[Freeipa-users] Re: ipantsecurityidentifier missing if users created with --uid

On 12/03/2021 16:36, Sumit Bose via FreeIPA-users wrote: > On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users > wrote: >> Hi guys >> >> My IPA does not inject ipantsecurityidentifier (maybe more?) when >> '--uid' is >> used. >> >> Why is that and how to have or make IPA do 'ipantsecurityidentifier' >> - would >> anybody know? > Hi, > > the ipantsecurityidentifier is typically added automatically by a > plugin. But it needs an idrange which covers the UIDs and GIDs you want > to add manually. You can add one with > >      ipa idrange-add --type=ipa-local ...... > > There are some mandatory options which will let you specify the start > and size of the ranges for the POSIX IDs and the RID part of the SIDs. So, I failed to 'idrange-add' (I did not see '--type' is an argument available) and I removed(successful clean uinstall) whole deployment and installed anew with '--idstart' to match range of "old" IPA and now I cannot "ssh" ... Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=b209 Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): received for user b209: 7 (Authentication failure) Samba clients can authenticate, IPA's UI also but not 'ssh', regardless if '--uid' is used for 'user-add' or not. Hmm, it is puzzling at best and total mystery at worst