I have a user in our FreeIPA domain, whose password according to the applied policy (displayed in the user properties UI ) should have expired ~ 2 months ago, but it never did, nor did it force the user to reset it. The below LDAP user attributes show old data and all in accordance with the password policy. The user is still able to authenticate to the applications using LDAP connection against the FreeIPA servers. The krblastsuccessfulauth gets updated every time the user logs in. I assume if I force-reset the user’s password, it will go back to normal. However, I’d like to understand how to explain such a bizarre behavior and avoid it in the future.
User password expiration: 20190305034410Z
LEGAL DISCLAIMER: M.C. Dean, Inc. and its subsidiaries considers this e-mail and any files transmitted with it to be protected, proprietary or privileged information intended solely for the use of the named recipient(s). Any disclosure of this material or the information contained herein, in whole or in part, to anyone outside of the intended recipient or affiliates is strictly prohibited. M. C. Dean, Inc. accepts no liability for the content of this e-mail or for the consequences of any actions taken on the basis of the information contained in it, unless that information is subsequently confirmed in writing. Employees of M.C. Dean, Inc. are instructed not to infringe on any rights of the recipient; any such communication violates company policy. If you are not the intended recipient, any disclosure, copying, distribution, or action taken or omitted in reliance on this information is strictly prohibited by M.C. Dean, Inc.; please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
We're seeing some strange gid assignment behavior. When I run ipa group-add
on one ipa client I get gids in the expected range for my domain (8000-10000).
But when it is run on one of our IPA servers we get numbers like 108500 or 58500.
ipa idrange-find reports what I would expect everywhere:
# ipa idrange-find
3 ranges matched
Range name: AD.NWRA.COM_id_range
First Posix ID of the range: 20000
Number of IDs in the range: 20000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-XXXX
Range type: Active Directory domain range
Range name: legacy
First Posix ID of the range: 1000
Number of IDs in the range: 100
First RID of the corresponding RID range: 10000
First RID of the secondary RID range: 100010000
Range type: local domain range
Range name: NWRA.COM_id_range
First Posix ID of the range: 8000
Number of IDs in the range: 2000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Number of entries returned 3
No idea what else to look at.
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
We execute a script after any server creation that uses the FreeIPA API for adding the sever to the proper Hostgroup. As we already have the HBAC rules created with the hostgroups, the teams that should access to the servers are allowed automatically.