On 12/03/2021 19:53, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
> On 12/03/2021 16:36, Sumit Bose via FreeIPA-users wrote:
>> On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users
>>> Hi guys
>>> My IPA does not inject ipantsecurityidentifier (maybe more?) when
>>> '--uid' is
>>> Why is that and how to have or make IPA do 'ipantsecurityidentifier'
>>> - would
>>> anybody know?
>> the ipantsecurityidentifier is typically added automatically by a
>> plugin. But it needs an idrange which covers the UIDs and GIDs you want
>> to add manually. You can add one with
>> ipa idrange-add --type=ipa-local ......
>> There are some mandatory options which will let you specify the start
>> and size of the ranges for the POSIX IDs and the RID part of the SIDs.
> So, I failed to 'idrange-add' (I did not see '--type' is an argument
> available) and I removed (successful clean uninstall) whole deployment and
> installed anew with '--idstart' to match range of "old" IPA and now
> cannot "ssh"
> Mar 12 19:19:51 drunk sshd: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=b209
> Mar 12 19:19:51 drunk sshd: pam_sss(sshd:auth): received for user
> b209: 7 (Authentication failure)
> Samba clients can authenticate, IPA's UI also but not 'ssh', regardless
> if '--uid' is used for 'user-add' or not.
> Hmm, it is puzzling at best and a total mystery at worst
Details are important.
Can't ssh from what to what using what authentication type? Were all
Can you kinit as b209?
Just two masters between themselves, yes both un/re-installed.
Yes, I can get a ticket for the user (in root's interactive
shell) and can 'ssh' with that ticket, between the masters.
'ssh' with password does seem to be the problem.
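A small added example, not from this thread, of the idrange check Sumit describes: a manually chosen UID only gets an ipantsecurityidentifier when an ipa-local idrange covers it, and the RID part of the SID is derived from that range. The ranges, UIDs and domain SID placeholder below are constructed; the derivation RID = rid_base + (posix_id - base_id) is assumed to match the sidgen plugin's behaviour.

```python
# Added example: check which ipa-local idrange (if any) covers a POSIX ID
# and what RID the SID would carry. Values are constructed, not from a
# real deployment. The fields mirror what `ipa idrange-add` takes via
# --base-id, --range-size, --rid-base and --secondary-rid-base.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IdRange:
    name: str
    base_id: int            # first POSIX ID in the range
    range_size: int         # number of IDs in the range
    rid_base: int           # RID for base_id (users)
    secondary_rid_base: int  # RID base used for user-private groups
    type: str = "ipa-local"

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.range_size


# Constructed ranges, shaped like `ipa idrange-find` output
RANGES: List[IdRange] = [
    IdRange("EXAMPLE.TEST_id_range", 1_000_000_000, 200_000, 1000, 100_001_000),
    IdRange("legacy_uids", 5000, 5000, 300_000, 400_000),  # covers 5000..9999
]


def find_range(posix_id: int, ranges=RANGES) -> Optional[IdRange]:
    """Return the ipa-local range covering posix_id, or None."""
    for r in ranges:
        if r.type == "ipa-local" and r.covers(posix_id):
            return r
    return None


def expected_rid(posix_id: int, ranges=RANGES) -> Optional[int]:
    """Assumed derivation: RID = rid_base + (posix_id - base_id)."""
    r = find_range(posix_id, ranges)
    return None if r is None else r.rid_base + (posix_id - r.base_id)


def explain(posix_id: int, domain_sid="S-1-5-21-<DOMAIN-SID-PLACEHOLDER>", ranges=RANGES) -> str:
    rid = expected_rid(posix_id, ranges)
    if rid is None:
        return f"uid {posix_id}: no ipa-local idrange covers it; ipantsecurityidentifier stays unset"
    return f"uid {posix_id}: ipantsecurityidentifier={domain_sid}-{rid} via {find_range(posix_id, ranges).name}"


if __name__ == "__main__":
    for uid in (5209, 20000, 1_000_000_042):
        print(explain(uid))
```

A UID outside every range (20000 above) is exactly the case where user-add with --uid leaves ipantsecurityidentifier missing; adding a covering range with ipa idrange-add is the fix the thread points at.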