Migrated IdM users unable to log in due to mismatching domain SIDs

Solution Verified - Updated -


After migrating users from one IdM deployment to another with the ipa migrate-ds script, those users might have problems using IdM services because their previously existing Security Identifiers (SIDs) do not have the domain SID of the current IdM environment.

See the following errors in /var/log/krb5kdc.log:

Jan 13 09:15:38 ipa.example.com krb5kdc[579226](Error): PAC issue: PAC record claims
domain SID different to local domain SID or any trusted domain SID: local
[S-1-5-21-997841278-3584560916-1456654135], PAC


  • IPA/IdM
  • You have used the ipa migrate-ds script to migrate users from one IdM deployment to another

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content