Thanks, will go through it.

On Tue, Nov 28, 2023 at 2:54 PM Alexander Bokovoy <[email protected]> wrote:

> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> > Could you please help me with those threads here to regenerate SIDs.
>
> https://access.redhat.com/articles/7027037
>
> > On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy <[email protected]> wrote:
> >
> > > On Tue, 28 Nov 2023, Pradeep KNS wrote:
> > > > Yeah,
> > > > but my default ID range starts with 770000, while all my existing
> > > > infrastructure UIDs are within 4 digits, like 4147, 8921, 9756.
> > > > Here I am facing an issue.
> > > >
> > > > That's why I am creating users with the default ID range and then later I
> > > > am modifying the UIDs as per my infrastructure; then ipantuserattrs is
> > > > created and I am able to authenticate with password.
> > >
> > > This is wrong.
> > >
> > > > Can you suggest to me whether with this setup I can easily handle 350
> > > > users for around 400 servers across different locations, with caching
> > > > on IPA clients?
> > >
> > > As I already said in other threads, create an additional ID range that
> > > covers your 4-digit IDs, then re-run SID generation to make sure those
> > > users get proper SIDs.
> > >
> > > This is covered in the KCS.
> > >
> > > > On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy <[email protected]> wrote:
> > > >
> > > > > Please don't drop the mailing list.
> > > > >
> > > > > On Tue, 28 Nov 2023, Pradeep KNS wrote:
> > > > > > Hey Alexander,
> > > > > >
> > > > > > Thanks for the reply.
> > > > > >
> > > > > > But in my case I have fixed it by recreating the user in the IPA web UI;
> > > > > > observing that ipantuserattrs is created, password logins are working fine.
> > > > > >
> > > > > > But do I face any issues if I try to modify the base ID range manually?
> > > > > > As per the Red Hat docs it is not recommended to modify it.
> > > > >
> > > > > If you have re-created your user and that new one works, it means the
> > > > > underlying infrastructure works properly. Older user entries need to be
> > > > > fixed, preferably through a new ID range, if those entries use IDs
> > > > > which are outside of the main ID range.
> > > > >
> > > > > > Also, IPA 4.11 supports dedicated SSH key based authentication.
> > > > > > Of course now also it's working.
> > > > > >
> > > > > > My setup is that I have internal DNS which is handled by Puppet, and I
> > > > > > will slowly move it to a dedicated internal DNS server, so that's why I
> > > > > > opted for IPA installation without DNS.
> > > > > >
> > > > > > On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <[email protected]> wrote:
> > > > > >
> > > > > > > On Mon, 27 Nov 2023, Pradeep KNS via FreeIPA-users wrote:
> > > > > > > > Hi Rob,
> > > > > > > > Thank you for your email. I've identified the issue.
> > > > > > > > When attempting to create a user using the 'ipa user-add' command and
> > > > > > > > defining the UID and GID according to my specifications, the UID falls
> > > > > > > > within the 4-digit range, for instance, 4141. The IPA ID range during
> > > > > > > > installation was set to 770000. Users created within this range are
> > > > > > > > accepted with their passwords. However, users created with UIDs like
> > > > > > > > 4141 or 4142 encounter issues.
> > > > > > > >
> > > > > > > > Looks like the attributes were not being created:
> > > > > > > >
> > > > > > > > objectclass: top, person, organizationalperson, inetorgperson,
> > > > > > > > inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject,
> > > > > > > > ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
> > > > > > > >
> > > > > > > > If I specify uid and gid using the ipa user-add command,
> > > > > > > > ipantuserattrs is not getting created.
> > > > > > > >
> > > > > > > > I tried to modify the default range but it didn't happen.
> > > > > > >
> > > > > > > See my answers in a parallel thread 'kinit fails on freeipa master: File
> > > > > > > or directory not found'.
> > > > > > >
> > > > > > > > On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden <[email protected]> wrote:
> > > > > > > >
> > > > > > > > > Pradeep KNS wrote:
> > > > > > > > > > Hi,
> > > > > > > > > > I have installed IPA with internal DNS. After installing, I updated
> > > > > > > > > > entries on DNS as well.
> > > > > > > > > >
> > > > > > > > > > My main criterion is to communicate with IPA clients with SSH
> > > > > > > > > > key-based authentication, which is working fine.
> > > > > > > > > >
> > > > > > > > > > Today I thought I would test password based authentication, which is
> > > > > > > > > > not happening. I don't know what I am missing.
> > > > > > > > > >
> > > > > > > > > > [[email protected]]# ipa --version
> > > > > > > > > > VERSION: 4.10.1, API_VERSION: 2.251
> > > > > > > > > > [[email protected]]#
> > > > > > > > > >
> > > > > > > > > > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
> > > > > > > > > > BACKTRACE:
> > > > > > > > > > * (2023-11-23 19:33:16): [krb5_child[11588]] [tgt_req_child]
> > > > > > > > > > (0x1000): [RID#15] Password was expired
> > > > > > > > >
> > > > > > > > > The user's password is expired.
> > > > > > > > >
> > > > > > > > > IPA intends that only the end-user knows their password. So if it is set
> > > > > > > > > or reset by an administrator the user will need to change it.
> > > > > > > > >
> > > > > > > > > Is the user not prompted to reset it?
> > > > > > > > >
> > > > > > > > > rob
> > > > > > > > >
> > > > > > > > > > * (2023-11-23 19:33:16): [krb5_child[11588]] [sss_krb5_responder]
> > > > > > > > > > (0x4000): [RID#15] Got question [password].
> > > > > > > > > > * (2023-11-23 19:33:16): [krb5_child[11588]] [map_krb5_error]
> > > > > > > > > > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see e-text)]
> > > > > > > > > > ********************** BACKTRACE DUMP ENDS HERE *********************************
> > > > > > > > > >
> > > > > > > > > > ssh log
> > > > > > > > > >
> > > > > > > > > > Nov 23 19:33:16 test-example.com sshd[11586]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.1.1 user=harsh
> > > > > > > > > > Nov 23 19:33:16 test-example.com sshd[11586]: pam_sss(sshd:auth): received for user harsh: 4 (System error)
> > > > > > > > > > Nov 23 19:33:18 test-example.com sshd[11584]: error: PAM: Authentication failure for harsh from 10.10.1.1
> > > > > > > > > > Nov 23 19:33:20 test-example.com sshd[11584]: Connection closed by authenticating user harsh 10.10.1.1 port 47724 [preauth]
> > > > > > >
> > > > > > > --
> > > > > > > / Alexander Bokovoy
> > > > > > > Sr. Principal Software Engineer
> > > > > > > Security / Identity Management Engineering
> > > > > > > Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
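The fix Alexander describes in the thread, adding an ID range that actually covers the legacy 4-digit UIDs before re-running SID generation, as an added shell example that is not part of the thread and not FreeIPA's own code. It works offline: it parses constructed range records shaped like `ipa idrange-find --raw` output (the attribute names, the range name and the RID bases are assumptions) and reports which UIDs no configured range covers, which is exactly the condition under which a user entry ends up without a SID. The `ipa` commands in the trailing comment are the ones you would run on the real server once the gap is confirmed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project):
# find POSIX UIDs that fall outside every configured IPA ID range. Users
# whose uidNumber is outside all local ranges do not get a SID
# (ipantuserattrs / ipaNTSecurityIdentifier), the failure discussed above.

# Constructed sample shaped like `ipa idrange-find --raw` output for a
# server whose only local range starts at 770000 (attribute names are an
# assumption; adjust the awk patterns if your output differs).
SAMPLE_RANGES='cn: EXAMPLE.COM_id_range
ipabaseid: 770000
ipaidrangesize: 200000
ipabaserid: 1000
ipasecondarybaserid: 100000000
iparangetype: ipa-local
'

# Constructed sample of the additional range an administrator would add to
# cover 4-digit legacy UIDs (name and RID bases are assumptions; they must
# not overlap the RID space of any existing range).
LEGACY_RANGE='cn: EXAMPLE.COM_legacy_range
ipabaseid: 1000
ipaidrangesize: 9000
ipabaserid: 1000000
ipasecondarybaserid: 101000000
iparangetype: ipa-local
'

# parse_ranges: read range records on stdin, print "<base> <size>" per range.
parse_ranges() {
    awk '
        /^ipabaseid:/      { base = $2 }
        /^ipaidrangesize:/ { print base, $2 }
    '
}

# uid_covered UID RANGES: exit 0 if UID lies in [base, base+size) of any range.
uid_covered() {
    printf '%s' "$2" | parse_ranges | awk -v u="$1" '
        (u + 0 >= $1 + 0) && (u + 0 < $1 + $2) { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# uncovered_uids RANGES UID...: print each UID that no range covers.
uncovered_uids() {
    ranges=$1
    shift
    for u in "$@"; do
        uid_covered "$u" "$ranges" || printf '%s\n' "$u"
    done
}

# Demonstration with the UIDs quoted in the thread.
echo "Uncovered with the default range only:"
uncovered_uids "$SAMPLE_RANGES" 4147 8921 9756 770001

echo "Uncovered after adding the legacy range:"
uncovered_uids "$SAMPLE_RANGES$LEGACY_RANGE" 4147 8921 9756 770001

# On a real server the matching steps would be (ipa CLI commands; the range
# name and RID bases are illustrative):
#   ipa idrange-find --raw
#   ipa idrange-add EXAMPLE.COM_legacy_range --base-id=1000 --range-size=9000 \
#       --rid-base=1000000 --secondary-rid-base=101000000 --type=ipa-local
#   ipa config-mod --enable-sid --add-sids
#   ipa user-show harsh --all | grep -i ipantsecurityidentifier
```

Run the check against the live `ipa idrange-find --raw` output and the UIDs from `ipa user-find --raw` before adding a range; any UID it prints is one whose entry will keep failing password authentication until a covering range exists and SIDs are regenerated.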
