After migrating users from one IdM deployment to another with the ipa migrate-ds script, those users might have problems using IdM services because their previously existing Security Identifiers (SIDs) do not have the domain SID of the current IdM environment.
The following error appears in /var/log/krb5kdc.log:
Jan 13 09:15:38 ipa.example.com krb5kdc(Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-997841278-3584560916-1456654135], PAC [S-1-5-21-2108153867-2082035330-3701898995]
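To see how often this error occurs and which foreign domain SID the rejected PACs carry, the log can be summarised by SID pair. This is an added example, not part of the original article or of IdM tooling; the function name and every sample line except the error quoted above are constructed.

```python
import re
import sys
from collections import Counter

# Matches the krb5kdc PAC check message quoted in this article. The two
# bracketed values are the local domain SID and the domain SID in the PAC.
PAC_MISMATCH = re.compile(
    r"PAC issue: PAC record claims domain SID different to local domain SID "
    r"or any trusted domain SID: "
    r"local \[(?P<local>S-1-5-21(?:-\d+){3})\], "
    r"PAC \[(?P<pac>S-1-5-21(?:-\d+){3})\]"
)

def find_foreign_domain_sids(lines):
    """Return a Counter of (local_sid, pac_sid) pairs seen in mismatch lines."""
    hits = Counter()
    for line in lines:
        m = PAC_MISMATCH.search(line)
        if m and m.group("local") != m.group("pac"):
            hits[(m.group("local"), m.group("pac"))] += 1
    return hits

# Constructed sample input: the first entry is the error from this article,
# the second repeats it with a different timestamp, the third is unrelated.
_MSG = ("PAC issue: PAC record claims domain SID different to local domain SID "
        "or any trusted domain SID: "
        "local [S-1-5-21-997841278-3584560916-1456654135], "
        "PAC [S-1-5-21-2108153867-2082035330-3701898995]")
SAMPLE_LOG = [
    "Jan 13 09:15:38 ipa.example.com krb5kdc(Error): " + _MSG,
    "Jan 13 09:17:02 ipa.example.com krb5kdc(Error): " + _MSG,
    "Jan 13 09:17:05 ipa.example.com krb5kdc(info): closing down fd 11",
]

if __name__ == "__main__":
    # Pass a log path (for example /var/log/krb5kdc.log) or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            result = find_foreign_domain_sids(fh)
    else:
        result = find_foreign_domain_sids(SAMPLE_LOG)
    for (local, pac), count in result.most_common():
        print(f"{count:6d}  local={local}  pac={pac}")
```

A PAC domain SID that differs from the local one on every hit is consistent with users still holding SIDs from the deployment they were migrated from.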
- You have used the ipa migrate-ds script to migrate users from one IdM deployment to another