10 a.m.
Hi guys
My IPA does not inject ipantsecurityidentifier (maybe more?)
when '--uid' is used.
Why is that and how to have or make IPA do
'ipantsecurityidentifier' - would anybody know?
many thanks, L.
10:36 a.m.
New subject: ipantsecurityidentifier missing if users created with --uid
On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users wrote:
Hi guys
My IPA does not inject ipantsecurityidentifier (maybe more?) when '--uid' is
used.
Why is that and how to have or make IPA do 'ipantsecurityidentifier' - would
anybody know?
Hi,
the ipantsecurityidentifier is typically added automatically by a
plugin. But it needs an idrange which covers the UIDs and GIDs you want
to add manually. You can add one with
ipa idrange-add --type=ipa-local ......
There are some mandatory options which will let you specify the start
and size of the ranges for the POSIX IDs and the RID part of the SIDs.
HTH
bye,
Sumit
many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
1:41 p.m.
New subject: ipantsecurityidentifier missing if users created with --uid
On 12/03/2021 16:36, Sumit Bose via FreeIPA-users wrote:
On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users
wrote:
> Hi guys
>
> My IPA does not inject ipantsecurityidentifier (maybe more?) when '--uid' is
> used.
>
> Why is that and how to have or make IPA do 'ipantsecurityidentifier' - would
> anybody know?
Hi,
the ipantsecurityidentifier is typically added automatically by a
plugin. But it needs an idrange which covers the UIDs and GIDs you want
to add manually. You can add one with
ipa idrange-add --type=ipa-local ......
There are some mandatory options which will let you specify the start
and size of the ranges for the POSIX IDs and the RID part of the SIDs.
So, I failed
to 'idrange-add' (I did not see '--type' is an
argument available) and I removed(successful clean uinstall)
whole deployment and installed anew with '--idstart' to
match range of "old" IPA and now I cannot "ssh"
...
Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.0.0.7 user=b209
Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth):
received for user b209: 7 (Authentication failure)
Samba clients can authenticate, IPA's UI also but not 'ssh',
regardless if '--uid' is used for 'user-add' or not.
Hmm, it is puzzling at best and total mystery at worst
thanks, L
HTH
bye,
Sumit
> many thanks, L.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
1:53 p.m.
New subject: ipantsecurityidentifier missing if users created with --uid
lejeczek via FreeIPA-users wrote:
On 12/03/2021 16:36, Sumit Bose via FreeIPA-users wrote:
> On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users
> wrote:
>> Hi guys
>>
>> My IPA does not inject ipantsecurityidentifier (maybe more?) when
>> '--uid' is
>> used.
>>
>> Why is that and how to have or make IPA do 'ipantsecurityidentifier'
>> - would
>> anybody know?
> Hi,
>
> the ipantsecurityidentifier is typically added automatically by a
> plugin. But it needs an idrange which covers the UIDs and GIDs you want
> to add manually. You can add one with
>
> ipa idrange-add --type=ipa-local ......
>
> There are some mandatory options which will let you specify the start
> and size of the ranges for the POSIX IDs and the RID part of the SIDs.
So, I failed to 'idrange-add' (I did not see '--type' is an argument
available) and I removed(successful clean uinstall) whole deployment and
installed anew with '--idstart' to match range of "old" IPA and now I
cannot "ssh"
...
Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=b209
Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): received for user
b209: 7 (Authentication failure)
Samba clients can authenticate, IPA's UI also but not 'ssh', regardless
if '--uid' is used for 'user-add' or not.
Hmm, it is puzzling at best and total mystery at worst
Details are important.
Can't ssh from what to what using what authentication type? Were all
clients re-enrolled?
Can you kinit as b209?
rob
2:15 p.m.
New subject: ipantsecurityidentifier missing if users created with --uid
On 12/03/2021 19:53, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
>
> On 12/03/2021 16:36, Sumit Bose via FreeIPA-users wrote:
>> On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users
>> wrote:
>>> Hi guys
>>>
>>> My IPA does not inject ipantsecurityidentifier (maybe more?) when
>>> '--uid' is
>>> used.
>>>
>>> Why is that and how to have or make IPA do 'ipantsecurityidentifier'
>>> - would
>>> anybody know?
>> Hi,
>>
>> the ipantsecurityidentifier is typically added automatically by a
>> plugin. But it needs an idrange which covers the UIDs and GIDs you want
>> to add manually. You can add one with
>>
>> ipa idrange-add --type=ipa-local ......
