[Freeipa-users] FreeIPA and Samba4

[Alexander Bokovoy]

Please answer to the list.

On Fri, 30 Oct 2015, Troels Hansen wrote:
>> Not sure what you expect.
>>
>> Modifying attributes for existing users takes time so we don't do it
>> automatically. When you run ipa-adtrust-install, it does ask you to run
>> a task that does the work of generating SIDs and adding needed
>> attributes/object classes.
>>
>> However, ipaNTHash will not be there until either of two events happens:
>> - user changes password;
>> - user authenticates with Kerberos against Samba running on IPA master.
>
>No, I'm aware that the NTHash won't be there untill the user changes password.
>I would however suppose that objectClass ipaNTUserAttrs being added and a ipaNTSecurityIdentifier being added to all of my users.
>Its added to most objects, but I still need 85 users/objects where its not added, out of a total of ~500 (told by adtrust install script yesterday).
>Its been 14 hours since I ran it, but still need the remaining, and I have no idear why its not added.
You can check the task status.

See https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/ how you can organize a task yourself or check the output from existing task.

The task that is run by the installer has DN cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config
You can use /usr/share/ipa/ipa-sidgen-task-run.ldif as a basis to add a
task file.
-- 
/ Alexander Bokovoy