Alexander,
Thanks for that document.Bit of that i did it but it dint worked looks like
i might followed some wrong steps.
My default id range mentioned below
ipa idrange-find --all --raw
----------------
2 ranges matched
----------------
dn: cn=REALM_id_range,cn=ranges,cn=etc,dc=$SUFFIX
cn: REALM_id_range
ipabaseid: 771000000
ipaidrangesize: 200000
ipabaserid: 1000
ipasecondarybaserid: 100000000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange
dn: cn=REALM_subid_range,cn=ranges,cn=etc,dc=SUFFIX
cn: REALM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364
iparangetype: ipa-ad-trust
objectclass: top
objectclass: ipaIDrange
objectclass: ipaTrustedADDomainRange
##################################
Manually created ID range
[root@ipa-mum1 ~]# ipa idrange-find --all --raw
----------------
3 ranges matched
----------------
dn: cn=REALM_id_new_range,cn=ranges,cn=etc,dc=SUFFIX
cn: REALM_id_new_range
ipabaseid: 1000
ipaidrangesize: 200000
iparangetype: ipa-local
objectclass: ipaIDrange
objectclass: ipadomainidrange
You created a new ID range but this range has no RID bases. Therefore,
the range cannot be used for SID assignment.
The KCS article has a section about RID bases and how to choose them,
please follow that.
Then i created the user name called test user post it dint created expected
user attribute
root@ipa~]#ipa user-add testuser --first=Test --last=User -uid=5189
--gidnumber=4141 --password
root@ipa ~]# ipa user-show testuser --all
dn: uid=testuser,cn=users,cn=accounts,dc=real
User login: testuser
First name: Test
Last name: User
Full name: Test User
Display name: Testuser
Initials: TU
Home directory: /home/testuser
GECOS: Test User
Login shell: /bin/bash
Principal name: testuser(a)REALM.COM
Principal alias: testuser(a)REALM.COM
User password expiration: 20231124144147Z
UID: 5189
GID: 4141
Account disabled: False
Preserved user: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
ipauniqueid: 88e7da44-8ad7-11ee-b06e-a68c8b95f346
krbextradata: AAIrtmBlcm9vdC9hZG1pbkBBTFBIQS1HUkVQLkNPTQA=
krblastadminunlock: 20231124144147Z
krblastpwdchange: 20231124144147Z
krbloginfailedcount: 0
mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
objectclass: top, person, organizationalperson, inetorgperson, inetuser,
posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
ipaSshGroupOfPubKeys, mepOriginEntry
The above method followed but after creating another id range manually, I
don't know where I missed post creation of ranges, for somehow it didn't
work. That's why I followed that generic method creating users and
modifying it manually.
PLease suggest me.
On Tue, Nov 28, 2023 at 2:56 PM Pradeep KNS <kns.pradeep(a)alpha-grep.com>
wrote:
> Thanks will go through it.
>
> On Tue, Nov 28, 2023 at 2:54 PM Alexander Bokovoy <abokovoy(a)redhat.com>
> wrote:
>
>> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
>> >Could you please help me with those threads here to regenerate sid’s.
>>
>>
https://access.redhat.com/articles/7027037
>>
>> >
>> >
>> >On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy
<abokovoy(a)redhat.com>
>> >wrote:
>> >
>> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
>> >> >Yeah,
>> >> >But my default id range starts with 770000 but all my existing
>> >> >infrastructure uid's are within 4 digits like 4147,8921,9756
like
>> this.
>> >> >Here I am facing an issue.
>> >> >
>> >> >That's why I am creating users with default id range and then
later I
>> am
>> >> >modifying it via uid's as per my infrastructure then
ipantuserattrs
>> >> created
>> >> >and I am able to authenticate with password.
>> >>
>> >> This is wrong.
>> >>
>> >> >
>> >> >Can you suggest to me that with this setup i can easily handle
>> 350Users
>> >> for
>> >> >around 400 servers across different different locations with cache
of
>> >> >storing on ipa clients.
