Thanks Alexander,
Appreciate your help and things are working as expected.

On Fri, Dec 1, 2023 at 1:13 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Пят, 01 сне 2023, Pradeep KNS wrote:
>Hey Alexander,
>
>I have tried installing a new IPA server with my expected ranges on my new
>site and its working fine.Thanks for the document.
>
>I have observed a couple of errors. POSIX ID's 4248,4141,4121,4258..etc.
>all are my infra group id's.
>
>
>[30/Nov/2023:05:17:36.931522914 -0500] - ERR - sidgen_task_thread - [file
>ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>[30/Nov/2023:05:17:36.933841900 -0500] - ERR - sidgen_task_thread - [file
>ipa_sidgen_task.c, line 199]: Sidgen task finished [0].
>[30/Nov/2023:05:17:41.443256202 -0500] - ERR - schema-compat-plugin -
>warning: no entries set up under ou=sudoers,dc=alpha-grep,dc=com
>[30/Nov/2023:05:17:41.449472986 -0500] - ERR - schema-compat-plugin -
>warning: no entries set up under cn=ng, cn=compat,dc=alpha-grep,dc=com
>[30/Nov/2023:05:17:41.456705946 -0500] - ERR - schema-compat-plugin -
>warning: no entries set up under cn=computers,
>cn=compat,dc=alpha-grep,dc=com
>[30/Nov/2023:05:17:41.457666134 -0500] - ERR - schema-compat-plugin -
>Finished plugin initialization.
>[30/Nov/2023:05:27:02.337803787 -0500] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4141] into
>an unused SID.

4141 is below base ID for the only ID range that could be used (starting
with 5000). You need to add a range similar to your $REALM_id_range but
which covers all these POSIX UID/GIDs.

>[30/Nov/2023:05:27:02.338927487 -0500] - ERR - ipa_sidgen_add_post_op -
>[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
>[30/Nov/2023:06:03:06.173948392 -0500] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4121] into
>an unused SID.

Same here.

>[30/Nov/2023:06:03:06.174922473 -0500] - ERR - ipa_sidgen_add_post_op -
>[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
>[30/Nov/2023:06:22:36.616707461 -0500] - ERR - rid_to_sid_with_check -
>[file ipa_sidgen_common.c, line 384]: SID
>[S-1-5-21-3258431096-680571367-3483437258-16054] is already used.

This SID is already used by some other object.

>[30/Nov/2023:06:24:53.185373410 -0500] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4258] into
>an unused SID.

Same here -- 4258 is below 5000.

>[30/Nov/2023:06:24:53.186107898 -0500] - ERR - ipa_sidgen_add_post_op -
>[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
>[30/Nov/2023:07:07:48.738323141 -0500] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into
>an unused SID.

Same here.

