Thanks Alexander,

Appreciate your help and things are working as expected.

On Fri, Dec 1, 2023 at 1:13 PM Alexander Bokovoy <[email protected]> wrote:
> On Fri, 01 Dec 2023, Pradeep KNS wrote:
> >Hey Alexander,
> >
> >I have tried installing a new IPA server with my expected ranges on my new
> >site and it's working fine. Thanks for the document.
> >
> >I have observed a couple of errors. POSIX IDs 4248, 4141, 4121, 4258, etc.
> >are all my infra group IDs.
> >
> >
> >[30/Nov/2023:05:17:36.931522914 -0500] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
> >[30/Nov/2023:05:17:36.933841900 -0500] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [0].
> >[30/Nov/2023:05:17:41.443256202 -0500] - ERR - schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=alpha-grep,dc=com
> >[30/Nov/2023:05:17:41.449472986 -0500] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=alpha-grep,dc=com
> >[30/Nov/2023:05:17:41.456705946 -0500] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=alpha-grep,dc=com
> >[30/Nov/2023:05:17:41.457666134 -0500] - ERR - schema-compat-plugin - Finished plugin initialization.
> >[30/Nov/2023:05:27:02.337803787 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4141] into an unused SID.
>
> 4141 is below base ID for the only ID range that could be used (starting
> with 5000). You need to add a range similar to your $REALM_id_range but
> which covers all these POSIX UID/GIDs.
>
> >[30/Nov/2023:05:27:02.338927487 -0500] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
> >[30/Nov/2023:06:03:06.173948392 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4121] into an unused SID.
>
> Same here.
>
> >[30/Nov/2023:06:03:06.174922473 -0500] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
> >[30/Nov/2023:06:22:36.616707461 -0500] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-3258431096-680571367-3483437258-16054] is already used.
>
> This SID is already used by some other object.
>
> >[30/Nov/2023:06:24:53.185373410 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4258] into an unused SID.
>
> Same here -- 4258 is below 5000.
>
> >[30/Nov/2023:06:24:53.186107898 -0500] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
> >[30/Nov/2023:07:07:48.738323141 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into an unused SID.
>
> Same here.
>
> >[30/Nov/2023:07:07:48.739492958 -0500] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
> >[30/Nov/2023:08:10:33.205867886 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into an unused SID.
> >[30/Nov/2023:08:10:33.206759596 -0500] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
> >[30/Nov/2023:08:33:53.787156179 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into an unused SID.
> >[30/Nov/2023:08:33:53.788186638 -0500] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
> >[root@ipa- ~]#
> >
> >
> >[root@ipa-~]# ipa user-show test --all --raw
> >  dn: uid=test,cn=users,cn=accounts,dc=$REAL
> >  uid: test
> >  givenname: test
> >  sn: test
> >  cn: test
> >  initials: TE
> >  homedirectory: /home/test
> >  gecos: Test
> >  loginshell: /bin/bash
> >  krbcanonicalname: test@$REALM.COM
> >  krbprincipalname: kpradeep@$REALM.COM
> >  uidnumber: 5708
> >  gidnumber: 4141
> >  sshpubkeyfp:
> >  nsaccountlock: FALSE
> >  has_password: TRUE
> >  has_keytab: TRUE
> >  displayName: Test
> >  ipaNTSecurityIdentifier: S-1-5-21-3258431096-680571367-3483437258-1708
> >  ipaSshPubKey: <key>
> >  ipaUniqueID: <id>
> >  krbExtraData: <data>
> >  krbLastAdminUnlock: 20231130174441Z
> >  krbLastPwdChange: 20231130174540Z
> >  krbLoginFailedCount: 0
> >  krbPasswordExpiration: 20240228174540Z
> >  krbTicketFlags: 128
> >  memberof: cn=admin,cn=groups,cn=accounts,dc=$real
> >  memberof: cn=ipausers,cn=groups,cn=accounts,dc=$real
> >  memberofindirect: ipaUniqueID=8c81c2c6-8f6b-11ee-b685-a68c8b95f346,cn=sudorules,cn=sudo,dc=$real
> >  mepManagedEntry: cn=test,cn=groups,cn=accounts,dc=$real
> >  objectClass: top
> >  objectClass: person
> >  objectClass: organizationalperson
> >  objectClass: inetorgperson
> >  objectClass: inetuser
> >  objectClass: posixaccount
> >  objectClass: krbprincipalaux
> >  objectClass: krbticketpolicyaux
> >  objectClass: ipaobject
> >  objectClass: ipasshuser
> >  objectClass: ipaSshGroupOfPubKeys
> >  objectClass: mepOriginEntry
> >  objectClass: ipantuserattrs
> >
> >
> >[root@ipa- ~]# ipa idrange-find --all --raw
> >----------------
> >2 ranges matched
> >----------------
> >  dn: cn=$REALM_id_range,cn=ranges,cn=etc,dc=$real
> >  cn: $REALM_id_range
> >  ipabaseid: 5000
> >  ipaidrangesize: 1995001
> >  ipabaserid: 1000
> >  ipasecondarybaserid: 100000000
> >  iparangetype: ipa-local
> >  objectclass: top
> >  objectclass: ipaIDrange
> >  objectclass: ipaDomainIDRange
> >
> >  dn: cn=$REALM_subid_range,cn=ranges,cn=etc,dc=$realm
> >  cn: $REALM_subid_range
> >  ipabaseid: 2147483648
> >  ipaidrangesize: 2147352576
> >  ipabaserid: 2145488647
> >  ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364
> >  iparangetype: ipa-ad-trust
> >  objectclass: top
> >  objectclass: ipaIDrange
> >  objectclass: ipaTrustedADDomainRange
> >----------------------------
> >Number of entries returned 2
> >----------------------------
> >[root@ipa ~]#
> >
> >On Tue, Nov 28, 2023 at 4:58 PM Pradeep KNS <[email protected]>
> >wrote:
> >
> >> Thanks a lot and I will Go through it.
> >>
> >> On Tue, Nov 28, 2023 at 4:56 PM Alexander Bokovoy <[email protected]>
> >> wrote:
> >>
> >>> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> >>> >ok but in my case i don't use AD, Windows authentication or replica etc,
> >>> >just the centralised authentication system all are redhat os installed
> >>> >servers.
> >>> >In this case also i need to create a base RID?
> >>>
> >>> Yes. You keep ignoring my references to previous discussions.
> >>>
> >>> You will not get it working without proper SIDs because we require PAC
> >>> presence to protect against Kerberos impersonation. This is not a
> >>> theoretical probability anymore since November 2022 Microsoft security
> >>> updates. The same attacks apply to all Kerberos environments and current
> >>> way of protecting against them is to utilize MS-PAC buffers with
> >>> appropriate signatures and checksums. PAC buffers require use of SIDs to
> >>> address objects and that is what we enforce now.
> >>>
> >>> If you still want to know details, I'd suggest to watch at least the two
> >>> talks we gave at SambaXP past few years:
> >>>
> >>> - "Kerberos" by Andrew Bartlett
> >>>   https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Kerberos.pdf
> >>>
> >>> - Samba AD / MIT Kerberos: path out of experimental by me and Andreas
> >>>   https://sambaxp.org/fileadmin/user_upload/sambaxp2023-Slides/Bokovoy_Schneider_sXP23_SambaAD_Kerberos.pdf
> >>>   https://youtu.be/0_cdYuIYw0o
> >>>
> >>> While these talk about Samba AD, the changes went to both Samba and
> >>> FreeIPA, as well as MIT Kerberos (and Microsoft's Active Directory too).
> >>>
> >>> So, look at the KCS I gave, understand how to add RID bases to your new
> >>> ID range and fix your problem through that.
> >>>
> >>> >
> >>> >On Tue, Nov 28, 2023 at 4:30 PM Alexander Bokovoy <[email protected]>
> >>> >wrote:
> >>> >
> >>> >> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> >>> >> >Alexander,
> >>> >> >
> >>> >> >Thanks for that document. Bit of that I did it but it didn't work, looks like
> >>> >> >I might have followed some wrong steps.
> >>> >> >
> >>> >> >My default id range mentioned below
> >>> >> >ipa idrange-find --all --raw
> >>> >> >----------------
> >>> >> >2 ranges matched
> >>> >> >----------------
> >>> >> >  dn: cn=REALM_id_range,cn=ranges,cn=etc,dc=$SUFFIX
> >>> >> >  cn: REALM_id_range
> >>> >> >  ipabaseid: 771000000
> >>> >> >  ipaidrangesize: 200000
> >>> >> >  ipabaserid: 1000
> >>> >> >  ipasecondarybaserid: 100000000
> >>> >> >  iparangetype: ipa-local
> >>> >> >  objectclass: top
> >>> >> >  objectclass: ipaIDrange
> >>> >> >  objectclass: ipaDomainIDRange
> >>> >> >
> >>> >> >  dn: cn=REALM_subid_range,cn=ranges,cn=etc,dc=SUFFIX
> >>> >> >  cn: REALM_subid_range
> >>> >> >  ipabaseid: 2147483648
> >>> >> >  ipaidrangesize: 2147352576
> >>> >> >  ipabaserid: 2147283648
> >>> >> >  ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364
> >>> >> >  iparangetype: ipa-ad-trust
> >>> >> >  objectclass: top
> >>> >> >  objectclass: ipaIDrange
> >>> >> >  objectclass: ipaTrustedADDomainRange
> >>> >> >
> >>> >> >##################################
> >>> >> >Manually created ID range
> >>> >> >
> >>> >> >[root@ipa-mum1 ~]# ipa idrange-find --all --raw
> >>> >> >----------------
> >>> >> >3 ranges matched
> >>> >> >----------------
> >>> >> >  dn: cn=REALM_id_new_range,cn=ranges,cn=etc,dc=SUFFIX
> >>> >> >  cn: REALM_id_new_range
> >>> >> >  ipabaseid: 1000
> >>> >> >  ipaidrangesize: 200000
> >>> >> >  iparangetype: ipa-local
> >>> >> >  objectclass: ipaIDrange
> >>> >> >  objectclass: ipadomainidrange
> >>> >>
> >>> >> You created a new ID range but this range has no RID bases. Therefore,
> >>> >> the range cannot be used for SID assignment.
> >>> >>
> >>> >> The KCS article has a section about RID bases and how to choose them,
> >>> >> please follow that.
> >>> >>
> >>> >> >
> >>> >> >Then I created the user name called test user, post it didn't create the expected
> >>> >> >user attribute
> >>> >> >
> >>> >> >root@ipa~]#ipa user-add testuser --first=Test --last=User --uid=5189 --gidnumber=4141 --password
> >>> >> >root@ipa ~]# ipa user-show testuser --all
> >>> >> >  dn: uid=testuser,cn=users,cn=accounts,dc=real
> >>> >> >  User login: testuser
> >>> >> >  First name: Test
> >>> >> >  Last name: User
> >>> >> >  Full name: Test User
> >>> >> >  Display name: Testuser
> >>> >> >  Initials: TU
> >>> >> >  Home directory: /home/testuser
> >>> >> >  GECOS: Test User
> >>> >> >  Login shell: /bin/bash
> >>> >> >  Principal name: [email protected]
> >>> >> >  Principal alias: [email protected]
> >>> >> >  User password expiration: 20231124144147Z
> >>> >> >  UID: 5189
> >>> >> >  GID: 4141
> >>> >> >  Account disabled: False
> >>> >> >  Preserved user: False
> >>> >> >  Password: True
> >>> >> >  Member of groups: ipausers
> >>> >> >  Kerberos keys available: True
> >>> >> >  ipauniqueid: 88e7da44-8ad7-11ee-b06e-a68c8b95f346
> >>> >> >  krbextradata: AAIrtmBlcm9vdC9hZG1pbkBBTFBIQS1HUkVQLkNPTQA=
> >>> >> >  krblastadminunlock: 20231124144147Z
> >>> >> >  krblastpwdchange: 20231124144147Z
> >>> >> >  krbloginfailedcount: 0
> >>> >> >  mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
> >>> >> >  objectclass: top, person, organizationalperson, inetorgperson, inetuser,
> >>> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
> >>> >> >ipaSshGroupOfPubKeys, mepOriginEntry
> >>> >> >
> >>> >> >The above method followed but after creating another id range manually, I
> >>> >> >don't know where I missed post creation of ranges, for somehow it didn't
> >>> >> >work. That's why I followed that generic method creating users and
> >>> >> >modifying it manually.
> >>> >> >Please suggest me.
> >>> >> >
> >>> >> >On Tue, Nov 28, 2023 at 2:56 PM Pradeep KNS <[email protected]>
> >>> >> >wrote:
> >>> >> >
> >>> >> >> Thanks will go through it.
> >>> >> >>
> >>> >> >> On Tue, Nov 28, 2023 at 2:54 PM Alexander Bokovoy <[email protected]>
> >>> >> >> wrote:
> >>> >> >>
> >>> >> >>> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> >>> >> >>> >Could you please help me with those threads here to regenerate sid’s.
> >>> >> >>>
> >>> >> >>> https://access.redhat.com/articles/7027037
> >>> >> >>>
> >>> >> >>> >
> >>> >> >>> >
> >>> >> >>> >On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy <[email protected]>
> >>> >> >>> >wrote:
> >>> >> >>> >
> >>> >> >>> >> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> >>> >> >>> >> >Yeah,
> >>> >> >>> >> >But my default id range starts with 770000 but all my existing
> >>> >> >>> >> >infrastructure uid's are within 4 digits like 4147,8921,9756 like this.
> >>> >> >>> >> >Here I am facing an issue.
> >>> >> >>> >> >
> >>> >> >>> >> >That's why I am creating users with default id range and then later I am
> >>> >> >>> >> >modifying it via uid's as per my infrastructure then ipantuserattrs created
> >>> >> >>> >> >and I am able to authenticate with password.
> >>> >> >>> >>
> >>> >> >>> >> This is wrong.
> >>> >> >>> >>
> >>> >> >>> >> >
> >>> >> >>> >> >Can you suggest to me that with this setup i can easily handle 350Users for
> >>> >> >>> >> >around 400 servers across different different locations with cache of
> >>> >> >>> >> >storing on ipa clients.
> >>> >> >>> >>
> >>> >> >>> >> As I already said in other threads, create additional ID range that
> >>> >> >>> >> covers your 4-digit IDs, then re-run SID generation to make sure those
> >>> >> >>> >> users get proper SIDs.
> >>> >> >>> >>
> >>> >> >>> >> This is covered in the KCS.
> >>> >> >>> >>
> >>> >> >>> >> >
> >>> >> >>> >> >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy <[email protected]>
> >>> >> >>> >> >wrote:
> >>> >> >>> >> >
> >>> >> >>> >> >> Please don't drop mailing list.
> >>> >> >>> >> >>
> >>> >> >>> >> >> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> >>> >> >>> >> >> >Hey Alexander,
> >>> >> >>> >> >> >
> >>> >> >>> >> >> >Thanks For the Reply.
> >>> >> >>> >> >> >
> >>> >> >>> >> >> >But in my case i have fixed it by recreating the user on Ipa web UI and
> >>> >> >>> >> >> >observing ipantuserattrs created password logins are working fine.
> >>> >> >>> >> >> >
> >>> >> >>> >> >> >But do I face any issues if I try to modify the base id range manually? as
> >>> >> >>> >> >> >per redhat docs which is not recommended to modify.
> >>> >> >>> >> >>
> >>> >> >>> >> >> If you have re-created your user and that new one works, it means
> >>> >> >>> >> >> underlying infrastructure works properly. Older user entries need to be
> >>> >> >>> >> >> fixed. Preferably through a new ID range, if those entries use IDs
> >>> >> >>> >> >> which are outside of the main ID range.
> >>> >> >>> >> >>
> >>> >> >>> >> >> >
> >>> >> >>> >> >> >Also on ipa 4.11 they support dedicated ssh key based
> >>> >> >>> >> >> >authentication. Of course now also it's working.
> >>> >> >>> >> >> >
> >>> >> >>> >> >> >My setup is that I have internal dns which is handled by a puppet and
> >>> >> >>> >> >> >slowly will move it to a dedicated internal dns server so that's why i
> >>> >> >>> >> >> >opted for ipa installation without dns.
> >>> >> >>> >> >> >
> >>> >> >>> >> >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <[email protected]>
> >>> >> >>> >> >> >wrote:
> >>> >> >>> >> >> >
> >>> >> >>> >> >> >> On Mon, 27 Nov 2023, Pradeep KNS via FreeIPA-users wrote:
> >>> >> >>> >> >> >> >Hi Rob,
> >>> >> >>> >> >> >> >Thank you for your email. I've identified the issue.
> >>> >> >>> >> >> >> >When attempting to create a user using the 'ipa user-add' command and
> >>> >> >>> >> >> >> >defining the UID and GID according to my specifications, the UID falls
> >>> >> >>> >> >> >> >within the 4-digit range, for instance, 4141. The
> >>> >> >>> >> >> >> >IPA IDs range during installation was set to 770000. Users created within
> >>> >> >>> >> >> >> >this range are accepted with their passwords. However, users created with
> >>> >> >>> >> >> >> >UIDs like 4141 or 4142 encounter issues.
> >>> >> >>> >> >> >> >
> >>> >> >>> >> >> >> >Looks like attributes were not getting created
> >>> >> >>> >> >> >> >
> >>> >> >>> >> >> >> >objectclass: top, person, organizationalperson, inetorgperson, inetuser,
> >>> >> >>> >> >> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
> >>> >> >>> >> >> >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
> >>> >> >>> >> >> >> >
> >>> >> >>> >> >> >> >If I mention uid and gid using ipa user-add command
> >>> >> >>> >> >> >> >ipantuserattrs is not getting created.
> >>> >> >>> >> >> >> >
> >>> >> >>> >> >> >> >I tried to modify default range but it didn't happen.
> >>> >> >>> >> >> >>
> >>> >> >>> >> >> >> See my answers in a parallel thread 'kinit fails on freeipa master: File
> >>> >> >>> >> >> >> or directory not found'.
> >>> >> >>> >> >> >>
> >>> >> >>> >> >> >> >
> >>> >> >>> >> >> >> >
> >>> >> >>> >> >> >> >
> >>> >> >>> >> >> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden <[email protected]>
> >>> >> >>> >> >> >> >wrote:
> >>> >> >>> >> >> >> >
> >>> >> >>> >> >> >> >> Pradeep KNS wrote:
> >>> >> >>> >> >> >> >> > Hi,
> >>> >> >>> >> >> >> >> > I have installed an ipa with internal dns. After installing updated
> >>> >> >>> >> >> >> >> > entries on dns as well.
> >>> >> >>> >> >> >> >> >
> >>> >> >>> >> >> >> >> > My main criteria is to communicate with ipa clients with ssh keybased
> >>> >> >>> >> >> >> >> > authentication which is working fine.
> >>> >> >>> >> >> >> >> >
> >>> >> >>> >> >> >> >> > Today I thought I want to test with password based authentication which
> >>> >> >>> >> >> >> >> > is not happening. I don't know where I am missing
> >>> >> >>> >> >> >> >> >
> >>> >> >>> >> >> >> >> >
> >>> >> >>> >> >> >> >> > [[email protected]]# ipa --version
> >>> >> >>> >> >> >> >> > VERSION: 4.10.1, API_VERSION: 2.251
> >>> >> >>> >> >> >> >> > [[email protected]]#
> >>> >> >>> >> >> >> >> >
> >>> >> >>> >> >> >> >> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
> >>> >> >>> >> >> >> >> >    * (2023-11-23 19:33:16): [krb5_child[11588]] [tgt_req_child] (0x1000): [RID#15] Password was expired
> >>> >> >>> >> >> >> >>
> >>> >> >>> >> >> >> >> The user's password is expired.
> >>> >> >>> >> >> >> >>
> >>> >> >>> >> >> >> >> IPA intends that only the end-user knows their password. So if it is set
> >>> >> >>> >> >> >> >> or reset by an administrator the user will need to change it.
> >>> >> >>> >> >> >> >>
> >>> >> >>> >> >> >> >> Is the user not prompted to reset it?
> >>> >> >>> >> >> >> >>
> >>> >> >>> >> >> >> >> rob
> >>> >> >>> >> >> >> >>
> >>> >> >>> >> >> >> >> >    * (2023-11-23 19:33:16): [krb5_child[11588]] [sss_krb5_responder] (0x4000): [RID#15] Got question [password].
> >>> >> >>> >> >> >> >> >    * (2023-11-23 19:33:16): [krb5_child[11588]] [map_krb5_error] (0x0020): [RID#15] 2138: [-1765328324][Generic error (see e-text)]
> >>> >> >>> >> >> >> >> > ********************** BACKTRACE DUMP ENDS HERE *********************************
> >>> >> >>> >> >> >> >> >
> >>> >> >>> >> >> >> >> > ssh log
> >>> >> >>> >> >> >> >> >
> >>> >> >>> >> >> >> >> > Nov 23 19:33:16 test-example.com sshd[11586]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.1.1 user=harsh
> >>> >> >>> >> >> >> >> > Nov 23 19:33:16 test-example.com sshd[11586]: pam_sss(sshd:auth): received for user harsh: 4 (System error)
> >>> >> >>> >> >> >> >> > Nov 23 19:33:18test-example.com sshd[11584]: error: PAM: Authentication failure for harsh from 10.10.1.1
> >>> >> >>> >> >> >> >> > Nov 23 19:33:20 test-example.com sshd[11584]: Connection closed by authenticating user harsh 10.10.1.1 port 47724 [preauth]
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
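The check described in the thread (a POSIX ID only gets a SID when an ipa-local range covers it and that range has a RID base), as an added example that is not part of the original messages or FreeIPA's own code. It assumes the RID is `ipabaserid + (id - ipabaseid)`, which matches the thread's `uidnumber: 5708` and SID ending in `-1708`; the function names and `REALM_legacy_range` are hypothetical, and the sample inputs are constructed from the output quoted above.

```python
import re

# Constructed input: the new server's range from the thread (trimmed) plus a
# hypothetical range without RID bases, like the one created by hand earlier.
IDRANGE_RAW = """\
2 ranges matched
----------------
  cn: REALM_id_range
  ipabaseid: 5000
  ipaidrangesize: 1995001
  ipabaserid: 1000
  ipasecondarybaserid: 100000000
  iparangetype: ipa-local

  cn: REALM_legacy_range
  ipabaseid: 1000
  ipaidrangesize: 3000
  iparangetype: ipa-local
"""

# Constructed input: four sidgen errors in the form quoted in the thread.
SIDGEN_LOG = """\
[30/Nov/2023:05:27:02.337803787 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4141] into an unused SID.
[30/Nov/2023:06:03:06.173948392 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4121] into an unused SID.
[30/Nov/2023:07:07:48.738323141 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into an unused SID.
[30/Nov/2023:08:10:33.205867886 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into an unused SID.
"""


def parse_idranges(raw):
    """Parse `ipa idrange-find --all --raw` text into one dict per range."""
    ranges, cur = [], {}
    for line in raw.splitlines() + [""]:
        key, sep, value = line.strip().partition(": ")
        if sep:
            cur[key.lower()] = value.strip()
        elif cur:  # a blank or ruler line ends the current entry
            ranges.append(cur)
            cur = {}
    return [r for r in ranges if "ipabaseid" in r]


def classify(posix_id, ranges):
    """Return (status, rid); rid is None when no SID can be derived."""
    for r in ranges:
        if r.get("iparangetype") != "ipa-local":
            continue
        base, size = int(r["ipabaseid"]), int(r["ipaidrangesize"])
        if base <= posix_id < base + size:
            if "ipabaserid" not in r:
                return ("range %s has no RID base" % r["cn"], None)
            # Assumed mapping; it matches uidnumber 5708 -> SID ...-1708.
            return ("ok", int(r["ipabaserid"]) + posix_id - base)
    return ("no ipa-local range covers this ID", None)


def failed_ids(log_text):
    """Unique POSIX IDs that sidgen reported it could not convert, sorted."""
    found = re.findall(r"Cannot convert Posix ID \[(\d+)\]", log_text)
    return sorted({int(n) for n in found})


def report(log_text, raw):
    """Map each failing POSIX ID from the log to the reason it has no SID."""
    ranges = parse_idranges(raw)
    return {i: classify(i, ranges) for i in failed_ids(log_text)}


if __name__ == "__main__":
    for posix_id, (status, rid) in report(SIDGEN_LOG, IDRANGE_RAW).items():
        print(posix_id, status, rid)
    for posix_id in (5708, 2000):
        print(posix_id, *classify(posix_id, parse_idranges(IDRANGE_RAW)))
```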
