lejeczek via FreeIPA-users wrote:
On 12/03/2021 16:36, Sumit Bose via FreeIPA-users wrote:
> On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users wrote:
>> Hi guys
>>
>> My IPA does not inject ipantsecurityidentifier (maybe more?) when
>> '--uid' is used.
>>
>> Why is that and how to have or make IPA do 'ipantsecurityidentifier' -
>> would anybody know?
> Hi,
>
> the ipantsecurityidentifier is typically added automatically by a
> plugin. But it needs an idrange which covers the UIDs and GIDs you want
> to add manually. You can add one with
>
> ipa idrange-add --type=ipa-local ......
>
> There are some mandatory options which will let you specify the start
> and size of the ranges for the POSIX IDs and the RID part of the SIDs.

So, I failed to 'idrange-add' (I did not see '--type' is an argument
available) and I removed (successful clean uninstall) whole deployment and
installed anew with '--idstart' to match range of "old" IPA and now I
cannot "ssh"
...
Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=b209
Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): received for user b209: 7 (Authentication failure)
Samba clients can authenticate, IPA's UI also but not 'ssh', regardless
if '--uid' is used for 'user-add' or not.
Hmm, it is puzzling at best and total mystery at worst.

Details are important.

Can't ssh from what to what using what authentication type? Were all
clients re-enrolled?

Can you kinit as b209?

rob
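
The coverage requirement described in the quoted reply above, as an added example that is not part of the thread or FreeIPA's own code: it checks whether a POSIX ID falls inside an ID range and derives the SID, assuming the RID is the range's RID base plus the ID's offset into the range. The range names, range values and domain SID are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int   # first POSIX UID/GID in the range
    size: int      # number of IDs the range holds
    base_rid: int  # RID assigned to base_id

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size


def find_range(ranges: List[IdRange], posix_id: int) -> Optional[IdRange]:
    """Return the first range containing posix_id, or None if uncovered."""
    return next((r for r in ranges if r.covers(posix_id)), None)


def derive_sid(domain_sid: str, ranges: List[IdRange], posix_id: int) -> Optional[str]:
    """Build a SID for posix_id; None means no range covers it, which is
    the case where no ipantsecurityidentifier can be generated."""
    r = find_range(ranges, posix_id)
    if r is None:
        return None
    rid = r.base_rid + (posix_id - r.base_id)  # assumed mapping, see lead-in
    return f"{domain_sid}-{rid}"


def ranges_overlap(a: IdRange, b: IdRange) -> bool:
    """A new range must not collide with an existing one, in IDs or RIDs."""
    ids = a.base_id < b.base_id + b.size and b.base_id < a.base_id + a.size
    rids = a.base_rid < b.base_rid + b.size and b.base_rid < a.base_rid + a.size
    return ids or rids


# Constructed sample data, not taken from the thread.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DEFAULT_RANGE = IdRange("EXAMPLE.TEST_id_range", 1_000_000, 200_000, 1_000)
LEGACY_RANGE = IdRange("EXAMPLE.TEST_legacy_range", 5_000, 1_000, 300_000)

if __name__ == "__main__":
    for uid in (1_000_005, 5_042):
        before = derive_sid(SAMPLE_DOMAIN_SID, [DEFAULT_RANGE], uid)
        after = derive_sid(SAMPLE_DOMAIN_SID, [DEFAULT_RANGE, LEGACY_RANGE], uid)
        print(f"uid={uid}: default range only -> {before}; with legacy range -> {after}")
```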