>>
>> There are some mandatory options which will let you specify the start
>> and size of the ranges for the POSIX IDs and the RID part of the SIDs.
> So, I failed to 'idrange-add' (I did not see '--type' is an argument
> available) and I removed(successful clean uinstall) whole deployment and
> installed anew with '--idstart' to match range of "old" IPA and now
I
> cannot "ssh"
>
> ...
> Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=b209
> Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): received for user
> b209: 7 (Authentication failure)
>
> Samba clients can authenticate, IPA's UI also but not 'ssh', regardless
> if '--uid' is used for 'user-add' or not.
> Hmm, it is puzzling at best and total mystery at worst
Details are important.
Can't ssh from what to what using what authentication type? Were all
clients re-enrolled?
Can you kinit as b209?
rob
Apologies.
Just two masters between themselves, yes both un/re-installed.
Yes, I can get a ticket for the user (in root's interactive
shell) and can 'ssh' with that ticket, between the masters.
'ssh' with password does seem to be the problem.
regards, L
5:41 p.m.
New subject: ipantsecurityidentifier missing if users created with --uid
On 12/03/2021 19:53, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
>
> On 12/03/2021 16:36, Sumit Bose via FreeIPA-users wrote:
>> On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users
>> wrote:
>>> Hi guys
>>>
>>> My IPA does not inject ipantsecurityidentifier (maybe more?) when
>>> '--uid' is
>>> used.
>>>
>>> Why is that and how to have or make IPA do 'ipantsecurityidentifier'
>>> - would
>>> anybody know?
>> Hi,
>>
>> the ipantsecurityidentifier is typically added automatically by a
>> plugin. But it needs an idrange which covers the UIDs and GIDs you want
>> to add manually. You can add one with
>>
>> ???????? ipa idrange-add --type=ipa-local ......
>>
>> There are some mandatory options which will let you specify the start
>> and size of the ranges for the POSIX IDs and the RID part of the SIDs.
> So, I failed to 'idrange-add' (I did not see '--type' is an argument
> available) and I removed(successful clean uinstall) whole deployment and
> installed anew with '--idstart' to match range of "old" IPA and now
I
> cannot "ssh"
>
> ...
> Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=b209
> Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): received for user
> b209: 7 (Authentication failure)
>
> Samba clients can authenticate, IPA's UI also but not 'ssh', regardless
> if '--uid' is used for 'user-add' or not.
> Hmm, it is puzzling at best and total mystery at worst
Details are important.
Can't ssh from what to what using what authentication type? Were all
clients re-enrolled?
Can you kinit as b209?
rob
I cannot tell if it's relevant but I see in krb5_child.log:
...
(2021-03-12 23:24:35): [krb5_child[6104]] [get_and_save_tgt]
(0x0020): 1720: [-1765328361][Password has expired]
(2021-03-12 23:27:35): [krb5_child[6496]] [get_and_save_tgt]
(0x0020): 1720: [-1765328353][Decrypt integrity check failed]
(2021-03-12 23:27:35): [krb5_child[6496]] [map_krb5_error]
(0x0020): 1849: [-1765328353][Decrypt integrity check failed]
(2021-03-12 23:27:40): [krb5_child[6509]] [get_and_save_tgt]
(0x0020): 1720: [-1765328353][Decrypt integrity check failed]
(2021-03-12 23:27:40): [krb5_child[6509]] [map_krb5_error]
(0x0020): 1849: [-1765328353][Decrypt integrity check failed
...
also:
-> $ ipa user-show me --all
?? User password expiration: 20210312232815Z
which I reset with:
-> $ ipa user-mod me --password-expiration=20310312232428Z
but then when I re/set the password
-> $ ipa passwd me
-> $ ipa user-show me --all
?? User password expiration: 20210312233219Z <= gets reset?
But even with '20310312232428Z' showing I still cannot ssh.
In case 'sssd_implicit_files.log' may matter:
...
(2021-03-12 23:37:27): [be[implicit_files]]
[sbus_issue_request_done] (0x0040):
sssd.dataprovider.hostHandler: Error [1432158215]: DP target
is not configured
-> $ ipa pwpolicy-show
?? Group: global_policy
?? Max lifetime (days): 20000
?? Min lifetime (hours): 1
?? History size: 0
?? Character classes: 0
?? Min length: 8
?? Max failures: 6
?? Failure reset interval: 60
?? Lockout duration: 600
1134
days inactive
1134
days old
freeipa-users@lists.fedorahosted.org
5 comments
3 participants
participants (3)
-
lejeczek -
Rob Crittenden -
Sumit Bose