Uhm.. I had a similar problem recently (but not identical), and it smells like a missing SID problem.
You can try:
ipa user-show admin --all | grep -i ipantsecurityidentifier
You should see the SID for user admin. Now try the same with your account:
ipa user-show <yourusername> --all | grep -i ipantsecurityidentifier
If nothing appears, your user (and probably many others) is missing a SID. If this is the case you can try:
ipa config-mod --enable-sid --add-sids
HTH
Ciao, gc
On 31/01/2024 16:18, Steve Berg via FreeIPA-users wrote:
For a few weeks now I've been seeing a problem getting authenticated to my ipa domain. I can get command line and web UI stuff done by using the admin user but if I get a ticket using my account which is in the admins group I get the following on the web UI:
Your session has expired. Please log in again.
On the command line any ipa commands I've tried so far give me:
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
Getting a ticket as admin on command line lets me run ipa commands with no problem. I think I've got all pertinent certificates loaded up properly. Gonna try a reboot on one of the servers shortly. I have 4 servers on r different vlans, replication between seems to be working properly.
I think the problem is most of the user IDs we use on this domain are not in the ID range configured. We let the install choose a default range when we first set this up. Most of our users have a UID based on their EDIPI # which is a 32-bit ID assigned when a user first gets a DoD CAC. They're usually 10 digits long.
For instance the lowest EDIPI based UID we have currently is something like 1004201873 and the largest is 1658224121. (I made those but they're close to the actual UIDs.)
ipa idrange-find shows me this (did some masking of the info):

Range name: domain_id_range
First Posix ID of the range: 824xxx000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000

Range name: domain_subid_range
First Posix ID of the range: 214xxx3648
Number of IDs in the range: 214xxx2576
First RID of the corresponding RID range: 214xxx3648
Domain SID of the trusted domain: S-1-5-21-xxxxxx-83xx66-82xxx729
Range type: Active Directory domain range
Should I adjust the range that's already there or add a third that encompasses the likely range of numbers I'm gonna see in the future? I started to add a range with appropriate values but when it wanted the primary and secondary RID base values I was not sure how to figure that out or estimate.
--
//- Fixer of that which is broke -//
//- Home =sberg@mississippi.com -//
//- Sinners can repent, but stupid is forever. -//
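To see why --add-sids cannot help a user whose uidNumber lies outside the local ID range, here is an added example (not from this thread and not FreeIPA code) that parses idrange output of the shape quoted above and reports which uidNumbers no local range covers. The RID rule it applies (RID = base RID + uid - base Posix ID, secondary RID base for groups), the domain SID and every sample value are assumptions constructed for the example.

```python
# Constructed sample in the shape of the `ipa idrange-find` output quoted in the
# thread; the masked digits are replaced with made-up values.
IDRANGE_OUTPUT = """\
  Range name: domain_id_range
  First Posix ID of the range: 824000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
"""
# Constructed uidNumbers in the shape the poster describes (EDIPI-based, 10 digits),
# plus one admin-style uid that sits inside the range.
USERS = {"admin": 824000500, "sberg": 1004201873, "jdoe": 1658224121}
# Constructed placeholder; the thread masks the real domain SID.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"
FIELDS = {"First Posix ID of the range": "base_id",
          "Number of IDs in the range": "size",
          "First RID of the corresponding RID range": "base_rid",
          "First RID of the secondary RID range": "secondary_base_rid"}

def parse_idranges(text):
    """One dict per range from the key: value listing."""
    ranges = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Range name":
            ranges.append({"name": value})
        elif key in FIELDS:
            ranges[-1][FIELDS[key]] = int(value)
        elif key == "Range type":
            ranges[-1]["type"] = value
    return ranges

def sid_for_posix_id(posix_id, ranges, domain_sid=DOMAIN_SID, group=False):
    """Assumed sidgen rule: RID = base_rid + (posix_id - base_id), with the
    secondary RID base for groups. None when no local range covers the id,
    which is the case --add-sids cannot repair."""
    for r in ranges:
        if r.get("type") != "local domain range":
            continue  # trusted-AD ranges do not hand out local SIDs
        if r["base_id"] <= posix_id < r["base_id"] + r["size"]:
            base = r["secondary_base_rid"] if group else r["base_rid"]
            return f"{domain_sid}-{base + posix_id - r['base_id']}"
    return None

def users_without_sid(users, ranges):
    """Users whose uidNumber falls outside every local range."""
    return [n for n, uid in users.items() if sid_for_posix_id(uid, ranges) is None]
```

Run `users_without_sid(USERS, parse_idranges(IDRANGE_OUTPUT))` to get the names whose uidNumber would need a new or widened local range before a SID can be generated.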