Migrated IdM users unable to log in due to mismatching domain SIDs

Solution Verified - Updated

Environment

  • IPA/IdM
  • You have used the ipa migrate-ds script to migrate users from one IdM deployment to another

Issue

After migrating users from one IdM deployment to another with the ipa migrate-ds script, those users might have problems using IdM services because their previously existing Security Identifiers (SIDs) do not have the domain SID of the current IdM environment.

See the following errors in /var/log/krb5kdc.log:

Jan 13 09:15:38 ipa.example.com krb5kdc[579226](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-997841278-3584560916-1456654135], PAC [S-1-5-21-2108153867-2082035330-3701898995]

Resolution

There are two options:

  1. You can recreate the users manually.
  2. You can remove outdated SID information from those users.

To remove outdated SID information from previously existing IdM users:

  1. Use ldapmodify to remove the outdated ipaNTSecurityIdentifier value from the user's LDAP entry (the right one is issued in step 3). Remove both of the following attributes in the same operation, because the ipaNTUserAttrs object class has ipaNTSecurityIdentifier as a MUST attribute:

     objectclass: ipaNTUserAttrs
     ipaNTSecurityIdentifier: <value>

  2. If you have groups with SIDs from wrong domains, do the same for them with these attributes:

     objectclass: ipaNTGroupAttrs
     ipaNTSecurityIdentifier: <value>

  3. After removing the values from all 'offending' entries, run:

     kinit admin
     ipa config-mod --add-sids --enable-sid

This will force a re-issue of SIDs to accounts where they are missing. This process may take a long time. After this process completes, the IdM server will be restarted.
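The scan-and-strip step above, as an added shell example that is not part of this solution: it lists users and groups whose SID domain differs from the local domain SID and writes the ldapmodify LDIF that removes the stale object class and attribute in one operation. It assumes the OpenLDAP client tools, a Kerberos ticket from kinit admin with rights to modify these attributes, and a base DN of dc=example,dc=com (all assumptions); the SIDs are the ones from the log above.

```shell
#!/bin/sh
# Added example (not from the Red Hat solution): list IdM users and groups whose SID
# was issued by a foreign domain and emit the ldapmodify LDIF that strips the stale
# SID data. Assumes OpenLDAP tools, a kinit admin ticket, base DN dc=example,dc=com.

# Domain part of a SID: strip the trailing RID component.
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# True (exit 0) when SID $1 was issued by a domain other than $2.
sid_is_foreign() {
    [ "$(sid_domain "$1")" != "$2" ]
}

# LDIF removing the SID and its object class from one entry in a single modify
# operation: the object class has the SID as MUST, so deleting one alone fails.
stale_sid_ldif() {   # $1 = DN, $2 = ipaNTUserAttrs | ipaNTGroupAttrs, $3 = stale SID
    printf 'dn: %s\nchangetype: modify\ndelete: objectclass\nobjectclass: %s\n-\n' "$1" "$2"
    printf 'delete: ipaNTSecurityIdentifier\nipaNTSecurityIdentifier: %s\n-\n\n' "$3"
}

# Read unwrapped LDIF (dn and ipaNTSecurityIdentifier lines) from stdin and emit the
# deletion LDIF for every entry whose SID domain is not $1.
filter_stale() {     # $1 = local domain SID, $2 = object class to strip
    dn=''
    while IFS= read -r line; do
        case $line in
            "dn: "*) dn=${line#dn: } ;;
            "ipaNTSecurityIdentifier: "*)
                sid=${line#ipaNTSecurityIdentifier: }
                if sid_is_foreign "$sid" "$1"; then
                    stale_sid_ldif "$dn" "$2" "$sid"
                fi ;;
        esac
    done
}

# Scan both containers. Review the output, then apply it with
# ldapmodify -Y GSSAPI -f stale-sids.ldif before running ipa config-mod --add-sids.
find_stale_sids() {  # $1 = local domain SID, $2 = base DN
    for spec in "cn=users,cn=accounts,$2 ipaNTUserAttrs" "cn=groups,cn=accounts,$2 ipaNTGroupAttrs"; do
        ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI -b "${spec% *}" \
            '(ipaNTSecurityIdentifier=*)' dn ipaNTSecurityIdentifier |
            filter_stale "$1" "${spec##* }"
    done
}

if [ "${1:-}" = "--scan" ]; then   # usage: sh find-stale-sids.sh --scan <local domain SID> <base DN>
    find_stale_sids "$2" "$3" > stale-sids.ldif
fi
```

Review stale-sids.ldif before applying it; if an entry also carries other ipaNTUserAttrs attributes (such as ipaNTHash, if present), they have to be deleted in the same operation or the schema check rejects the change.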

Root Cause

IdM enforces the rule that all accounts in the same domain must have a SID from that domain. The ipa migrate-ds migration script does not filter out previously existing SID information from users, and the new IdM environment has a different domain SID from the one embedded in the migrated users' SIDs.

Diagnostic Steps

See the following errors in /var/log/krb5kdc.log:

Jan 13 09:15:38 ipa.example.com krb5kdc[579226](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-997841278-3584560916-1456654135], PAC [S-1-5-21-2108153867-2082035330-3701898995]
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): TGS_REQ : handle_authdata (-1765328364)
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) yy.yy.yy.yy: HANDLE_AUTHDATA: authtime 1642094138, etypes {rep=UNSUPPORTED:(0)} testuser@EXAMPLE.COM for HTTP/ipa.example.com@EXAMPLE.COM, TGT has been revoked

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.