lejeczek via FreeIPA-users wrote:
>
> On 12/03/2021 16:36, Sumit Bose via FreeIPA-users wrote:
>> On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users
>> wrote:
>>> Hi guys
>>>
>>> My IPA does not inject ipantsecurityidentifier (maybe more?) when
>>> '--uid' is used.
>>>
>>> Why is that and how to have or make IPA do 'ipantsecurityidentifier'
>>> - would anybody know?
>> Hi,
>>
>> the ipantsecurityidentifier is typically added automatically by a
>> plugin. But it needs an idrange which covers the UIDs and GIDs you want
>> to add manually. You can add one with
>>
>> ipa idrange-add --type=ipa-local ......
>>
>> There are some mandatory options which will let you specify the start
>> and size of the ranges for the POSIX IDs and the RID part of the SIDs.
> So, I failed to 'idrange-add' (I did not see '--type' is an argument
> available) and I removed (successful clean uninstall) whole deployment and
> installed anew with '--idstart' to match range of "old" IPA and now I
> cannot "ssh"
>
> ...
> Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=b209
> Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): received for user b209: 7 (Authentication failure)
>
> Samba clients can authenticate, IPA's UI also but not 'ssh', regardless
> if '--uid' is used for 'user-add' or not.
> Hmm, it is puzzling at best and total mystery at worst

Details are important. Can't ssh from what to what using what authentication type?

Were all clients re-enrolled?

Can you kinit as b209?

rob
