On 12/03/2021 19:53, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:

On 12/03/2021 16:36, Sumit Bose via FreeIPA-users wrote:
On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users
wrote:
Hi guys

My IPA does not inject ipantsecurityidentifier (maybe more?) when
'--uid' is
used.

Why is that and how to have or make IPA do 'ipantsecurityidentifier'
- would
anybody know?
Hi,

the ipantsecurityidentifier is typically added automatically by a
plugin. But it needs an idrange which covers the UIDs and GIDs you want
to add manually. You can add one with

    ipa idrange-add --type=ipa-local ......

There are some mandatory options which will let you specify the start
and size of the ranges for the POSIX IDs and the RID part of the SIDs.
So, I failed to 'idrange-add' (I did not see '--type' is an argument
available) and I removed (successful clean uninstall) whole deployment and
installed anew with '--idstart' to match range of "old" IPA and now I
cannot "ssh"

...
Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=b209
Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): received for user
b209: 7 (Authentication failure)

Samba clients can authenticate, IPA's UI also but not 'ssh', regardless
if '--uid' is used for 'user-add' or not.
Hmm, it is puzzling at best and total mystery at worst
Details are important.

Can't ssh from what to what using what authentication type? Were all
clients re-enrolled?

Can you kinit as b209?

rob

I cannot tell if it's relevant but I see in krb5_child.log:
...
(2021-03-12 23:24:35): [krb5_child[6104]] [get_and_save_tgt] (0x0020): 1720: [-1765328361][Password has expired]
(2021-03-12 23:27:35): [krb5_child[6496]] [get_and_save_tgt] (0x0020): 1720: [-1765328353][Decrypt integrity check failed]
(2021-03-12 23:27:35): [krb5_child[6496]] [map_krb5_error] (0x0020): 1849: [-1765328353][Decrypt integrity check failed]
(2021-03-12 23:27:40): [krb5_child[6509]] [get_and_save_tgt] (0x0020): 1720: [-1765328353][Decrypt integrity check failed]
(2021-03-12 23:27:40): [krb5_child[6509]] [map_krb5_error] (0x0020): 1849: [-1765328353][Decrypt integrity check failed
...
also:

-> $ ipa user-show me --all
   User password expiration: 20210312232815Z

which I reset with:
-> $ ipa user-mod me --password-expiration=20310312232428Z
but then when I re/set the password
-> $ ipa passwd me
-> $ ipa user-show me --all
   User password expiration: 20210312233219Z <= gets reset?

But even with '20310312232428Z' showing I still cannot ssh.
In case 'sssd_implicit_files.log' may matter:
...
(2021-03-12 23:37:27): [be[implicit_files]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.hostHandler: Error [1432158215]: DP target is not configured

-> $ ipa pwpolicy-show
   Group: global_policy
   Max lifetime (days): 20000
   Min lifetime (hours): 1
   History size: 0
   Character classes: 0
   Min length: 8
   Max failures: 6
   Failure reset interval: 60
   Lockout duration: 600