>> >>
>> >> As I already said in other threads, create additional ID range that
>> >> covers your 4-digit IDs, then re-run SID generation to make sure those
>> >> users get proper SIDs.
>> >>
>> >> This is covered in the KCS.
>> >>
>> >> >
>> >> >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy <
>> abokovoy(a)redhat.com>
>> >> >wrote:
>> >> >
>> >> >> Please don't drop mailing list.
>> >> >>
>> >> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote:
>> >> >> >Hey Alexander,
>> >> >> >
>> >> >> >Thanks For the Reply.
>> >> >> >
>> >> >> >But in my case i have fixed it by recreating the user on
Ipa web
>> UI and
>> >> >> >observing ipantuserattrs created password logins are
working fine.
>> >> >> >
>> >> >> >But do I face any issues if I try to modify the base id
range
>> >> manually? as
>> >> >> >per redhat docs which is not recommended to modify.
>> >> >>
>> >> >> If you have re-created your user and that new one works, it
means
>> >> >> underlying infrastructure works properly. Older user entries
need
>> to be
>> >> >> fixed. Preferrably through a new ID range, if those entries use
IDs
>> >> >> which are outside of the main ID range.
>> >> >>
>> >> >> >
>> >> >> >Also on ipa 4.11 they support dedicated ssh key based
>> >> >> >authentication.Ofcourse now also its working.
>> >> >> >
>> >> >> >My setup is that I have internal dns which is handled by a
puppet
>> and
>> >> >> >slowly will move it to a dedicated internal dns server so
that's
>> why i
>> >> >> >opted for ipa installation without dns.
>> >> >> >
>> >> >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <
>> abokovoy(a)redhat.com
>> >> >
>> >> >> >wrote:
>> >> >> >
>> >> >> >> On Пан, 27 ліс 2023, Pradeep KNS via FreeIPA-users
wrote:
>> >> >> >> >Hi Rob,
>> >> >> >> >Thank you for your email. I've identified the
issue.
>> >> >> >> >When attempting to create a user using the
'ipa user-add'
>> command
>> >> and
>> >> >> >> >defining the UID and GID according to my
specifications, the UID
>> >> falls
>> >> >> >> >within the 4-digit range, for instance, 4141. The
>> >> >> >> >IPA IDs range during installation was set to
770000. Users
>> created
>> >> >> within
>> >> >> >> >this range are accepted with their passwords.
However, users
>> created
>> >> >> with
>> >> >> >> >UIDs like 4141 or 4142 encounter issues.
>> >> >> >> >
>> >> >> >> >Looks like attributes, were not creating
>> >> >> >> >
>> >> >> >> >objectclass: top, person, organizationalperson,
inetorgperson,
>> >> >> inetuser,
>> >> >> >> >posixaccount, krbprincipalaux, krbticketpolicyaux,
ipaobject,
>> >> >> ipasshuser,
>> >> >> >> >ipaSshGroupOfPubKeys, mepOriginEntry,
ipantuserattrs
>> >> >> >> >
>> >> >> >> >If i mention uid and gid using ipa user-add
command
>> >> >> >> >ipantuserattrs is not getting create.
>> >> >> >> >
>> >> >> >> >I tried to modify default range but it dint
happened.
>> >> >> >>
>> >> >> >> See my answers in a parallel thread 'kinit fails
on freeipa
>> master:
>> >> File
>> >> >> >> or directory not found'.
>> >> >> >>
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden
<
>> rcritten(a)redhat.com
>> >> >
>> >> >> >> wrote:
>> >> >> >> >
>> >> >> >> >> Pradeep KNS wrote:
>> >> >> >> >> > Hi,
>> >> >> >> >> > I have installed an ipa with internal
dns.After installing
>> >> updated
>> >> >> >> >> > entries on dns as well.
>> >> >> >> >> >
>> >> >> >> >> > My main criteria is to communicate with
ipa clients with ssh
>> >> >> keybased
>> >> >> >> >> > authentication which is working fine.
