On 12/03/2021 19:53, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
>
> On 12/03/2021 16:36, Sumit Bose via FreeIPA-users wrote:
>> On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users
>> wrote:
>>> Hi guys
>>>
>>> My IPA does not inject ipantsecurityidentifier (maybe more?) when
>>> '--uid' is
>>> used.
>>>
>>> Why is that and how to have or make IPA do 'ipantsecurityidentifier'
>>> - would
>>> anybody know?
>> Hi,
>>
>> the ipantsecurityidentifier is typically added automatically by a
>> plugin. But it needs an idrange which covers the UIDs and GIDs you want
>> to add manually. You can add one with
>>
>> ipa idrange-add --type=ipa-local ......
>>
>> There are some mandatory options which will let you specify the start
>> and size of the ranges for the POSIX IDs and the RID part of the SIDs.
> So, I failed to 'idrange-add' (I did not see '--type' is an argument
> available) and I removed (successful clean uninstall) the whole deployment and
> installed anew with '--idstart' to match the range of the "old" IPA and now I
> cannot "ssh"
>
> ...
> Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=b209
> Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): received for user
> b209: 7 (Authentication failure)
>
> Samba clients can authenticate, IPA's UI also but not 'ssh', regardless
> if '--uid' is used for 'user-add' or not.
> Hmm, it is puzzling at best and a total mystery at worst.
Details are important.
Can't ssh from what to what using what authentication type? Were all
clients re-enrolled?
Can you kinit as b209?
rob
Apologies.
Just two masters between themselves, yes both un/re-installed.
Yes, I can get a ticket for the user (in root's interactive
shell) and can 'ssh' with that ticket, between the masters.
'ssh' with password does seem to be the problem.
regards, L
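Added example, not code from anyone in this thread: it models the rule Sumit describes above, that ipantsecurityidentifier is only generated when an ipa-local idrange covers the POSIX ID, so a manually chosen '--uid' can be checked before 'user-add'. The idrange values and domain SID are constructed, the RID formula rid_base + (id - base_id) is the sidgen plugin's behaviour as I understand it, and the range name "manual_range" is a placeholder.

```shell
# Constructed sample idrange values; on a real server take them from
# `ipa idrange-show <range name>` (fields quoted in the comments).
BASE_ID=1873400000      # "First Posix ID of the range"
RANGE_SIZE=200000       # "Number of IDs in the range"
RID_BASE=1000           # "First RID of the corresponding RID range"
DOM_SID="S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID

# covered ID -> succeeds if ID lies in [BASE_ID, BASE_ID + RANGE_SIZE)
covered() {
    [ "$1" -ge "$BASE_ID" ] && [ "$1" -lt $((BASE_ID + RANGE_SIZE)) ]
}

# sid_for_id ID -> prints the SID sidgen would assign (RID = RID_BASE + offset
# into the range), or "uncovered" when no SID would be generated at all.
sid_for_id() {
    if covered "$1"; then
        echo "${DOM_SID}-$((RID_BASE + $1 - BASE_ID))"
    else
        echo "uncovered"
    fi
}

# suggest_range ID -> prints an idrange-add command for a new ipa-local range
# starting at ID, with RID bases placed after the existing primary RID block.
# Assumption: the existing range's secondary RID base is not checked here.
suggest_range() {
    rid=$((RID_BASE + RANGE_SIZE))
    echo "ipa idrange-add manual_range --type=ipa-local --base-id=$1" \
         "--range-size=$RANGE_SIZE --rid-base=$rid --secondary-rid-base=$((rid + RANGE_SIZE))"
}

# Usage: check candidate UIDs before running `ipa user-add --uid=...`.
for posix_id in 1873400005 5000; do
    sid=$(sid_for_id "$posix_id")
    echo "ID $posix_id -> $sid"
    if [ "$sid" = "uncovered" ]; then
        suggest_range "$posix_id"
    fi
done
```

An ID reported as "uncovered" is exactly the case from the first message: the user is created, but no ipantsecurityidentifier appears until a covering range exists.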