>[30/Nov/2023:07:07:48.739492958 -0500] - ERR - ipa_sidgen_add_post_op -
>[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
>[30/Nov/2023:08:10:33.205867886 -0500] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into
>an unused SID.
>[30/Nov/2023:08:10:33.206759596 -0500] - ERR - ipa_sidgen_add_post_op -
>[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
>[30/Nov/2023:08:33:53.787156179 -0500] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into
>an unused SID.
>[30/Nov/2023:08:33:53.788186638 -0500] - ERR - ipa_sidgen_add_post_op -
>[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
>[root@ipa- ~]#
>
>
>[root@ipa-~]# ipa user-show test --all --raw
>  dn: uid=test,cn=users,cn=accounts,dc=$REAL
>  uid: test
>  givenname: test
>  sn: test
>  cn: test
>  initials: TE
>  homedirectory: /home/test
>  gecos: Test
>  loginshell: /bin/bash
>  krbcanonicalname: test@$REALM.COM
>  krbprincipalname: kpradeep@$REALM.COM
>  uidnumber: 5708
>  gidnumber: 4141
>  sshpubkeyfp:
>  nsaccountlock: FALSE
>  has_password: TRUE
>  has_keytab: TRUE
>  displayName: Test
>  ipaNTSecurityIdentifier: S-1-5-21-3258431096-680571367-3483437258-1708
>  ipaSshPubKey: <key>
>  ipaUniqueID: <id>
>  krbExtraData: <data>
>  krbLastAdminUnlock: 20231130174441Z
>  krbLastPwdChange: 20231130174540Z
>  krbLoginFailedCount: 0
>  krbPasswordExpiration: 20240228174540Z
>  krbTicketFlags: 128
>  memberof: cn=admin,cn=groups,cn=accounts,dc=$real
>  memberof: cn=ipausers,cn=groups,cn=accounts,dc=$real
>  memberofindirect:
>ipaUniqueID=8c81c2c6-8f6b-11ee-b685-a68c8b95f346,cn=sudorules,cn=sudo,dc=$real
>  mepManagedEntry: cn=test,cn=groups,cn=accounts,dc=$real
>  objectClass: top
>  objectClass: person
>  objectClass: organizationalperson
>  objectClass: inetorgperson
>  objectClass: inetuser
>  objectClass: posixaccount
>  objectClass: krbprincipalaux
>  objectClass: krbticketpolicyaux
>  objectClass: ipaobject
>  objectClass: ipasshuser
>  objectClass: ipaSshGroupOfPubKeys
>  objectClass: mepOriginEntry
>  objectClass: ipantuserattrs
>
>
>[root@ipa- ~]# ipa idrange-find --all --raw
>----------------
>2 ranges matched
>----------------
>  dn: cn=$REALM_id_range,cn=ranges,cn=etc,dc=$real
>  cn: $REALM_id_range
>  ipabaseid: 5000
>  ipaidrangesize: 1995001
>  ipabaserid: 1000
>  ipasecondarybaserid: 100000000
>  iparangetype: ipa-local
>  objectclass: top
>  objectclass: ipaIDrange
>  objectclass: ipaDomainIDRange
>
>  dn: cn=$REALM_subid_range,cn=ranges,cn=etc,dc=$realm
>  cn: $REALM_subid_range
>  ipabaseid: 2147483648
>  ipaidrangesize: 2147352576
>  ipabaserid: 2145488647
>  ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364
>  iparangetype: ipa-ad-trust
>  objectclass: top
>  objectclass: ipaIDrange
>  objectclass: ipaTrustedADDomainRange
>----------------------------
>Number of entries returned 2
>----------------------------
>[root@ipa ~]#
>
>On Tue, Nov 28, 2023 at 4:58 PM Pradeep KNS <kns.pradeep@alpha-grep.com>
>wrote:
>
>> Thanks a lot and I will Go through it.
>>
>> On Tue, Nov 28, 2023 at 4:56 PM Alexander Bokovoy <abokovoy@redhat.com>
>> wrote:
>>
>>> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
>>> >ok but in my case i don't use AD,Windows authentication or replica etc,
>>> >just the centralised authentication system all are redhat os installed
>>> >servers.
>>> >In this case also i need to create a base RID?
>>>
>>> Yes. You keep ignoring my references to previous discussions.
>>>
>>> You will not get it working without proper SIDs because we require PAC
>>> presence to protect against Kerberos impersonation. This is not a
>>> theoretical probability anymore since November 2022 Microsoft security
>>> updates. The same attacks apply to all Kerberos environments and current
>>> way of protecting against them is to utilize MS-PAC buffers with