>> >> >> >> >> >
>> >> >> >> >> > Today i tot of i want to test with
password based
>> authentication
>> >> >> which
>> >> >> >> >> > is not happening.I dont know where i am
missing
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> > [root(a)example.com
<mailto:root@example.com>]# ipa --version
>> >> >> >> >> > VERSION: 4.10.1, API_VERSION: 2.251
>> >> >> >> >> > [root(a)example.com
<mailto:root@example.com>]#
>> >> >> >> >> >
>> >> >> >> >> > ********************** PREVIOUS MESSAGE
WAS TRIGGERED BY THE
>> >> >> FOLLOWING
>> >> >> >> >> > BACKTRACE:
>> >> >> >> >> > * (2023-11-23 19:33:16):
[krb5_child[11588]]
>> [tgt_req_child]
>> >> >> >> >> > (0x1000): [RID#15] Password was expired
>> >> >> >> >>
>> >> >> >> >> The user's password is expired.
>> >> >> >> >>
>> >> >> >> >> IPA intends that only the end-user knows
their password. So
>> if it
>> >> is
>> >> >> set
>> >> >> >> >> or reset by an administrator the user will
need to change it.
>> >> >> >> >>
>> >> >> >> >> Is the user not prompted to reset it?
>> >> >> >> >>
>> >> >> >> >> rob
>> >> >> >> >>
>> >> >> >> >> > * (2023-11-23 19:33:16):
[krb5_child[11588]]
>> >> >> [sss_krb5_responder]
>> >> >> >> >> > (0x4000): [RID#15] Got question
[password].
>> >> >> >> >> > * (2023-11-23 19:33:16):
[krb5_child[11588]]
>> >> [map_krb5_error]
>> >> >> >> >> > (0x0020): [RID#15] 2138:
[-1765328324][Generic error (see
>> >> e-text)]
>> >> >> >> >> > ********************** BACKTRACE DUMP
ENDS HERE
>> >> >> >> >> > *********************************
>> >> >> >> >> >
>> >> >> >> >> > ssh log
>> >> >> >> >> >
>> >> >> >> >> > Nov 23 19:33:16
test-example.com
<
http://test-example.com>
>> >> >> >> sshd[11586]:
>> >> >> >> >> > pam_sss(sshd:auth): authentication
failure; logname= uid=0
>> >> euid=0
>> >> >> >> >> > tty=ssh ruser= rhost=10.10.1.1
user=harsh
>> >> >> >> >> > Nov 23 19:33:16
test-example.com
<
http://test-example.com>
>> >> >> >> sshd[11586]:
>> >> >> >> >> > pam_sss(sshd:auth): received for user
harsh: 4 (System
>> error)
>> >> >> >> >> > Nov 23
19:33:18test-example.com
<
http://18test-example.com>
>> >> >> >> sshd[11584]:
>> >> >> >> >> > error: PAM: Authentication failure for
harsh from 10.10.1.1
>> >> >> >> >> > Nov 23 19:33:20
test-example.com
<
http://test-example.com>
>> >> >> >> sshd[11584]:
>> >> >> >> >> > Connection closed by authenticating user
harsh 10.10.1.1
>> port
>> >> 47724
>> >> >> >> >> > [preauth]
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >> --
>> >> >> >> / Alexander Bokovoy
>> >> >> >> Sr. Principal Software Engineer
>> >> >> >> Security / Identity Management Engineering
>> >> >> >> Red Hat Limited, Finland
>> >> >> >>
>> >> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> / Alexander Bokovoy
>> >> >> Sr. Principal Software Engineer
>> >> >> Security / Identity Management Engineering
>> >> >> Red Hat Limited, Finland
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> / Alexander Bokovoy
>> >> Sr. Principal Software Engineer
>> >> Security / Identity Management Engineering
>> >> Red Hat Limited, Finland
>> >>
>> >>
>>
>>
>>
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
>>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland