Alexander,
Thanks for that document. I did a bit of it but it didn't work; it looks like I might have followed some wrong steps.
My default ID ranges are shown below:
ipa idrange-find --all --raw
----------------
2 ranges matched
----------------
dn: cn=REALM_id_range,cn=ranges,cn=etc,dc=$SUFFIX
cn: REALM_id_range
ipabaseid: 771000000
ipaidrangesize: 200000
ipabaserid: 1000
ipasecondarybaserid: 100000000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange
dn: cn=REALM_subid_range,cn=ranges,cn=etc,dc=SUFFIX
cn: REALM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364
iparangetype: ipa-ad-trust
objectclass: top
objectclass: ipaIDrange
objectclass: ipaTrustedADDomainRange
##################################
Manually created ID range
[root@ipa-mum1 ~]# ipa idrange-find --all --raw
----------------
3 ranges matched
----------------
dn: cn=REALM_id_new_range,cn=ranges,cn=etc,dc=SUFFIX
cn: REALM_id_new_range
ipabaseid: 1000
ipaidrangesize: 200000
iparangetype: ipa-local
objectclass: ipaIDrange
objectclass: ipadomainidrange
Then I created a user called testuser, but it didn't create the expected user attribute:
[root@ipa ~]# ipa user-add testuser --first=Test --last=User --uid=5189 --gidnumber=4141 --password
[root@ipa ~]# ipa user-show testuser --all
dn: uid=testuser,cn=users,cn=accounts,dc=real
User login: testuser
First name: Test
Last name: User
Full name: Test User
Display name: Testuser
Initials: TU
Home directory: /home/testuser
GECOS: Test User
Login shell: /bin/bash
Principal name: testuser(a)REALM.COM
Principal alias: testuser(a)REALM.COM
User password expiration: 20231124144147Z
UID: 5189
GID: 4141
Account disabled: False
Preserved user: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
ipauniqueid: 88e7da44-8ad7-11ee-b06e-a68c8b95f346
krbextradata: AAIrtmBlcm9vdC9hZG1pbkBBTFBIQS1HUkVQLkNPTQA=
krblastadminunlock: 20231124144147Z
krblastpwdchange: 20231124144147Z
krbloginfailedcount: 0
mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
objectclass: top, person, organizationalperson, inetorgperson, inetuser,
posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
ipaSshGroupOfPubKeys, mepOriginEntry
I followed the above method, but after creating another ID range manually I don't know where I went wrong after the creation of the ranges; somehow it didn't work. That's why I followed the generic method of creating users and modifying them manually.
Please suggest.
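As an added example (not code from this thread or from FreeIPA itself), a small Python check for the situation Alexander describes: given the raw `ipa idrange-find` output, it reports which range covers a POSIX ID and whether that range carries the RID bases SID generation needs. The sample ranges are constructed from those pasted above; the SID formula is an assumption about how sidgen derives RIDs, not something the thread states.

```python
# Added example, not code from the thread: from the --raw output of
# `ipa idrange-find`, find the range covering a POSIX ID and whether it can give
# the entry a SID. Assumption not stated on the page: sidgen computes a user SID
# as <domain SID>-<ipabaserid + (id - ipabaseid)> from the covering ipa-local
# range, so a local range without RID bases yields no SID and no ipantuserattrs.
# SAMPLE_RANGES is constructed from the ranges pasted above, objectclass lines omitted.
DOMAIN_SID = "S-1-5-21-738065-838566-1448868364"  # domain SID shown in the thread
SAMPLE_RANGES = """\
dn: cn=REALM_id_range,cn=ranges,cn=etc,dc=example,dc=com
cn: REALM_id_range
ipabaseid: 771000000
ipaidrangesize: 200000
ipabaserid: 1000
ipasecondarybaserid: 100000000
iparangetype: ipa-local
dn: cn=REALM_id_new_range,cn=ranges,cn=etc,dc=example,dc=com
cn: REALM_id_new_range
ipabaseid: 1000
ipaidrangesize: 200000
iparangetype: ipa-local
"""

def parse_ranges(raw):
    """One dict per 'dn:' block; a repeated key (e.g. objectclass) keeps its first value."""
    ranges, cur = [], None
    for line in raw.splitlines():
        if line.startswith("dn:"):
            cur = {}
            ranges.append(cur)
        elif cur is not None and ": " in line:
            key, _, val = line.partition(": ")
            cur.setdefault(key.strip().lower(), val.strip())
    return ranges

def covering_range(ranges, posix_id):
    for r in ranges:  # a range covers [ipabaseid, ipabaseid + ipaidrangesize)
        base, size = int(r["ipabaseid"]), int(r["ipaidrangesize"])
        if base <= posix_id < base + size:
            return r
    return None

def sid_check(ranges, posix_id, domain_sid=DOMAIN_SID):
    """Return (range cn, problem, expected user SID); problem is None if a SID is possible."""
    r = covering_range(ranges, posix_id)
    if r is None or r.get("iparangetype") != "ipa-local":
        return (r or {}).get("cn"), "no ipa-local range covers this ID", None
    if "ipabaserid" not in r or "ipasecondarybaserid" not in r:
        return r["cn"], "local range has no RID bases, sidgen cannot assign a SID", None
    rid = int(r["ipabaserid"]) + (posix_id - int(r["ipabaseid"]))
    return r["cn"], None, f"{domain_sid}-{rid}"
```

Run `sid_check(parse_ranges(SAMPLE_RANGES), 5189)` to see that the manually added range covers UID 5189 but lacks ipabaserid/ipasecondarybaserid, while an ID inside the installer's default range resolves to a SID.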
On Tue, Nov 28, 2023 at 2:56 PM Pradeep KNS <kns.pradeep(a)alpha-grep.com> wrote:
Thanks, will go through it.
On Tue, Nov 28, 2023 at 2:54 PM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> >Could you please help me with those threads here to regenerate SIDs.
>
> https://access.redhat.com/articles/7027037
>
> >
> >On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> >
> >> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> >> >Yeah,
> >> >But my default ID range starts with 770000, but all my existing
> >> >infrastructure UIDs are within 4 digits, like 4147, 8921, 9756.
> >> >Here I am facing an issue.
> >> >
> >> >That's why I am creating users with the default ID range and then later I am
> >> >modifying them via UIDs as per my infrastructure; then ipantuserattrs is created
> >> >and I am able to authenticate with a password.
> >>
> >> This is wrong.
> >>
> >> >
> >> >Can you suggest to me whether with this setup I can easily handle 350 users for
> >> >around 400 servers across different locations, with caching
> >> >on the IPA clients?
> >>
> >> As I already said in other threads, create an additional ID range that
> >> covers your 4-digit IDs, then re-run SID generation to make sure those
> >> users get proper SIDs.
> >>
> >> This is covered in the KCS.
> >>
> >> >
> >> >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> >> >
> >> >> Please don't drop the mailing list.
> >> >>
> >> >> On Tue, 28 Nov 2023, Pradeep KNS wrote:
> >> >> >Hey Alexander,
> >> >> >
> >> >> >Thanks for the reply.
> >> >> >
> >> >> >But in my case I have fixed it by recreating the user in the IPA web UI, and
> >> >> >observing that ipantuserattrs was created, password logins are working fine.
> >> >> >
> >> >> >But do I face any issues if I try to modify the base ID range manually? As
> >> >> >per the Red Hat docs it is not recommended to modify.
> >> >>
> >> >> If you have re-created your user and that new one works, it means the
> >> >> underlying infrastructure works properly. Older user entries need to be
> >> >> fixed, preferably through a new ID range, if those entries use IDs
> >> >> which are outside of the main ID range.
> >> >>
> >> >> >
> >> >> >Also on IPA 4.11 they support dedicated SSH key based
> >> >> >authentication. Of course now also it's working.
> >> >> >
> >> >> >My setup is that I have internal DNS which is handled by Puppet and
> >> >> >slowly will move it to a dedicated internal DNS server, so that's why I
> >> >> >opted for IPA installation without DNS.
> >> >> >
> >> >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> >> >> >
> >> >> >> On Mon, 27 Nov 2023, Pradeep KNS via FreeIPA-users wrote:
> >> >> >> >Hi Rob,
> >> >> >> >Thank you for your email. I've identified the issue.
> >> >> >> >When attempting to create a user using the 'ipa user-add' command and
> >> >> >> >defining the UID and GID according to my specifications, the UID falls
> >> >> >> >within the 4-digit range, for instance, 4141. The
> >> >> >> >IPA ID range during installation was set to 770000. Users created within
> >> >> >> >this range are accepted with their passwords. However, users created with
> >> >> >> >UIDs like 4141 or 4142 encounter issues.
> >> >> >> >
> >> >> >> >Looks like attributes were not being created:
> >> >> >> >
> >> >> >> >objectclass: top, person, organizationalperson, inetorgperson, inetuser,
> >> >> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
> >> >> >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
> >> >> >> >
> >> >> >> >If I specify uid and gid using the ipa user-add command,
> >> >> >> >ipantuserattrs is not getting created.
> >> >> >> >
> >> >> >> >I tried to modify the default range but it didn't happen.
> >> >> >>
> >> >> >> See my answers in a parallel thread 'kinit fails on freeipa master: File
> >> >> >> or directory not found'.
> >> >> >>
> >> >> >> >
> >> >> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden <rcritten(a)redhat.com> wrote:
> >> >> >> >
> >> >> >> >> Pradeep KNS wrote:
> >> >> >> >> > Hi,
> >> >> >> >> > I have installed IPA with internal DNS. After installing, I updated
> >> >> >> >> > entries on DNS as well.
> >> >> >> >> >
> >> >> >> >> > My main criterion is to communicate with IPA clients with SSH key-based
> >> >> >> >> > authentication, which is working fine.
> >> >> >> >> >
> >> >> >> >> > Today I thought I want to test with password-based authentication, which
> >> >> >> >> > is not happening. I don't know where I am missing something.
> >> >> >> >> >
> >> >> >> >> > [root(a)example.com]# ipa --version
> >> >> >> >> > VERSION: 4.10.1, API_VERSION: 2.251
> >> >> >> >> > [root(a)example.com]#
> >> >> >> >> >
> >> >> >> >> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
> >> >> >> >> > BACKTRACE:
> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [tgt_req_child]
> >> >> >> >> > (0x1000): [RID#15] Password was expired
> >> >> >> >>
> >> >> >> >> The user's password is expired.
> >> >> >> >>
> >> >> >> >> IPA intends that only the end-user knows their password. So if it is set
> >> >> >> >> or reset by an administrator the user will need to change it.
> >> >> >> >>
> >> >> >> >> Is the user not prompted to reset it?
> >> >> >> >>
> >> >> >> >> rob
> >> >> >> >>
> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [sss_krb5_responder]
> >> >> >> >> > (0x4000): [RID#15] Got question [password].
> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [map_krb5_error]
> >> >> >> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see e-text)]
> >> >> >> >> > ********************** BACKTRACE DUMP ENDS HERE
> >> >> >> >> > *********************************
> >> >> >> >> >
> >> >> >> >> > ssh log
> >> >> >> >> >
> >> >> >> >> > Nov 23 19:33:16 test-example.com sshd[11586]:
> >> >> >> >> > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> >> >> >> >> > tty=ssh ruser= rhost=10.10.1.1 user=harsh
> >> >> >> >> > Nov 23 19:33:16 test-example.com sshd[11586]:
> >> >> >> >> > pam_sss(sshd:auth): received for user harsh: 4 (System error)
> >> >> >> >> > Nov 23 19:33:18 test-example.com sshd[11584]:
> >> >> >> >> > error: PAM: Authentication failure for harsh from 10.10.1.1
> >> >> >> >> > Nov 23 19:33:20 test-example.com sshd[11584]:
> >> >> >> >> > Connection closed by authenticating user harsh 10.10.1.1 port 47724
> >> >> >> >> > [preauth]
> >> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> / Alexander Bokovoy
> >> >> >> Sr. Principal Software Engineer
> >> >> >> Security / Identity Management Engineering
> >> >> >> Red Hat Limited, Finland