Yeah,
But my default ID range starts with 770000, but all my existing infrastructure UIDs are within 4 digits, like 4147, 8921, 9756. Here I am facing an issue.

That's why I am creating users with the default ID range and then later I am modifying it via UIDs as per my infrastructure; then ipantuserattrs is created and I am able to authenticate with password.

Can you suggest whether, with this setup, I can easily handle 350 users for around 400 servers across different locations, with the cache stored on IPA clients?

On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
Please don't drop mailing list.

On Tue, 28 Nov 2023, Pradeep KNS wrote:
>Hey Alexander,
>
>Thanks For the Reply.
>
>But in my case I have fixed it by recreating the user in the IPA web UI and
>observing that ipantuserattrs is created; password logins are working fine.
>
>But will I face any issues if I try to modify the base ID range manually? As
>per the Red Hat docs, modifying it is not recommended.

If you have re-created your user and that new one works, it means
underlying infrastructure works properly. Older user entries need to be
fixed. Preferably through a new ID range, if those entries use IDs
which are outside of the main ID range.

>
>Also, on IPA 4.11 they support dedicated SSH key-based
>authentication. Of course, now also it's working.
>
>My setup is that I have internal DNS which is handled by Puppet and
>slowly will move it to a dedicated internal DNS server, so that's why I
>opted for IPA installation without DNS.
>
>On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <abokovoy@redhat.com>
>wrote:
>
>> On Mon, 27 Nov 2023, Pradeep KNS via FreeIPA-users wrote:
>> >Hi Rob,
>> >Thank you for your email. I've identified the issue.
>> >When attempting to create a user using the 'ipa user-add' command and
>> >defining the UID and GID according to my specifications, the UID falls
>> >within the 4-digit range, for instance, 4141. The
>> >IPA IDs range during installation was set to 770000. Users created within
>> >this range are accepted with their passwords. However, users created with
>> >UIDs like 4141 or 4142 encounter issues.
>> >
>> >Looks like the attributes were not being created:
>> >
>> >objectclass: top, person, organizationalperson, inetorgperson, inetuser,
>> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
>> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
>> >
>> >If I mention the UID and GID using the ipa user-add command,
>> >ipantuserattrs is not getting created.
>> >
>> >I tried to modify the default range but it didn't happen.
>>
>> See my answers in a parallel thread 'kinit fails on freeipa master: File
>> or directory not found'.
>>
>> >
>> >
>> >
>> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden <rcritten@redhat.com>
>> wrote:
>> >
>> >> Pradeep KNS wrote:
>> >> > Hi,
>> >> > I have installed an IPA with internal DNS. After installing, I updated
>> >> > the entries on DNS as well.
>> >> >
>> >> > My main criterion is to communicate with IPA clients with SSH key-based
>> >> > authentication, which is working fine.
>> >> >
>> >> > Today I thought I want to test with password-based authentication, which
>> >> > is not happening. I don't know where I am missing.
>> >> >
>> >> >
>> >> > [root@example.com]# ipa --version
>> >> > VERSION: 4.10.1, API_VERSION: 2.251
>> >> > [root@example.com]#
>> >> >
>> >> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
>> >> > BACKTRACE:
>> >> >    *  (2023-11-23 19:33:16): [krb5_child[11588]] [tgt_req_child]
>> >> > (0x1000): [RID#15] Password was expired
>> >>
>> >> The user's password is expired.
>> >>
>> >> IPA intends that only the end-user knows their password. So if it is set
>> >> or reset by an administrator the user will need to change it.
>> >>
>> >> Is the user not prompted to reset it?
>> >>
>> >> rob
>> >>
>> >> >    *  (2023-11-23 19:33:16): [krb5_child[11588]] [sss_krb5_responder]
>> >> > (0x4000): [RID#15] Got question [password].
>> >> >    *  (2023-11-23 19:33:16): [krb5_child[11588]] [map_krb5_error]
>> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see e-text)]
>> >> > ********************** BACKTRACE DUMP ENDS HERE
>> >> > *********************************
>> >> >
>> >> > ssh log
>> >> >
>> >> > Nov 23 19:33:16 test-example.com sshd[11586]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.1.1 user=harsh
>> >> > Nov 23 19:33:16 test-example.com sshd[11586]: pam_sss(sshd:auth): received for user harsh: 4 (System error)
>> >> > Nov 23 19:33:18 test-example.com sshd[11584]: error: PAM: Authentication failure for harsh from 10.10.1.1
>> >> > Nov 23 19:33:20 test-example.com sshd[11584]: Connection closed by authenticating user harsh 10.10.1.1 port 47724 [preauth]
>> >>
>> >>
>> >>
>>
>>
>>
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
>>




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
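
An added example, not part of the original thread and not FreeIPA code: it lists the accounts whose UID lies outside every ID range (the entries the reply above says need fixing) and sizes a candidate new range for them that does not overlap an existing one. The 770000 base and the 4-digit UIDs come from the thread; the range names, the range size of 200000, the headroom and the logins are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int  # first POSIX ID in the range
    size: int     # number of IDs in the range

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

    def overlaps(self, other: "IdRange") -> bool:
        return (self.base_id < other.base_id + other.size
                and other.base_id < self.base_id + self.size)


def uncovered(users, ranges):
    """Return {login: uid} for users whose UID lies in no configured range."""
    return {login: uid for login, uid in users.items()
            if not any(r.covers(uid) for r in ranges)}


def propose_range(name, ids, ranges, headroom=1000):
    """Smallest range covering `ids` plus headroom for further legacy UIDs.

    Raises ValueError if the candidate would overlap an existing range.
    """
    ids = list(ids)
    if not ids:
        raise ValueError("no IDs to cover")
    base = min(ids)
    candidate = IdRange(name, base, max(ids) - base + 1 + headroom)
    clashes = [r.name for r in ranges if candidate.overlaps(r)]
    if clashes:
        raise ValueError(f"{name} overlaps {', '.join(clashes)}")
    return candidate


# Constructed sample data: the 770000 base and the 4-digit UIDs come from the
# thread; the range names, range size and logins are assumptions.
EXISTING = [IdRange("EXAMPLE.COM_id_range", 770000, 200000)]
USERS = {"user_a": 4141, "user_b": 4147, "user_c": 8921,
         "user_d": 9756, "user_e": 770004}

if __name__ == "__main__":
    outside = uncovered(USERS, EXISTING)
    print("UIDs outside every ID range:", outside)
    legacy = propose_range("EXAMPLE.COM_legacy_range", outside.values(), EXISTING)
    print(f"candidate: base_id={legacy.base_id} size={legacy.size}")
```

The resulting base and size correspond to the `--base-id` and `--range-size` options of `ipa idrange-add`; the RID bases that command also takes are not computed here.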