>>> appropriate signatures and checksums. PAC buffers require use of SIDs to
>>> address objects and that is what we enforce now.
>>>
>>> If you still want to know details, I'd suggest to watch at least the two
>>> talks we gave at SambaXP past few years:
>>>
>>>   - "Kerberos" by Andrew Bartlett
>>>
>>> https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Kerberos.pdf
>>>
>>>   - Samba AD / MIT Kerberos: path out of experimental by me and Andreas
>>>
>>> https://sambaxp.org/fileadmin/user_upload/sambaxp2023-Slides/Bokovoy_Schneider_sXP23_SambaAD_Kerberos.pdf
>>>   https://youtu.be/0_cdYuIYw0o
>>>
>>> While these talk about Samba AD, the changes went to both Samba and
>>> FreeIPA, as well as MIT Kerberos (and Microsoft's Active Directory too).
>>>
>>> So, look at the KCS I gave, understand how to add RID bases to your new
>>> ID range and fix your problem through that.
>>>
>>> >
>>> >On Tue, Nov 28, 2023 at 4:30 PM Alexander Bokovoy <abokovoy@redhat.com>
>>> >wrote:
>>> >
>>> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
>>> >> >Alexander,
>>> >> >
>>> >> >Thanks for that document.Bit of that i did it but it dint worked looks
>>> >> like
>>> >> >i might followed some wrong steps.
>>> >> >
>>> >> >My default id range mentioned below
>>> >> >ipa idrange-find --all --raw
>>> >> >----------------
>>> >> >2 ranges matched
>>> >> >----------------
>>> >> >  dn: cn=REALM_id_range,cn=ranges,cn=etc,dc=$SUFFIX
>>> >> >  cn: REALM_id_range
>>> >> >  ipabaseid: 771000000
>>> >> >  ipaidrangesize: 200000
>>> >> >  ipabaserid: 1000
>>> >> >  ipasecondarybaserid: 100000000
>>> >> >  iparangetype: ipa-local
>>> >> >  objectclass: top
>>> >> >  objectclass: ipaIDrange
>>> >> >  objectclass: ipaDomainIDRange
>>> >> >
>>> >> >  dn: cn=REALM_subid_range,cn=ranges,cn=etc,dc=SUFFIX
>>> >> >  cn: REALM_subid_range
>>> >> >  ipabaseid: 2147483648
>>> >> >  ipaidrangesize: 2147352576
>>> >> >  ipabaserid: 2147283648
>>> >> >  ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364
>>> >> >  iparangetype: ipa-ad-trust
>>> >> >  objectclass: top
>>> >> >  objectclass: ipaIDrange
>>> >> >  objectclass: ipaTrustedADDomainRange
>>> >> >
>>> >> >##################################
>>> >> >Manually created ID range
>>> >> >
>>> >> >[root@ipa-mum1 ~]#  ipa idrange-find --all --raw
>>> >> >----------------
>>> >> >3 ranges matched
>>> >> >----------------
>>> >> >  dn: cn=REALM_id_new_range,cn=ranges,cn=etc,dc=SUFFIX
>>> >> >  cn: REALM_id_new_range
>>> >> >  ipabaseid: 1000
>>> >> >  ipaidrangesize: 200000
>>> >> >  iparangetype: ipa-local
>>> >> >  objectclass: ipaIDrange
>>> >> >  objectclass: ipadomainidrange
>>> >>
>>> >> You created a new ID range but this range has no RID bases. Therefore,
>>> >> the range cannot be used for SID assignment.
>>> >>
>>> >> The KCS article has a section about RID bases and how to choose them,
>>> >> please follow that.
>>> >>
>>> >> >
>>> >> >Then i created the user name called test user post it dint created
>>> >> expected
>>> >> >user attribute
>>> >> >
>>> >> >root@ipa~]#ipa user-add testuser --first=Test --last=User -uid=5189
>>> >> >--gidnumber=4141 --password
>>> >> >root@ipa ~]# ipa user-show  testuser --all
>>> >> >  dn: uid=testuser,cn=users,cn=accounts,dc=real
>>> >> >  User login: testuser
>>> >> >  First name: Test
>>> >> >  Last name: User
>>> >> >  Full name: Test User
>>> >> >  Display name: Testuser
>>> >> >  Initials: TU
>>> >> >  Home directory: /home/testuser
>>> >> >  GECOS: Test User
>>> >> >  Login shell: /bin/bash
>>> >> >  Principal name: testuser@REALM.COM
>>> >> >  Principal alias: testuser@REALM.COM
>>> >> >  User password expiration: 20231124144147Z
>>> >> >  UID: 5189
>>> >> >  GID: 4141
>>> >> >  Account disabled: False
>>> >> >  Preserved user: False
>>> >> >  Password: True
>>> >> >  Member of groups: ipausers
>>> >> >  Kerberos keys available: True
>>> >> >  ipauniqueid: 88e7da44-8ad7-11ee-b06e-a68c8b95f346
>>> >> >  krbextradata: AAIrtmBlcm9vdC9hZG1pbkBBTFBIQS1HUkVQLkNPTQA=
>>> >> >  krblastadminunlock: 20231124144147Z
>>> >> >  krblastpwdchange: 20231124144147Z
>>> >> >  krbloginfailedcount: 0
>>> >> >  mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
>>> >> >  objectclass: top, person, organizationalperson, inetorgperson,
>>> inetuser,
>>> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject,
>>> ipasshuser,
>>> >> >ipaSshGroupOfPubKeys, mepOriginEntry
>>> >> >
>>> >> >The above method followed but after creating another id range
>>> manually, I
>>> >> >don't know where I missed post creation of ranges, for somehow it
>>> didn't
>>> >> >work. That's why I followed that generic method creating users and
>>> >> >modifying it manually.
>>> >> >PLease suggest me.
>>> >> >
>>> >> >On Tue, Nov 28, 2023 at 2:56 PM Pradeep KNS <
>>> kns.pradeep@alpha-grep.com>
>>> >> >wrote:
>>> >> >
>>> >> >> Thanks will go through it.
>>> >> >>
>>> >> >> On Tue, Nov 28, 2023 at 2:54 PM Alexander Bokovoy <
>>> abokovoy@redhat.com>
>>> >> >> wrote:
>>> >> >>
>>> >> >>> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
>>> >> >>> >Could you please help me with those threads here to regenerate
>>> sid’s.
>>> >> >>>
>>> >> >>> https://access.redhat.com/articles/7027037
>>> >> >>>
>>> >> >>> >
>>> >> >>> >
>>> >> >>> >On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy <
>>> >> abokovoy@redhat.com>
>>> >> >>> >wrote:
>>> >> >>> >
>>> >> >>> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
>>> >> >>> >> >Yeah,
>>> >> >>> >> >But my default id range starts with 770000 but all my existing
>>> >> >>> >> >infrastructure uid's are within 4 digits like 4147,8921,9756
>>> like
>>> >> >>> this.
>>> >> >>> >> >Here I am facing an issue.
>>> >> >>> >> >
>>> >> >>> >> >That's why I am creating users with default id range and then
>>> >> later I
>>> >> >>> am
>>> >> >>> >> >modifying it via uid's as per my infrastructure then
>>> ipantuserattrs
>>> >> >>> >> created
>>> >> >>> >> >and I am able to authenticate with password.
>>> >> >>> >>
>>> >> >>> >> This is wrong.
>>> >> >>> >>
>>> >> >>> >> >
>>> >> >>> >> >Can you suggest to me that with this setup i can easily handle
>>> >> >>> 350Users
>>> >> >>> >> for
>>> >> >>> >> >around 400 servers across different different locations with
>>> cache
>>> >> of
>>> >> >>> >> >storing on ipa clients.
>>> >> >>> >>
>>> >> >>> >> As I already said in other threads, create additional ID range
>>> that
>>> >> >>> >> covers your 4-digit IDs, then re-run SID generation to make sure
>>> >> those
>>> >> >>> >> users get proper SIDs.
>>> >> >>> >>
>>> >> >>> >> This is covered in the KCS.
>>> >> >>> >>
>>> >> >>> >> >
>>> >> >>> >> >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy <
>>> >> >>> abokovoy@redhat.com>
>>> >> >>> >> >wrote:
>>> >> >>> >> >
>>> >> >>> >> >> Please don't drop mailing list.
>>> >> >>> >> >>
>>> >> >>> >> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
>>> >> >>> >> >> >Hey Alexander,
>>> >> >>> >> >> >
>>> >> >>> >> >> >Thanks For the Reply.
>>> >> >>> >> >> >
>>> >> >>> >> >> >But in my case i have fixed it by recreating the user on
>>> Ipa web
>>> >> >>> UI and
>>> >> >>> >> >> >observing ipantuserattrs created password logins are working
>>> >> fine.
>>> >> >>> >> >> >
>>> >> >>> >> >> >But do I face any issues if I try to modify the base id
>>> range
>>> >> >>> >> manually? as
>>> >> >>> >> >> >per redhat docs which is not recommended to modify.
>>> >> >>> >> >>
>>> >> >>> >> >> If you have re-created your user and that new one works, it
>>> means
>>> >> >>> >> >> underlying infrastructure works properly. Older user entries
>>> need
>>> >> >>> to be
>>> >> >>> >> >> fixed. Preferrably through a new ID range, if those entries
>>> use
>>> >> IDs
