Yeah,
But my default id range starts with 770000 but all my existing
infrastructure uid's are within 4 digits like 4147,8921,9756 like this.
Here I am facing an issue.
That's why I am creating users with default id range and then later I am
modifying it via uid's as per my infrastructure then ipantuserattrs created
and I am able to authenticate with password.
Can you suggest to me that with this setup i can easily handle 350Users for
around 400 servers across different different locations with cache of
storing on ipa clients.
As I already said in other threads, create additional ID range that
covers your 4-digit IDs, then re-run SID generation to make sure those
users get proper SIDs.
This is covered in the KCS.
On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
> Please don't drop mailing list.
>
> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
> >Hey Alexander,
> >
> >Thanks For the Reply.
> >
> >But in my case i have fixed it by recreating the user on Ipa web UI and
> >observing ipantuserattrs created password logins are working fine.
> >
> >But do I face any issues if I try to modify the base id range manually? as
> >per redhat docs which is not recommended to modify.
>
> If you have re-created your user and that new one works, it means
> underlying infrastructure works properly. Older user entries need to be
> fixed. Preferrably through a new ID range, if those entries use IDs
> which are outside of the main ID range.
>
> >
> >Also on ipa 4.11 they support dedicated ssh key based
> >authentication.Ofcourse now also its working.
> >
> >My setup is that I have internal dns which is handled by a puppet and
> >slowly will move it to a dedicated internal dns server so that's why i
> >opted for ipa installation without dns.
> >
> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <abokovoy(a)redhat.com>
> >wrote:
> >
> >> On Пан, 27 ліс 2023, Pradeep KNS via FreeIPA-users wrote:
> >> >Hi Rob,
> >> >Thank you for your email. I've identified the issue.
> >> >When attempting to create a user using the 'ipa user-add'
command and
> >> >defining the UID and GID according to my specifications, the UID falls
> >> >within the 4-digit range, for instance, 4141. The
> >> >IPA IDs range during installation was set to 770000. Users created
> within
> >> >this range are accepted with their passwords. However, users created
> with
> >> >UIDs like 4141 or 4142 encounter issues.
> >> >
> >> >Looks like attributes, were not creating
> >> >
> >> >objectclass: top, person, organizationalperson, inetorgperson,
> inetuser,
> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject,
> ipasshuser,
> >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
> >> >
> >> >If i mention uid and gid using ipa user-add command
> >> >ipantuserattrs is not getting create.
> >> >
> >> >I tried to modify default range but it dint happened.
> >>
> >> See my answers in a parallel thread 'kinit fails on freeipa master:
File
> >> or directory not found'.
> >>
> >> >
> >> >
> >> >
> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden
<rcritten(a)redhat.com>
> >> wrote:
> >> >
> >> >> Pradeep KNS wrote:
> >> >> > Hi,
> >> >> > I have installed an ipa with internal dns.After installing
updated
> >> >> > entries on dns as well.
> >> >> >
> >> >> > My main criteria is to communicate with ipa clients with ssh
> keybased
> >> >> > authentication which is working fine.
> >> >> >
> >> >> > Today i tot of i want to test with password based
authentication
> which
> >> >> > is not happening.I dont know where i am missing
> >> >> >
> >> >> >
> >> >> > [root(a)example.com <mailto:root@example.com>]# ipa
--version
> >> >> > VERSION: 4.10.1, API_VERSION: 2.251
> >> >> > [root(a)example.com <mailto:root@example.com>]#
> >> >> >
> >> >> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE
> FOLLOWING
> >> >> > BACKTRACE:
> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]]
[tgt_req_child]
> >> >> > (0x1000): [RID#15] Password was expired
> >> >>
> >> >> The user's password is expired.
> >> >>
> >> >> IPA intends that only the end-user knows their password. So if it
is
> set
> >> >> or reset by an administrator the user will need to change it.
> >> >>
> >> >> Is the user not prompted to reset it?
> >> >>
> >> >> rob
> >> >>
> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]]
> [sss_krb5_responder]
> >> >> > (0x4000): [RID#15] Got question [password].
> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]]
[map_krb5_error]
> >> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see
e-text)]
> >> >> > ********************** BACKTRACE DUMP ENDS HERE
> >> >> > *********************************
> >> >> >
> >> >> > ssh log
> >> >> >
> >> >> > Nov 23 19:33:16
test-example.com
<
http://test-example.com>
> >> sshd[11586]:
> >> >> > pam_sss(sshd:auth): authentication failure; logname= uid=0
euid=0
> >> >> > tty=ssh ruser= rhost=10.10.1.1 user=harsh
> >> >> > Nov 23 19:33:16
test-example.com
<
http://test-example.com>
> >> sshd[11586]:
> >> >> > pam_sss(sshd:auth): received for user harsh: 4 (System error)
> >> >> > Nov 23
19:33:18test-example.com
<
http://18test-example.com>
> >> sshd[11584]:
> >> >> > error: PAM: Authentication failure for harsh from 10.10.1.1
> >> >> > Nov 23 19:33:20
test-example.com
<
http://test-example.com>
> >> sshd[11584]:
> >> >> > Connection closed by authenticating user harsh 10.10.1.1 port
47724
> >> >> > [preauth]
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
> >>
>
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland