On Mon, 27 Nov 2023, David Leeuwestein wrote:
Hello Alexander,
Please provide this user entry's content and the output of 'ipa
idrange-find'.
If you cannot get 'kinit' working for admin, then try the following
command as root on the IPA server:
# ipa -e in_server=True user-show admin --all --raw | grep -E -v -i '(password|principalkey|nthash)'
# ipa -e in_server=True idrange-find
Thanks a lot for peeking into this issue. I provided the details you
requested below. 'kinit' works for the admin account but fails with
every other account.
$ ipa user-show --all
dn: uid=username,cn=users,cn=accounts,dc=intern,dc=example,dc=de
User login: username
First name: -
Last name: -
Full name: -
Display name: -
Home directory: /home/leeuwestein
Login shell: /bin/bash
Principal name: [email protected]
Principal alias: [email protected]
User password expiration: 20241123235532Z
Email address: [email protected]
UID: 1731
GID: 100
This gidNumber is out of any known ID range.
Car License: -
SSH public key: ssh-rsa AAAAB3NzaC1yc
SSH public key fingerprint: SHA256:+tU
User authentication types: password, radius, pkinit, hardened, idp
Account disabled: False
Preserved user: False
Password: True
Member of groups: humans, ipausers, ....
Indirect Member of group: ....
Indirect Member of Sudo rule: ...
Indirect Member of HBAC rule: admins_login
Kerberos keys available: True
ipantsecurityidentifier: S-1-5-21-385029999-2513500810-4281905551-5000731
this SID and Samba SID are different:
sambasid: S-1-5-21-3236374480-3602790372-206088821-3462
We ignore the SambaSID value in FreeIPA, so it is mostly an inconsistency for
your own software and is probably a migration artefact.
However, the SID we know about this user should be within the domain SID
of IPA domain. Can you show the output of
ipa trustconfig-show
?
If the domain SID is not the same as
S-1-5-21-385029999-2513500810-4281905551, that is your problem.
ipauniqueid: af068fc8-3dd4-11ed-9208-000c295d8b72
krbextradata:
AAL0N2FlbGVldXdlc3RlaW5ASU5URVJOLkFTVEEuVU5JLUxVRUJFQ0suREUA
krblastadminunlock: 20231124235422Z
krblastpwdchange: 20231124235532Z
krbticketflags: 128
objectclass: krbticketpolicyaux, inetuser, sambasamaccount,
posixaccount, inetorgperson, person, organizationalperson, ipaobject,
top, ipasshuser, ipasshgroupofpubkeys, shadowaccount,
krbprincipalaux, ipauserauthtypeclass, ipantuserattrs
registeredaddress: [email protected]
sambapwdlastset: 1700870132
sambasid: S-1-5-21-3236374480-3602790372-206088821-3462
shadowlastchange: 19685
shadowmax: 99999
shadowmin: 0
shadowwarning: 7
$ ipa idrange-find
----------------
3 ranges matched
----------------
Range name: INTERN.ASTA.UNI-LUEBECK.DE_id2_range
First Posix ID of the range: 1000
Number of IDs in the range: 100000
First RID of the corresponding RID range: 5000000
First RID of the secondary RID range: 600000
Range type: local domain range
Range name: INTERN.ASTA.UNI-LUEBECK.DE_id_range
First Posix ID of the range: 690800000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: INTERN.ASTA.UNI-LUEBECK.DE_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-1437684047
Range type: Active Directory domain range
----------------------------
Number of entries returned 3
----------------------------
$ ipa -e in_server=True config-show --raw |grep ipakrbauthzdata
ipakrbauthzdata: MS-PAC
ipakrbauthzdata: nfs:NONE
It filters out any field with those three words in the name so that we
don't see your user's credentials but still get the rest.
Most of what I am going to suggest based on that output was already
discussed on this list in the past couple of months in the thread 'ipa CLI
doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC', so
you can use
https://lists.fedorahosted.org/archives/list/[email protected]/
to browse the archives.
Thanks for the tip on the topic already discussed on this list.
Please, believe me, I have already spent ages researching this issue.
I don't know what to look for anymore. Could you give me a hint on
which direction I should look?
Make sure you have a proper domain SID and that user/group SIDs are
within that domain SID. Given that this is most likely an old deployment
that was trying to serve data which most likely predates IPA
installation itself, there might be inconsistencies like that.
For SID generation, aside from domain SID, we require ID ranges that can
cover uidNumber/gidNumber values and have RID offsets defined. You have
those, more or less.
For MS-PAC generation we require principal entries to have object SIDs
within the IPA domain.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
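The checks Alexander describes above (uidNumber/gidNumber covered by a local ID range with a RID base, and the user's SID sitting inside the IPA domain SID) can be scripted against the pasted `ipa idrange-find` and `ipa user-show --all` output. The following is an added example, not code from the thread or from FreeIPA itself. It assumes the sidgen mapping RID = base RID + (POSIX ID - base POSIX ID); the `DOMAIN_SID` value is a placeholder, since the thread never shows the `ipa trustconfig-show` output, and the sample output strings are constructed from the entries quoted above.

```python
"""Consistency checks for FreeIPA user SIDs against ID ranges (added example)."""
import re

# Constructed sample: the three ranges from the thread's 'ipa idrange-find' output.
IDRANGE_OUTPUT = """\
Range name: INTERN.ASTA.UNI-LUEBECK.DE_id2_range
First Posix ID of the range: 1000
Number of IDs in the range: 100000
First RID of the corresponding RID range: 5000000
First RID of the secondary RID range: 600000
Range type: local domain range
Range name: INTERN.ASTA.UNI-LUEBECK.DE_id_range
First Posix ID of the range: 690800000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: INTERN.ASTA.UNI-LUEBECK.DE_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-1437684047
Range type: Active Directory domain range
"""

# Constructed sample: the relevant lines of the user's 'ipa user-show --all' output.
USER_OUTPUT = """\
User login: username
UID: 1731
GID: 100
ipantsecurityidentifier: S-1-5-21-385029999-2513500810-4281905551-5000731
sambasid: S-1-5-21-3236374480-3602790372-206088821-3462
"""

# Assumption: the domain SID 'ipa trustconfig-show' would print. Placeholder only.
DOMAIN_SID = "S-1-5-21-385029999-2513500810-4281905551"

KV = re.compile(r"\s*([^:]+):\s*(.*)$")  # 'Key: value' lines; separators are skipped


def parse_ranges(text):
    """Turn 'ipa idrange-find' output into a list of range dicts."""
    blocks, cur = [], None
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Range name":
            cur = {"name": val}
            blocks.append(cur)
        elif cur is not None:
            cur[key] = val
    ranges = []
    for b in blocks:
        rid = b.get("First RID of the corresponding RID range")
        ranges.append({"name": b["name"], "type": b.get("Range type", ""),
                       "base_id": int(b["First Posix ID of the range"]),
                       "size": int(b["Number of IDs in the range"]),
                       "base_rid": int(rid) if rid is not None else None})
    return ranges


def parse_entry(text):
    """Turn 'Key: value' lines of a user entry into a dict (last value wins)."""
    return {m.group(1).strip(): m.group(2).strip()
            for m in map(KV.match, text.splitlines()) if m}


def split_sid(sid):
    """Return (domain part, RID) of an S-1-5-21-... SID."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def covering_range(posix_id, ranges):
    """The local domain range that contains posix_id, or None (trust ranges ignored)."""
    for r in ranges:
        if r["type"] == "local domain range" and r["base_id"] <= posix_id < r["base_id"] + r["size"]:
            return r
    return None


def expected_sid(posix_id, domain_sid, ranges):
    """SID sidgen would derive for posix_id (assumed: base RID + offset in range)."""
    r = covering_range(posix_id, ranges)
    if r is None or r["base_rid"] is None:
        return None
    return f"{domain_sid}-{r['base_rid'] + (posix_id - r['base_id'])}"


def check_entry(entry, domain_sid, ranges):
    """Return (check, ok, detail) tuples for one user entry."""
    findings = []
    uid, gid = int(entry["UID"]), int(entry["GID"])
    for label, posix_id in (("uidNumber", uid), ("gidNumber", gid)):
        r = covering_range(posix_id, ranges)
        findings.append((f"{label} {posix_id} covered by a local ID range", r is not None,
                         r["name"] if r else "no local range covers it; no SID can be generated"))
    sid = entry.get("ipantsecurityidentifier")
    if sid is None:
        findings.append(("ipantsecurityidentifier present", False, "missing; MS-PAC needs it"))
        return findings
    sid_domain, _ = split_sid(sid)
    findings.append(("SID inside the IPA domain SID", sid_domain == domain_sid,
                     f"{sid_domain} vs {domain_sid}"))
    want = expected_sid(uid, domain_sid, ranges)
    findings.append(("RID matches the range's RID base for uidNumber", want == sid,
                     f"have {sid}, expect {want}"))
    return findings


if __name__ == "__main__":
    for check, ok, detail in check_entry(parse_entry(USER_OUTPUT), DOMAIN_SID, parse_ranges(IDRANGE_OUTPUT)):
        print(f"[{'OK' if ok else 'FAIL'}] {check}: {detail}")
```

On the thread's data the user SID checks out: RID 5000731 is exactly 5000000 + (1731 - 1000) from the `_id2_range`, so the uid side is consistent, while gidNumber 100 falls below every local range and gets no SID, which is the "out of any known ID range" remark above. Replace `DOMAIN_SID` with the real `ipa trustconfig-show` value to run the domain-prefix check Alexander asks for.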
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue