does not create ipantsecurityidentifier when --uid is used (creates ipantsecurityidentifier when `--uid` is NOT used)

Version-Release number of selected component (if applicable):
ipa-client-4.10.1-7.el9_2.x86_64
ipa-server-4.10.1-7.el9_2.x86_64

How reproducible:
always

Steps to Reproduce:
1. kinit admin
2. klist
3. ipa config-mod --enable-sid --add-sids # may not be required for fresh install (https://access.redhat.com/solutions/7015184)
4. ipa user-add toto --first=t --last=oto --uid=2000
5. ipa user-show toto --all|grep ipantsecurityidentifier

Actual results:
ipa user-show toto --all|grep ipantsecurityidentifier
finds nothing, whereas
ipa user-del toto && ipa user-add toto --first=t --last=oto && ipa user-show toto --all|grep ipantsecurityidentifier
is listing an ipantsecurityidentifier value

Expected results:
with/without --uid should work out of the box

Additional info:
without ipantsecurityidentifier value, the newly created user can not authenticate according to "root cause" of https://access.redhat.com/solutions/7015184
The sidgen plugin (the plugin that is generating the ipantsecurityidentifier) is triggered on user creation, even if --uid is provided. But it can generate a SID only if the uid is within an existing id range.

Can you check on your installation:
- which ID ranges are defined:
# kinit admin
# ipa idrange-find
- if there is an error in the directory server error logs (/var/log/dirsrv/slap-DOMAIN-NAME/errors) similar to the following when a new user is created with a provided uid:
[03/Jul/2023:06:19:27.761510134 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [2000] into an unused SID.
[03/Jul/2023:06:19:27.765214399 +0000] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
Hello Florence

That makes sense, RFE: some warning/errors should be shown when the ipantsecurityidentifier is not generated as expected.

Here is the info requested:
```
[truadm@wd22-2025 ~]$ ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: RHEL9.SIA_id_range
  First Posix ID of the range: 1759400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: RHEL9.SIA_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-1547823303
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
```
/var/log/dirsrv/slapd-RHEL9-SIA/errors:
```
[02/Jul/2023:13:33:08.170775670 +0200] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [2000] into an unused SID.
[02/Jul/2023:13:33:08.171286895 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
[02/Jul/2023:13:37:36.738145777 +0200] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [2000] into an unused SID.
[02/Jul/2023:13:37:36.738663137 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
```
The IPA SIDGEN plugin is defined as a postoperation plugin => when IPA gets the result of the add/modify operation, the plugin may not have been executed yet and IPA has no idea whether the sid generation succeeds or fails.

We have multiple options here:
- when a uid/gid is provided (user-add/user-mod/group-add/group-mod), check if the uid/gid is outside of the defined ranges. If outside, add a warning but create the user or group anyway
- when a uid/gid is provided (user-add/user-mod/group-add/group-mod), check if the uid/gid is outside of the defined ranges. If outside, refuse to create the user/group
- evaluate the cost of rewriting the plugin as a transaction post-op plugin.

To be discussed at team level.
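The range check proposed in the first two options above can be done from the client side today, before running `ipa user-add --uid`. The script below is an added example written for this thread; it is not FreeIPA code and not part of the bug report. It parses the text output of `ipa idrange-find` (the sample below is constructed to mirror the output format posted earlier in the thread), reports whether a requested POSIX ID falls inside any defined range (outside every range means sidgen has nothing to map it into, which is the failure seen here), and scans dirsrv error-log lines for the `Cannot convert Posix ID [...]` message. The RID derivation (`base_rid + offset inside the range`) is an assumption about how sidgen computes the SID suffix, not something the thread states.

```python
#!/usr/bin/env python3
"""Pre-check a requested uid/gid against IPA ID ranges before 'ipa user-add --uid'.

Added example, not FreeIPA code.  Usage on a real server:
    ipa idrange-find | python3 check_uid_range.py 2000
With no stdin it runs against the constructed sample below.
"""
import re
import sys

# Constructed sample mirroring the `ipa idrange-find` output format shown in the thread.
SAMPLE_IDRANGE_OUTPUT = """\
----------------
2 ranges matched
----------------
  Range name: RHEL9.SIA_id_range
  First Posix ID of the range: 1759400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: RHEL9.SIA_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-1547823303
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
"""

# Constructed sample of dirsrv error-log lines in the format quoted in the thread.
SAMPLE_DIRSRV_ERRORS = """\
[02/Jul/2023:13:33:08.170775670 +0200] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [2000] into an unused SID.
[02/Jul/2023:13:33:08.171286895 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
[02/Jul/2023:13:40:00.000000000 +0200] - INFO - slapd_daemon - slapd started.
"""

# Output field label -> (dict key, converter).  Fields not listed are ignored.
FIELDS = {
    "First Posix ID of the range": ("base_id", int),
    "Number of IDs in the range": ("size", int),
    "First RID of the corresponding RID range": ("base_rid", int),
    "Range type": ("type", str),
    "Domain SID of the trusted domain": ("domain_sid", str),
}


def parse_idranges(text):
    """Turn `ipa idrange-find` output into a list of dicts, one per range."""
    ranges = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # separator lines, "N ranges matched", blank lines
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Range name":
            current = {"name": value}
            ranges.append(current)
        elif current is not None and key in FIELDS:
            attr, conv = FIELDS[key]
            current[attr] = conv(value)
    return ranges


def find_range(ranges, posix_id):
    """Return the range whose [base_id, base_id + size) interval contains posix_id, else None."""
    for rng in ranges:
        if rng["base_id"] <= posix_id < rng["base_id"] + rng["size"]:
            return rng
    return None


def expected_rid(rng, posix_id):
    """RID for posix_id inside rng (assumption: base RID plus the offset into the range)."""
    return rng["base_rid"] + (posix_id - rng["base_id"])


def check_posix_id(ranges, posix_id):
    """Return (ok, message); ok is False when no range covers the ID, so no SID can be generated."""
    rng = find_range(ranges, posix_id)
    if rng is None:
        return False, f"POSIX ID {posix_id} is outside every defined ID range; sidgen cannot assign a SID"
    return True, (f"POSIX ID {posix_id} falls in '{rng['name']}' ({rng['type']}), "
                  f"expected RID {expected_rid(rng, posix_id)}")


# Message emitted by ipa_sidgen_common.c when the ID matches no range (quoted in the thread).
SIDGEN_ERR = re.compile(r"Cannot convert Posix ID \[(\d+)\] into an unused SID")


def sidgen_failures(log_text):
    """POSIX IDs for which the dirsrv errors log records a failed SID generation."""
    return [int(m.group(1)) for m in SIDGEN_ERR.finditer(log_text)]


if __name__ == "__main__":
    wanted = int(sys.argv[1]) if len(sys.argv) > 1 else 2000
    text = SAMPLE_IDRANGE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    ok, msg = check_posix_id(parse_idranges(text), wanted)
    print(("OK: " if ok else "WARNING: ") + msg)
    for failed in sidgen_failures(SAMPLE_DIRSRV_ERRORS):
        print(f"dirsrv errors log already reports a SID failure for POSIX ID {failed}")
    sys.exit(0 if ok else 1)
```

Run against the sample, uid 2000 is flagged as outside both ranges (the local range starts at 1759400000), which is exactly the case where the entry is created without an ipantsecurityidentifier. A non-zero exit lets a provisioning script refuse the `--uid` instead of creating a user that cannot authenticate.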
I have installed a fresh Fedora 38 and this is also the case:
```
[truadm@ipa ~]$ rpm -q freeipa-server freeipa-client
freeipa-server-4.10.1-4.fc38.x86_64
freeipa-client-4.10.1-4.fc38.x86_64
[truadm@lts2004-nuc ~]$ klist
Ticket cache: KCM:1000
Default principal: admin

Valid starting       Expires              Service principal
07/04/2023 09:02:00  07/05/2023 08:20:50  krbtgt/HOME.LAN
[truadm@nuc ~]$ ipa user-add toto --first=t --last=oto
-----------------
Added user "toto"
-----------------
  User login: toto
  First name: t
  Last name: oto
  Full name: t oto
  Display name: t oto
  Initials: to
  Home directory: /home/toto
  GECOS: t oto
  Login shell: /bin/sh
  Principal name: toto
  Principal alias: toto
  Email address: toto
  UID: 1779600003
  GID: 1779600003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[truadm@nuc ~]$ ipa user-find toto --all
--------------
1 user matched
--------------
  dn: uid=toto,cn=users,cn=accounts,dc=home,dc=lan
  User login: toto
  First name: t
  Last name: oto
  Full name: t oto
  Display name: t oto
  Initials: to
  Home directory: /home/toto
  GECOS: t oto
  Login shell: /bin/sh
  Principal name: toto
  Principal alias: toto
  Email address: toto
  UID: 1779600003
  GID: 1779600003
  Account disabled: False
  Preserved user: False
  Member of groups: ipausers
  ipantsecurityidentifier: S-1-5-21-1964266303-1880706590-3447306255-1003
  ipauniqueid: b95e6950-1a38-11ee-8b4f-c03fd56b882d
  mepmanagedentry: cn=toto,cn=groups,cn=accounts,dc=home,dc=lan
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
----------------------------
Number of entries returned 1
----------------------------
[truadm@nuc ~]$ ipa user-del toto
-------------------
Deleted user "toto"
-------------------
[truadm@nuc ~]$ ipa user-add toto --first=t --last=oto --uid=2000
-----------------
Added user "toto"
-----------------
  User login: toto
  First name: t
  Last name: oto
  Full name: t oto
  Display name: t oto
  Initials: to
  Home directory: /home/toto
  GECOS: t oto
  Login shell: /bin/sh
  Principal name: toto
  Principal alias: toto
  Email address: toto
  UID: 2000
  GID: 2000
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[truadm@nuc ~]$ ipa user-find toto --all
--------------
1 user matched
--------------
  dn: uid=toto,cn=users,cn=accounts,dc=home,dc=lan
  User login: toto
  First name: t
  Last name: oto
  Full name: t oto
  Display name: t oto
  Initials: to
  Home directory: /home/toto
  GECOS: t oto
  Login shell: /bin/sh
  Principal name: toto
  Principal alias: toto
  Email address: toto
  UID: 2000
  GID: 2000
  Account disabled: False
  Preserved user: False
  Member of groups: ipausers
  ipauniqueid: ce0ae8a6-1a38-11ee-ba39-c03fd56b882d
  mepmanagedentry: cn=toto,cn=groups,cn=accounts,dc=home,dc=lan
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------
```

can this be RFE upstream too?

Thanks
Tru
(In reply to tru from comment #5)
> can this be RFE upstream too?

ipa development is done upstream first. When the team decides on a proper way to fix the issue, the patch will be submitted with an upstream PR to https://github.com/freeipa/freeipa/ and the code merged to https://pagure.io/freeipa.