Migrated IdM users unable to log in due to mismatching domain SIDs
Issue
After migrating users from one IdM deployment to another with the ipa migrate-ds script, those users might have problems using IdM services because their previously existing Security Identifiers (SIDs) still carry the domain SID of the original deployment rather than the domain SID of the current IdM environment.
See the following errors in /var/log/krb5kdc.log:
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](Error): PAC issue: PAC record claims
domain SID different to local domain SID or any trusted domain SID: local
[S-1-5-21-997841278-3584560916-1456654135], PAC
[S-1-5-21-2108153867-2082035330-3701898995]
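The comparison the KDC is making in that error, as an added Python example that is not part of the article: it pulls the local and PAC domain SIDs out of a krb5kdc.log line like the one above and checks whether a user's SID (the ipaNTSecurityIdentifier value) shares the domain part of the local domain SID. The log text is constructed for the example; the SIDs are the ones shown in the error.

```python
import re

# Constructed sample of krb5kdc.log content; the first line is the error above
# unwrapped onto one line, the second is an unrelated filler entry.
SAMPLE_LOG = """\
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-997841278-3584560916-1456654135], PAC [S-1-5-21-2108153867-2082035330-3701898995]
Jan 13 09:15:40 ipa.example.com krb5kdc[579226](info): closing down fd 12
"""

# Matches the PAC domain-SID mismatch message and captures both domain SIDs.
PAC_ISSUE_RE = re.compile(
    r"PAC issue: PAC record claims domain SID different to local domain SID"
    r".*?local \[(?P<local>S-1-5-21-\d+-\d+-\d+)\], PAC \[(?P<pac>S-1-5-21-\d+-\d+-\d+)\]"
)


def domain_sid(sid: str) -> str:
    """Return the domain part of a SID (S-1-5-21-<a>-<b>-<c>), dropping a trailing RID."""
    parts = sid.split("-")
    if len(parts) < 7 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain-style SID: {sid}")
    return "-".join(parts[:7])


def sid_belongs_to_domain(user_sid: str, local_domain_sid: str) -> bool:
    """True when the user's SID was issued by the given local domain."""
    return domain_sid(user_sid) == domain_sid(local_domain_sid)


def find_pac_sid_mismatches(log_text: str) -> list[dict]:
    """Scan krb5kdc.log text and return each local/PAC domain-SID pair reported as mismatched."""
    hits = []
    for line in log_text.splitlines():
        m = PAC_ISSUE_RE.search(line)
        if m:
            hits.append({"local": m["local"], "pac": m["pac"], "line": line})
    return hits


if __name__ == "__main__":
    for hit in find_pac_sid_mismatches(SAMPLE_LOG):
        print(f"local domain {hit['local']} != PAC domain {hit['pac']}")
```

A migrated user whose SID keeps the old domain part (here S-1-5-21-2108153867-2082035330-3701898995) fails the check against the new local domain SID, which is exactly what the KDC logs.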
Environment
- IPA/IdM
- You have used the ipa migrate-ds script to migrate users from one IdM deployment to another