>>> >> >>> >> >> which are outside of the main ID range.
>>> >> >>> >> >>
>>> >> >>> >> >> >
>>> >> >>> >> >> >Also on ipa 4.11 they support dedicated ssh key based
>>> >> >>> >> >> >authentication.Ofcourse now also its working.
>>> >> >>> >> >> >
>>> >> >>> >> >> >My setup is that I have internal dns which is handled by a
>>> >> puppet
>>> >> >>> and
>>> >> >>> >> >> >slowly will move it to a dedicated internal dns server so
>>> that's
>>> >> >>> why i
>>> >> >>> >> >> >opted for  ipa installation without dns.
>>> >> >>> >> >> >
>>> >> >>> >> >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <
>>> >> >>> abokovoy@redhat.com
>>> >> >>> >> >
>>> >> >>> >> >> >wrote:
>>> >> >>> >> >> >
>>> >> >>> >> >> >> On Пан, 27 ліс 2023, Pradeep KNS via FreeIPA-users wrote:
>>> >> >>> >> >> >> >Hi Rob,
>>> >> >>> >> >> >> >Thank you for your email. I've identified the issue.
>>> >> >>> >> >> >> >When attempting to create a user using the 'ipa user-add'
>>> >> >>> command
>>> >> >>> >> and
>>> >> >>> >> >> >> >defining the UID and GID according to my specifications,
>>> the
>>> >> UID
>>> >> >>> >> falls
>>> >> >>> >> >> >> >within the 4-digit range, for instance, 4141. The
>>> >> >>> >> >> >> >IPA IDs range during installation was set to 770000.
>>> Users
>>> >> >>> created
>>> >> >>> >> >> within
>>> >> >>> >> >> >> >this range are accepted with their passwords. However,
>>> users
>>> >> >>> created
>>> >> >>> >> >> with
>>> >> >>> >> >> >> >UIDs like 4141 or 4142 encounter issues.
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >Looks like attributes, were not creating
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >objectclass: top, person, organizationalperson,
>>> >> inetorgperson,
>>> >> >>> >> >> inetuser,
>>> >> >>> >> >> >> >posixaccount, krbprincipalaux, krbticketpolicyaux,
>>> ipaobject,
>>> >> >>> >> >> ipasshuser,
>>> >> >>> >> >> >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >If i mention uid and gid using ipa user-add command
>>> >> >>> >> >> >> >ipantuserattrs is not getting create.
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >I tried to modify default range but it dint happened.
>>> >> >>> >> >> >>
>>> >> >>> >> >> >> See my answers in a parallel thread 'kinit fails on
>>> freeipa
>>> >> >>> master:
>>> >> >>> >> File
>>> >> >>> >> >> >> or directory not found'.
>>> >> >>> >> >> >>
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden <
>>> >> >>> rcritten@redhat.com
>>> >> >>> >> >
>>> >> >>> >> >> >> wrote:
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >> Pradeep KNS wrote:
>>> >> >>> >> >> >> >> > Hi,
>>> >> >>> >> >> >> >> > I have installed an ipa with internal dns.After
>>> >> installing
>>> >> >>> >> updated
>>> >> >>> >> >> >> >> > entries on dns as well.
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> > My main criteria is to communicate with ipa clients
>>> with
>>> >> ssh
>>> >> >>> >> >> keybased
>>> >> >>> >> >> >> >> > authentication which is working fine.
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> > Today i tot of i want to test with password based
>>> >> >>> authentication
>>> >> >>> >> >> which
>>> >> >>> >> >> >> >> > is not happening.I dont know where i am missing
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> > [root@example.com <mailto:root@example.com>]# ipa
>>> >> --version
>>> >> >>> >> >> >> >> > VERSION: 4.10.1, API_VERSION: 2.251
>>> >> >>> >> >> >> >> > [root@example.com <mailto:root@example.com>]#
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> > ********************** PREVIOUS MESSAGE WAS
>>> TRIGGERED BY
>>> >> THE
>>> >> >>> >> >> FOLLOWING
>>> >> >>> >> >> >> >> > BACKTRACE:
>>> >> >>> >> >> >> >> >    *  (2023-11-23 19:33:16): [krb5_child[11588]]
>>> >> >>> [tgt_req_child]
>>> >> >>> >> >> >> >> > (0x1000): [RID#15] Password was expired
