On 19.06.24 10:32, Alexander Bokovoy via FreeIPA-users wrote:
On Срд, 19 чэр 2024, Ronald Wimmer via FreeIPA-users wrote:
On 17.06.24 19:53, Rob Crittenden wrote:
Ronald Wimmer wrote:
On 13.06.24 14:30, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 13.02.24 21:04, Ronald Wimmer via FreeIPA-users wrote:
> On 13.02.24 18:54, Christian Heimes via FreeIPA-users wrote:
>> On 13/02/2024 18.03, Ronald Wimmer via FreeIPA-users wrote:
>>> On 13.02.24 17:47, Rob Crittenden wrote:
>>>>
>>>> I don't think it's possible to speculate without knowing your process.
>>>>
>>>> This requires the cleartext password so assuming you create the staged
>>>> user then immediately activate them, that would be the time to do the
>>>> bind. Otherwise you have to store cleartext passwords and that is a
>>>> recipe for disaster.
>>>
>>> User is created by an external tool. User activation in IPA is done
>>> by a script on one of the IPA servers periodically. Sadly, the
>>> external tool cannot do an initial LDAP bind in order to create a
>>> user's krb LDAP attributes. I am looking for a simple way these
>>> properties are created.
>>>
>>> Sure I could say a user has to SSH somewhere but why can't that
>>> happen if a user tries to login to IPA's WebGUI and the krb
>>> properties are missing? Or is there another option for users to
>>> accomplish this?
>>
>> Because the IPA WebUI uses the Kerberos extension S4U2Proxy under the
>> hood. It allows the WebUI to talk to the LDAP server on behalf of the
>> user. This feature requires proper Kerberos credentials. See
>> https://www.freeipa.org/page/V4/Service_Constraint_Delegation
>>
>> I already mentioned the recommended option to achieve this a while
>> ago. You may have missed the piece of information in this very long
>> thread. IPA servers have a special /ipa/migration route (e.g.
>> https://ipa.demo1.freeipa.org/ipa/migration/) for password migration.
>> Under the hood the endpoint just does an LDAP bind with username and
>> password. You can ask your users to either log into a machine with
>> ssh or go to the migration page.
>
> I did indeed miss that vital information. It is more than sufficient
> for our needs.
>
> Thanks a lot guys.
> All scenarios that need to be working in our environment do actually
> work now.
Did something change on the IPA side? Newly created users cannot login to the WebGUI anymore. They get a "Your session has expired" error. Might have to do with this thread: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
You don't provide enough information to tell. Did you upgrade versions?
Per the link, do your users have SIDs?
I was asking in an unspecific way because I knew that you would have some sort of suspicion...
You were absolutely right. The user does not have a SID. Which information do you need in order to further investigate the problem?
There are a bunch of threads in freeipa-users that describe how to troubleshoot this.
I am aware of that. But in https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Alexander states "One issue we identified today together with Fedora infrastructure team is that staged users (created with 'ipa stageuser-add') will prevent sidgen plugin to generate entries." Is this already fixed? Yes? No? How can we possibly prevent this from happening again in the future?
This is already fixed upstream: https://pagure.io/freeipa/issue/9517
and it is released in RHEL 9.4/9.3.z/9.2.z/9.0.z and RHEL 8.10z/8.9z/8.8z/8.6z. Also fixed in Fedora 39-41.
If you have specific problems, make sure to provide concrete logs or talk to your support organization, if you have access to one.
The problem was that the external system specified UIDs/GIDs out of the range defined by IPA. We changed that to let IPA assign IDs dynamically upon activation. (If somebody is interested in the details, read about static vs. automatic assignment here: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/lin... )
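As an added illustration of the three things this thread ended up checking (this is not code from the FreeIPA project or from anyone in the thread): a small offline Python check that takes the attributes you would read with `ipa idrange-find` (ipaBaseID / ipaIDRangeSize) and `ipa user-show USER --all --raw`, and flags a user whose uidNumber/gidNumber fall outside every IPA-managed range, who has no SID (ipaNTSecurityIdentifier), or who has no Kerberos keys (krbPrincipalKey) because the initial bind via ssh or /ipa/migration never happened. The range numbers, SIDs and user entries are constructed sample data; the check itself does not talk to a server.

```python
"""Offline sanity check for freshly activated IPA users.

Added example; not code from the FreeIPA project or from anyone in this
thread. Inputs are constructed dicts of the attributes you would read with
`ipa idrange-find` (ipaBaseID / ipaIDRangeSize) and
`ipa user-show USER --all --raw`; nothing below talks to a server.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IDRange:
    """One ipaIDrange entry: IDs in [base_id, base_id + size)."""
    name: str
    base_id: int   # ipaBaseID
    size: int      # ipaIDRangeSize

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size


def range_for(posix_id: int, ranges: list) -> Optional[IDRange]:
    """Return the IPA range covering posix_id, or None if no range covers it."""
    for r in ranges:
        if r.contains(posix_id):
            return r
    return None


def check_user(entry: dict, ranges: list) -> list:
    """Return a list of problems found in a user entry (empty == looks fine).

    Three checks, matching what this thread ran into:
      1. uidNumber/gidNumber must fall inside an IPA-managed ID range,
         otherwise the sidgen plugin has no range to derive a SID from.
      2. ipaNTSecurityIdentifier (the SID) must be present; in the thread
         its absence showed up as a WebUI "Your session has expired" error.
      3. krbPrincipalKey must be present, i.e. the user has done the
         initial LDAP bind (ssh or /ipa/migration) that generates it.
    """
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        raw = entry.get(attr)
        if raw is None:
            problems.append(f"{attr} is missing")
            continue
        if range_for(int(raw), ranges) is None:
            problems.append(
                f"{attr}={raw} is outside every IPA ID range; "
                "sidgen will not assign a SID for it"
            )
    if not entry.get("ipaNTSecurityIdentifier"):
        problems.append("no SID (ipaNTSecurityIdentifier) on the entry")
    if not entry.get("krbPrincipalKey"):
        problems.append(
            "no Kerberos keys (krbPrincipalKey); user has not done the "
            "initial bind via ssh or /ipa/migration yet"
        )
    return problems


# --- constructed sample data (made up; not from any real deployment) ---
RANGES = [
    IDRange("IPA.TEST_id_range", base_id=1885600000, size=200000),
]

USERS = {
    # activated with IPA-assigned IDs and already bound once: fine
    "alice": {
        "uidNumber": "1885600005",
        "gidNumber": "1885600005",
        "ipaNTSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1005",
        "krbPrincipalKey": "<binary blob>",
    },
    # external tool forced static IDs below the range: no SID was generated
    "bob": {
        "uidNumber": "5001",
        "gidNumber": "5001",
        "krbPrincipalKey": "<binary blob>",
    },
    # IDs fine, but the user never logged in anywhere to trigger the bind
    "carol": {
        "uidNumber": "1885600042",
        "gidNumber": "1885600042",
        "ipaNTSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1042",
    },
}


def report(users: dict, ranges: list) -> dict:
    """Map each user name to its list of problems."""
    return {name: check_user(entry, ranges) for name, entry in users.items()}


if __name__ == "__main__":
    for name, problems in report(USERS, RANGES).items():
        print(f"{name}: {'OK' if not problems else 'PROBLEMS'}")
        for p in problems:
            print(f"  - {p}")
```

Running it on the sample data reports alice as fine, bob with two out-of-range IDs plus a missing SID (the situation described above, where the external tool picked static IDs), and carol with only the missing krbPrincipalKey, which the /ipa/migration bind fixes.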