OK, but in my case I don't use AD, Windows authentication or replicas etc., just the centralised authentication system; all are Red Hat OS installed servers. In this case also do I need to create a base RID?
On Tue, Nov 28, 2023 at 4:30 PM Alexander Bokovoy <[email protected]> wrote:
> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> >Alexander,
> >
> >Thanks for that document. Bit of that I did, but it didn't work; looks like
> >I might have followed some wrong steps.
> >
> >My default id range mentioned below
> >ipa idrange-find --all --raw
> >----------------
> >2 ranges matched
> >----------------
> >  dn: cn=REALM_id_range,cn=ranges,cn=etc,dc=$SUFFIX
> >  cn: REALM_id_range
> >  ipabaseid: 771000000
> >  ipaidrangesize: 200000
> >  ipabaserid: 1000
> >  ipasecondarybaserid: 100000000
> >  iparangetype: ipa-local
> >  objectclass: top
> >  objectclass: ipaIDrange
> >  objectclass: ipaDomainIDRange
> >
> >  dn: cn=REALM_subid_range,cn=ranges,cn=etc,dc=SUFFIX
> >  cn: REALM_subid_range
> >  ipabaseid: 2147483648
> >  ipaidrangesize: 2147352576
> >  ipabaserid: 2147283648
> >  ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364
> >  iparangetype: ipa-ad-trust
> >  objectclass: top
> >  objectclass: ipaIDrange
> >  objectclass: ipaTrustedADDomainRange
> >
> >##################################
> >Manually created ID range
> >
> >[root@ipa-mum1 ~]# ipa idrange-find --all --raw
> >----------------
> >3 ranges matched
> >----------------
> >  dn: cn=REALM_id_new_range,cn=ranges,cn=etc,dc=SUFFIX
> >  cn: REALM_id_new_range
> >  ipabaseid: 1000
> >  ipaidrangesize: 200000
> >  iparangetype: ipa-local
> >  objectclass: ipaIDrange
> >  objectclass: ipadomainidrange
>
> You created a new ID range but this range has no RID bases. Therefore,
> the range cannot be used for SID assignment.
>
> The KCS article has a section about RID bases and how to choose them,
> please follow that.
>
> >
> >Then I created the user named test user; after that it didn't create the
> >expected user attribute
> >
> >[root@ipa ~]# ipa user-add testuser --first=Test --last=User --uid=5189
> >--gidnumber=4141 --password
> >[root@ipa ~]# ipa user-show testuser --all
> >  dn: uid=testuser,cn=users,cn=accounts,dc=real
> >  User login: testuser
> >  First name: Test
> >  Last name: User
> >  Full name: Test User
> >  Display name: Testuser
> >  Initials: TU
> >  Home directory: /home/testuser
> >  GECOS: Test User
> >  Login shell: /bin/bash
> >  Principal name: [email protected]
> >  Principal alias: [email protected]
> >  User password expiration: 20231124144147Z
> >  UID: 5189
> >  GID: 4141
> >  Account disabled: False
> >  Preserved user: False
> >  Password: True
> >  Member of groups: ipausers
> >  Kerberos keys available: True
> >  ipauniqueid: 88e7da44-8ad7-11ee-b06e-a68c8b95f346
> >  krbextradata: AAIrtmBlcm9vdC9hZG1pbkBBTFBIQS1HUkVQLkNPTQA=
> >  krblastadminunlock: 20231124144147Z
> >  krblastpwdchange: 20231124144147Z
> >  krbloginfailedcount: 0
> >  mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
> >  objectclass: top, person, organizationalperson, inetorgperson, inetuser,
> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
> >ipaSshGroupOfPubKeys, mepOriginEntry
> >
> >The above method was followed, but after creating another id range manually, I
> >don't know where I missed post creation of ranges; for some reason it didn't
> >work. That's why I followed that generic method of creating users and
> >modifying them manually.
> >Please suggest.
> >
> >On Tue, Nov 28, 2023 at 2:56 PM Pradeep KNS <[email protected]>
> >wrote:
> >
> >> Thanks, will go through it.
> >>
> >> On Tue, Nov 28, 2023 at 2:54 PM Alexander Bokovoy <[email protected]>
> >> wrote:
> >>
> >>> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> >>> >Could you please help me with those threads here to regenerate SIDs.
> >>>
> >>> https://access.redhat.com/articles/7027037
> >>>
> >>> >
> >>> >On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy <[email protected]>
> >>> >wrote:
> >>> >
> >>> >> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> >>> >> >Yeah,
> >>> >> >But my default id range starts with 770000, but all my existing
> >>> >> >infrastructure uid's are within 4 digits like 4147, 8921, 9756 and so on.
> >>> >> >Here I am facing an issue.
> >>> >> >
> >>> >> >That's why I am creating users with the default id range and then later I am
> >>> >> >modifying the uid's as per my infrastructure; then ipantuserattrs is created
> >>> >> >and I am able to authenticate with password.
> >>> >>
> >>> >> This is wrong.
> >>> >>
> >>> >> >
> >>> >> >Can you suggest to me that with this setup I can easily handle 350 users
> >>> >> >for around 400 servers across different locations with a cache
> >>> >> >stored on IPA clients.
> >>> >>
> >>> >> As I already said in other threads, create additional ID range that
> >>> >> covers your 4-digit IDs, then re-run SID generation to make sure those
> >>> >> users get proper SIDs.
> >>> >>
> >>> >> This is covered in the KCS.
> >>> >>
> >>> >> >
> >>> >> >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy <[email protected]>
> >>> >> >wrote:
> >>> >> >
> >>> >> >> Please don't drop mailing list.
> >>> >> >>
> >>> >> >> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> >>> >> >> >Hey Alexander,
> >>> >> >> >
> >>> >> >> >Thanks for the reply.
> >>> >> >> >
> >>> >> >> >But in my case I have fixed it by recreating the user on the IPA web UI and
> >>> >> >> >observing ipantuserattrs created; password logins are working fine.
> >>> >> >> >
> >>> >> >> >But do I face any issues if I try to modify the base id range manually? As
> >>> >> >> >per Red Hat docs it is not recommended to modify.
> >>> >> >>
> >>> >> >> If you have re-created your user and that new one works, it means
> >>> >> >> underlying infrastructure works properly. Older user entries need to be
> >>> >> >> fixed. Preferably through a new ID range, if those entries use IDs
> >>> >> >> which are outside of the main ID range.
> >>> >> >>
> >>> >> >> >
> >>> >> >> >Also on IPA 4.11 they support dedicated SSH key based
> >>> >> >> >authentication. Of course now also it's working.
> >>> >> >> >
> >>> >> >> >My setup is that I have internal DNS which is handled by a puppet and
> >>> >> >> >slowly will move it to a dedicated internal DNS server, so that's why I
> >>> >> >> >opted for IPA installation without DNS.
> >>> >> >> >
> >>> >> >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <[email protected]>
> >>> >> >> >wrote:
> >>> >> >> >
> >>> >> >> >> On Mon, 27 Nov 2023, Pradeep KNS via FreeIPA-users wrote:
> >>> >> >> >> >Hi Rob,
> >>> >> >> >> >Thank you for your email. I've identified the issue.
> >>> >> >> >> >When attempting to create a user using the 'ipa user-add' command and
> >>> >> >> >> >defining the UID and GID according to my specifications, the UID falls
> >>> >> >> >> >within the 4-digit range, for instance, 4141. The
> >>> >> >> >> >IPA IDs range during installation was set to 770000. Users created within
> >>> >> >> >> >this range are accepted with their passwords. However, users created with
> >>> >> >> >> >UIDs like 4141 or 4142 encounter issues.
> >>> >> >> >> >
> >>> >> >> >> >Looks like attributes were not being created
> >>> >> >> >> >
> >>> >> >> >> >objectclass: top, person, organizationalperson, inetorgperson, inetuser,
> >>> >> >> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
> >>> >> >> >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
> >>> >> >> >> >
> >>> >> >> >> >If I mention uid and gid using the ipa user-add command,
> >>> >> >> >> >ipantuserattrs is not getting created.
> >>> >> >> >> >
> >>> >> >> >> >I tried to modify the default range but it didn't happen.
> >>> >> >> >>
> >>> >> >> >> See my answers in a parallel thread 'kinit fails on freeipa master: File
> >>> >> >> >> or directory not found'.
> >>> >> >> >>
> >>> >> >> >> >
> >>> >> >> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden <[email protected]>
> >>> >> >> >> >wrote:
> >>> >> >> >> >
> >>> >> >> >> >> Pradeep KNS wrote:
> >>> >> >> >> >> > Hi,
> >>> >> >> >> >> > I have installed an IPA with internal DNS. After installing, updated
> >>> >> >> >> >> > entries on DNS as well.
> >>> >> >> >> >> >
> >>> >> >> >> >> > My main criteria is to communicate with IPA clients with SSH key-based
> >>> >> >> >> >> > authentication, which is working fine.
> >>> >> >> >> >> >
> >>> >> >> >> >> > Today I thought I want to test with password based authentication,
> >>> >> >> >> >> > which is not happening. I don't know where I am missing.
> >>> >> >> >> >> >
> >>> >> >> >> >> >
> >>> >> >> >> >> > [[email protected]]# ipa --version
> >>> >> >> >> >> > VERSION: 4.10.1, API_VERSION: 2.251
> >>> >> >> >> >> > [[email protected]]#
> >>> >> >> >> >> >
> >>> >> >> >> >> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
> >>> >> >> >> >> > BACKTRACE:
> >>> >> >> >> >> >  * (2023-11-23 19:33:16): [krb5_child[11588]] [tgt_req_child]
> >>> >> >> >> >> > (0x1000): [RID#15] Password was expired
> >>> >> >> >> >>
> >>> >> >> >> >> The user's password is expired.
> >>> >> >> >> >>
> >>> >> >> >> >> IPA intends that only the end-user knows their password. So if it is
> >>> >> >> >> >> set or reset by an administrator the user will need to change it.
> >>> >> >> >> >>
> >>> >> >> >> >> Is the user not prompted to reset it?
> >>> >> >> >> >>
> >>> >> >> >> >> rob
> >>> >> >> >> >>
> >>> >> >> >> >> >  * (2023-11-23 19:33:16): [krb5_child[11588]] [sss_krb5_responder]
> >>> >> >> >> >> > (0x4000): [RID#15] Got question [password].
> >>> >> >> >> >> >  * (2023-11-23 19:33:16): [krb5_child[11588]] [map_krb5_error]
> >>> >> >> >> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see e-text)]
> >>> >> >> >> >> > ********************** BACKTRACE DUMP ENDS HERE
> >>> >> >> >> >> > *********************************
> >>> >> >> >> >> >
> >>> >> >> >> >> > ssh log
> >>> >> >> >> >> >
> >>> >> >> >> >> > Nov 23 19:33:16 test-example.com sshd[11586]:
> >>> >> >> >> >> > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> >>> >> >> >> >> > tty=ssh ruser= rhost=10.10.1.1 user=harsh
> >>> >> >> >> >> > Nov 23 19:33:16 test-example.com sshd[11586]:
> >>> >> >> >> >> > pam_sss(sshd:auth): received for user harsh: 4 (System error)
> >>> >> >> >> >> > Nov 23 19:33:18 test-example.com sshd[11584]:
> >>> >> >> >> >> > error: PAM: Authentication failure for harsh from 10.10.1.1
> >>> >> >> >> >> > Nov 23 19:33:20 test-example.com sshd[11584]:
> >>> >> >> >> >> > Connection closed by authenticating user harsh 10.10.1.1 port 47724
> >>> >> >> >> >> > [preauth]
> >>> >> >> >> >>
> >>> >> >> >> >
> >>> >> >> >>
> >>> >> >> >> --
> >>> >> >> >> / Alexander Bokovoy
> >>> >> >> >> Sr. Principal Software Engineer
> >>> >> >> >> Security / Identity Management Engineering
> >>> >> >> >> Red Hat Limited, Finland
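The point Alexander makes above is that a manually added range is only usable for SID assignment if it carries RID bases, and those RID blocks (like the POSIX ID block) must not collide with the ranges that already exist. The following Python is an added example, not code from the thread or from FreeIPA: it parses the `ipa idrange-find --all --raw` output quoted above (a constructed copy of the two default ranges), checks a proposed ipa-local range for the 4-digit UIDs against them in both ID and RID space, and builds the matching `ipa idrange-add` command. The proposed values (base-id 1000, size 200000, RID bases 300000 and 200000000) and the range name are assumptions, and the checker conservatively treats every range's RIDs as one space, so it may over-report rather than miss a clash.

```python
import re
# Constructed copy of the two default ranges quoted in the thread, in the
# attribute-per-line format printed by `ipa idrange-find --all --raw`.
RAW = """\
 cn: REALM_id_range
 ipabaseid: 771000000
 ipaidrangesize: 200000
 ipabaserid: 1000
 ipasecondarybaserid: 100000000
 iparangetype: ipa-local

 cn: REALM_subid_range
 ipabaseid: 2147483648
 ipaidrangesize: 2147352576
 ipabaserid: 2147283648
 iparangetype: ipa-ad-trust
"""
def parse_ranges(raw):
    """One dict per blank-line-separated entry, keyed by lower-cased attribute name."""
    ranges, cur = [], {}
    for line in raw.splitlines() + [""]:
        m = re.match(r"\s*(\w+):\s*(.*)$", line)
        if m:
            cur[m.group(1).lower()] = m.group(2)
        elif cur:
            ranges.append(cur)
            cur = {}
    return ranges

def blocks(r):
    """Intervals a range occupies: its POSIX IDs plus any primary/secondary RID block."""
    base, size = int(r["ipabaseid"]), int(r["ipaidrangesize"])
    out = [("id", base, base + size - 1)]
    for attr in ("ipabaserid", "ipasecondarybaserid"):
        if attr in r:
            out.append(("rid", int(r[attr]), int(r[attr]) + size - 1))
    return out

def conflicts(existing, base_id, size, rid_base, sec_rid_base):
    """Existing range names clashing with the proposal; '<proposed range>' if its own RID blocks overlap."""
    nb = blocks({"ipabaseid": base_id, "ipaidrangesize": size,
                 "ipabaserid": rid_base, "ipasecondarybaserid": sec_rid_base})
    hit = lambda a, b: a[0] == b[0] and a[1] <= b[2] and b[1] <= a[2]
    bad = [r["cn"] for r in existing if any(hit(x, y) for x in nb for y in blocks(r))]
    return bad + (["<proposed range>"] if hit(nb[1], nb[2]) else [])

def idrange_add_cmd(name, base_id, size, rid_base, sec_rid_base):
    """The ipa(1) command to create the range once conflicts() returns []."""
    return (f"ipa idrange-add {name} --base-id={base_id} --range-size={size} "
            f"--rid-base={rid_base} --secondary-rid-base={sec_rid_base}")
```

Once the range exists, `ipa config-mod --enable-sid --add-sids` re-runs SID generation for the entries it now covers, which is the step Alexander refers to; the KCS article remains the authority on choosing RID bases.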
--
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