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >> The user's password is expired.
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >> IPA intends that only the end-user knows their
>>> password. So
>>> >> >>> if it
>>> >> >>> >> is
>>> >> >>> >> >> set
>>> >> >>> >> >> >> >> or reset by an administrator the user will need to
>>> change
>>> >> it.
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >> Is the user not prompted to reset it?
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >> rob
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >> >    *  (2023-11-23 19:33:16): [krb5_child[11588]]
>>> >> >>> >> >> [sss_krb5_responder]
>>> >> >>> >> >> >> >> > (0x4000): [RID#15] Got question [password].
>>> >> >>> >> >> >> >> >    *  (2023-11-23 19:33:16): [krb5_child[11588]]
>>> >> >>> >> [map_krb5_error]
>>> >> >>> >> >> >> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error
>>> (see
>>> >> >>> >> e-text)]
>>> >> >>> >> >> >> >> > ********************** BACKTRACE DUMP ENDS HERE
>>> >> >>> >> >> >> >> > *********************************
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> > ssh log
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> > Nov 23 19:33:16 test-example.com <
>>> >> http://test-example.com>
>>> >> >>> >> >> >> sshd[11586]:
>>> >> >>> >> >> >> >> > pam_sss(sshd:auth): authentication failure; logname=
>>> >> uid=0
>>> >> >>> >> euid=0
>>> >> >>> >> >> >> >> > tty=ssh ruser= rhost=10.10.1.1 user=harsh
>>> >> >>> >> >> >> >> > Nov 23 19:33:16 test-example.com <
>>> >> http://test-example.com>
>>> >> >>> >> >> >> sshd[11586]:
>>> >> >>> >> >> >> >> > pam_sss(sshd:auth): received for user harsh: 4
>>> (System
>>> >> >>> error)
>>> >> >>> >> >> >> >> > Nov 23 19:33:18test-example.com <
>>> >> http://18test-example.com>
>>> >> >>> >> >> >> sshd[11584]:
>>> >> >>> >> >> >> >> > error: PAM: Authentication failure for harsh from
>>> >> 10.10.1.1
>>> >> >>> >> >> >> >> > Nov 23 19:33:20 test-example.com <
>>> >> http://test-example.com>
>>> >> >>> >> >> >> sshd[11584]:
>>> >> >>> >> >> >> >> > Connection closed by authenticating user harsh
>>> 10.10.1.1
>>> >> >>> port
>>> >> >>> >> 47724
>>> >> >>> >> >> >> >> > [preauth]
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >>
>>> >> >>> >> >> >>
>>> >> >>> >> >> >>
>>> >> >>> >> >> >>
>>> >> >>> >> >> >> --
>>> >> >>> >> >> >> / Alexander Bokovoy
>>> >> >>> >> >> >> Sr. Principal Software Engineer
>>> >> >>> >> >> >> Security / Identity Management Engineering
>>> >> >>> >> >> >> Red Hat Limited, Finland
>>> >> >>> >> >> >>
>>> >> >>> >> >> >>
>>> >> >>> >> >>
>>> >> >>> >> >>
>>> >> >>> >> >>
>>> >> >>> >> >>
>>> >> >>> >> >> --
>>> >> >>> >> >> / Alexander Bokovoy
>>> >> >>> >> >> Sr. Principal Software Engineer
>>> >> >>> >> >> Security / Identity Management Engineering
>>> >> >>> >> >> Red Hat Limited, Finland
>>> >> >>> >> >>
>>> >> >>> >> >>
>>> >> >>> >>
>>> >> >>> >>
>>> >> >>> >>
>>> >> >>> >>
>>> >> >>> >> --
>>> >> >>> >> / Alexander Bokovoy
>>> >> >>> >> Sr. Principal Software Engineer
>>> >> >>> >> Security / Identity Management Engineering
>>> >> >>> >> Red Hat Limited, Finland
>>> >> >>> >>
>>> >> >>> >>
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>> --
>>> >> >>> / Alexander Bokovoy
>>> >> >>> Sr. Principal Software Engineer
>>> >> >>> Security / Identity Management Engineering
>>> >> >>> Red Hat Limited, Finland
>>> >> >>>
>>> >> >>>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> / Alexander Bokovoy
>>> >> Sr. Principal Software Engineer
>>> >> Security / Identity Management Engineering
>>> >> Red Hat Limited, Finland
>>> >>
>>> >>
>>>
>>>
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>> Sr. Principal Software Engineer
>>> Security / Identity Management Engineering
>>> Red Hat Limited, Finland
>>>
>>>




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland