Thanks Alexander,
Appreciate your help and things are working as expected.
On Fri, Dec 1, 2023 at 1:13 PM Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
On Fri, 01 Dec 2023, Pradeep KNS wrote:
>Hey Alexander,
>
>I have tried installing a new IPA server with my expected ranges on my new
>site and it's working fine. Thanks for the document.
>
>I have observed a couple of errors. POSIX IDs 4248, 4141, 4121, 4258, etc.
>are all my infra group IDs.
>
>
>[30/Nov/2023:05:17:36.931522914 -0500] - ERR - sidgen_task_thread - [file
>ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>[30/Nov/2023:05:17:36.933841900 -0500] - ERR - sidgen_task_thread - [file
>ipa_sidgen_task.c, line 199]: Sidgen task finished [0].
>[30/Nov/2023:05:17:41.443256202 -0500] - ERR - schema-compat-plugin -
>warning: no entries set up under ou=sudoers,dc=alpha-grep,dc=com
>[30/Nov/2023:05:17:41.449472986 -0500] - ERR - schema-compat-plugin -
>warning: no entries set up under cn=ng, cn=compat,dc=alpha-grep,dc=com
>[30/Nov/2023:05:17:41.456705946 -0500] - ERR - schema-compat-plugin -
>warning: no entries set up under cn=computers,
>cn=compat,dc=alpha-grep,dc=com
>[30/Nov/2023:05:17:41.457666134 -0500] - ERR - schema-compat-plugin -
>Finished plugin initialization.
>[30/Nov/2023:05:27:02.337803787 -0500] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4141] into
>an unused SID.
4141 is below base ID for the only ID range that could be used (starting
with 5000). You need to add a range similar to your $REALM_id_range but
which covers all these POSIX UID/GIDs.
>[30/Nov/2023:05:27:02.338927487 -0500] - ERR - ipa_sidgen_add_post_op -
>[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
>[30/Nov/2023:06:03:06.173948392 -0500] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4121] into
>an unused SID.
Same here.
>[30/Nov/2023:06:03:06.174922473 -0500] - ERR - ipa_sidgen_add_post_op -
>[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
>[30/Nov/2023:06:22:36.616707461 -0500] - ERR - rid_to_sid_with_check -
>[file ipa_sidgen_common.c, line 384]: SID
>[S-1-5-21-3258431096-680571367-3483437258-16054] is already used.
This SID is already used by some other object.
>[30/Nov/2023:06:24:53.185373410 -0500] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4258] into
>an unused SID.
Same here -- 4258 is below 5000.
>[30/Nov/2023:06:24:53.186107898 -0500] - ERR - ipa_sidgen_add_post_op -
>[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
>[30/Nov/2023:07:07:48.738323141 -0500] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into
>an unused SID.
Same here.
>[30/Nov/2023:07:07:48.739492958 -0500] - ERR - ipa_sidgen_add_post_op -
>[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
>[30/Nov/2023:08:10:33.205867886 -0500] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into
>an unused SID.
>[30/Nov/2023:08:10:33.206759596 -0500] - ERR - ipa_sidgen_add_post_op -
>[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
>[30/Nov/2023:08:33:53.787156179 -0500] - ERR - find_sid_for_ldap_entry -
>[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into
>an unused SID.
>[30/Nov/2023:08:33:53.788186638 -0500] - ERR - ipa_sidgen_add_post_op -
>[file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
>[root@ipa- ~]#
>
>
>[root@ipa-~]# ipa user-show test --all --raw
> dn: uid=test,cn=users,cn=accounts,dc=$REAL
> uid: test
> givenname: test
> sn: test
> cn: test
> initials: TE
> homedirectory: /home/test
> gecos: Test
> loginshell: /bin/bash
> krbcanonicalname: test(a)$REALM.COM
> krbprincipalname: kpradeep(a)$REALM.COM
> uidnumber: 5708
> gidnumber: 4141
> sshpubkeyfp:
> nsaccountlock: FALSE
> has_password: TRUE
> has_keytab: TRUE
> displayName: Test
> ipaNTSecurityIdentifier: S-1-5-21-3258431096-680571367-3483437258-1708
> ipaSshPubKey: <key>
> ipaUniqueID: <id>
> krbExtraData: <data>
> krbLastAdminUnlock: 20231130174441Z
> krbLastPwdChange: 20231130174540Z
> krbLoginFailedCount: 0
> krbPasswordExpiration: 20240228174540Z
> krbTicketFlags: 128
> memberof: cn=admin,cn=groups,cn=accounts,dc=$real
> memberof: cn=ipausers,cn=groups,cn=accounts,dc=$real
> memberofindirect:
>ipaUniqueID=8c81c2c6-8f6b-11ee-b685-a68c8b95f346,cn=sudorules,cn=sudo,dc=$real
> mepManagedEntry: cn=test,cn=groups,cn=accounts,dc=$real
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> objectClass: ipantuserattrs
>
>
>[root@ipa- ~]# ipa idrange-find --all --raw
>----------------
>2 ranges matched
>----------------
> dn: cn=$REALM_id_range,cn=ranges,cn=etc,dc=$real
> cn: $REALM_id_range
> ipabaseid: 5000
> ipaidrangesize: 1995001
> ipabaserid: 1000
> ipasecondarybaserid: 100000000
> iparangetype: ipa-local
> objectclass: top
> objectclass: ipaIDrange
> objectclass: ipaDomainIDRange
>
> dn: cn=$REALM_subid_range,cn=ranges,cn=etc,dc=$realm
> cn: $REALM_subid_range
> ipabaseid: 2147483648
> ipaidrangesize: 2147352576
> ipabaserid: 2145488647
> ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364
> iparangetype: ipa-ad-trust
> objectclass: top
> objectclass: ipaIDrange
> objectclass: ipaTrustedADDomainRange
>----------------------------
>Number of entries returned 2
>----------------------------
>[root@ipa ~]#
>
>On Tue, Nov 28, 2023 at 4:58 PM Pradeep KNS <kns.pradeep(a)alpha-grep.com>
>wrote:
>
>> Thanks a lot and I will Go through it.
>>
>> On Tue, Nov 28, 2023 at 4:56 PM Alexander Bokovoy <abokovoy(a)redhat.com>
>> wrote:
>>
>>> On Tue, 28 Nov 2023, Pradeep KNS wrote:
>>> >OK, but in my case I don't use AD, Windows authentication or replica etc.,
>>> >just the centralised authentication system; all are Red Hat OS installed
>>> >servers.
>>> >In this case also I need to create a base RID?
>>>
>>> Yes. You keep ignoring my references to previous discussions.
>>>
>>> You will not get it working without proper SIDs because we require PAC
>>> presence to protect against Kerberos impersonation. This is not a
>>> theoretical probability anymore since November 2022 Microsoft security
>>> updates. The same attacks apply to all Kerberos environments and current
>>> way of protecting against them is to utilize MS-PAC buffers with
>>> appropriate signatures and checksums. PAC buffers require use of SIDs to
>>> address objects and that is what we enforce now.
>>>
>>> If you still want to know details, I'd suggest to watch at least the two
>>> talks we gave at SambaXP past few years:
>>>
>>> - "Kerberos" by Andrew Bartlett
>>>
>>> https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Ker...
>>>
>>> - Samba AD / MIT Kerberos: path out of experimental by me and Andreas
>>>
>>> https://sambaxp.org/fileadmin/user_upload/sambaxp2023-Slides/Bokovoy_Schn...
>>>
>>> https://youtu.be/0_cdYuIYw0o
>>>
>>> While these talk about Samba AD, the changes went to both Samba and
>>> FreeIPA, as well as MIT Kerberos (and Microsoft's Active Directory too).
>>>
>>> So, look at the KCS I gave, understand how to add RID bases to your new
>>> ID range and fix your problem through that.
>>>
>>> >
>>> >On Tue, Nov 28, 2023 at 4:30 PM Alexander Bokovoy <abokovoy(a)redhat.com>
>>> >wrote:
>>> >
>>> >> On Tue, 28 Nov 2023, Pradeep KNS wrote:
>>> >> >Alexander,
>>> >> >
>>> >> >Thanks for that document. I did a bit of it but it didn't work; looks like
>>> >> >I might have followed some wrong steps.
>>> >> >
>>> >> >My default id range mentioned below
>>> >> >ipa idrange-find --all --raw
>>> >> >----------------
>>> >> >2 ranges matched
>>> >> >----------------
>>> >> > dn: cn=REALM_id_range,cn=ranges,cn=etc,dc=$SUFFIX
>>> >> > cn: REALM_id_range
>>> >> > ipabaseid: 771000000
>>> >> > ipaidrangesize: 200000
>>> >> > ipabaserid: 1000
>>> >> > ipasecondarybaserid: 100000000
>>> >> > iparangetype: ipa-local
>>> >> > objectclass: top
>>> >> > objectclass: ipaIDrange
>>> >> > objectclass: ipaDomainIDRange
>>> >> >
>>> >> > dn: cn=REALM_subid_range,cn=ranges,cn=etc,dc=SUFFIX
>>> >> > cn: REALM_subid_range
>>> >> > ipabaseid: 2147483648
>>> >> > ipaidrangesize: 2147352576
>>> >> > ipabaserid: 2147283648
>>> >> > ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364
>>> >> > iparangetype: ipa-ad-trust
>>> >> > objectclass: top
>>> >> > objectclass: ipaIDrange
>>> >> > objectclass: ipaTrustedADDomainRange
>>> >> >
>>> >> >##################################
>>> >> >Manually created ID range
>>> >> >
>>> >> >[root@ipa-mum1 ~]# ipa idrange-find --all --raw
>>> >> >----------------
>>> >> >3 ranges matched
>>> >> >----------------
>>> >> > dn: cn=REALM_id_new_range,cn=ranges,cn=etc,dc=SUFFIX
>>> >> > cn: REALM_id_new_range
>>> >> > ipabaseid: 1000
>>> >> > ipaidrangesize: 200000
>>> >> > iparangetype: ipa-local
>>> >> > objectclass: ipaIDrange
>>> >> > objectclass: ipadomainidrange
>>> >>
>>> >> You created a new ID range but this range has no RID bases. Therefore,
>>> >> the range cannot be used for SID assignment.
>>> >>
>>> >> The KCS article has a section about RID bases and how to choose them,
>>> >> please follow that.
>>> >>
>>> >> >
>>> >> >Then I created the user called test user; after that it didn't create the
>>> >> >expected user attribute
>>> >> >
>>> >> >root@ipa~]#ipa user-add testuser --first=Test --last=User --uid=5189 --gidnumber=4141 --password
>>> >> >root@ipa ~]# ipa user-show testuser --all
>>> >> > dn: uid=testuser,cn=users,cn=accounts,dc=real
>>> >> > User login: testuser
>>> >> > First name: Test
>>> >> > Last name: User
>>> >> > Full name: Test User
>>> >> > Display name: Testuser
>>> >> > Initials: TU
>>> >> > Home directory: /home/testuser
>>> >> > GECOS: Test User
>>> >> > Login shell: /bin/bash
>>> >> > Principal name: testuser(a)REALM.COM
>>> >> > Principal alias: testuser(a)REALM.COM
>>> >> > User password expiration: 20231124144147Z
>>> >> > UID: 5189
>>> >> > GID: 4141
>>> >> > Account disabled: False
>>> >> > Preserved user: False
>>> >> > Password: True
>>> >> > Member of groups: ipausers
>>> >> > Kerberos keys available: True
>>> >> > ipauniqueid: 88e7da44-8ad7-11ee-b06e-a68c8b95f346
>>> >> > krbextradata: AAIrtmBlcm9vdC9hZG1pbkBBTFBIQS1HUkVQLkNPTQA=
>>> >> > krblastadminunlock: 20231124144147Z
>>> >> > krblastpwdchange: 20231124144147Z
>>> >> > krbloginfailedcount: 0
>>> >> > mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
>>> >> > objectclass: top, person, organizationalperson, inetorgperson, inetuser,
>>> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
>>> >> >ipaSshGroupOfPubKeys, mepOriginEntry
>>> >> >
>>> >> >The above method followed but after creating another id range manually, I
>>> >> >don't know where I missed post creation of ranges, for somehow it didn't
>>> >> >work. That's why I followed that generic method creating users and
>>> >> >modifying it manually.
>>> >> >Please suggest me.
>>> >> >
>>> >> >On Tue, Nov 28, 2023 at 2:56 PM Pradeep KNS <kns.pradeep(a)alpha-grep.com>
>>> >> >wrote:
>>> >> >
>>> >> >> Thanks will go through it.
>>> >> >>
>>> >> >> On Tue, Nov 28, 2023 at 2:54 PM Alexander Bokovoy <abokovoy(a)redhat.com>
>>> >> >> wrote:
>>> >> >>
>>> >> >>> On Tue, 28 Nov 2023, Pradeep KNS wrote:
>>> >> >>> >Could you please help me with those threads here to regenerate SIDs.
>>> >> >>>
>>> >> >>> https://access.redhat.com/articles/7027037
>>> >> >>>
>>> >> >>> >
>>> >> >>> >
>>> >> >>> >On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy <abokovoy(a)redhat.com>
>>> >> >>> >wrote:
>>> >> >>> >
>>> >> >>> >> On Tue, 28 Nov 2023, Pradeep KNS wrote:
>>> >> >>> >> >Yeah,
>>> >> >>> >> >But my default id range starts with 770000 but all my existing
>>> >> >>> >> >infrastructure UIDs are within 4 digits like 4147, 8921, 9756 like this.
>>> >> >>> >> >Here I am facing an issue.
>>> >> >>> >> >
>>> >> >>> >> >That's why I am creating users with default id range and then later I am
>>> >> >>> >> >modifying it via UIDs as per my infrastructure then ipantuserattrs created
>>> >> >>> >> >and I am able to authenticate with password.
>>> >> >>> >>
>>> >> >>> >> This is wrong.
>>> >> >>> >>
>>> >> >>> >> >
>>> >> >>> >> >Can you suggest to me that with this setup I can easily handle 350 users for
>>> >> >>> >> >around 400 servers across different different locations with cache of
>>> >> >>> >> >storing on ipa clients.
>>> >> >>> >>
>>> >> >>> >> As I already said in other threads, create additional ID range that
>>> >> >>> >> covers your 4-digit IDs, then re-run SID generation to make sure those
>>> >> >>> >> users get proper SIDs.
>>> >> >>> >>
>>> >> >>> >> This is covered in the KCS.
>>> >> >>> >>
>>> >> >>> >> >
>>> >> >>> >> >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy <abokovoy(a)redhat.com>
>>> >> >>> >> >wrote:
>>> >> >>> >> >
>>> >> >>> >> >> Please don't drop mailing list.
>>> >> >>> >> >>
>>> >> >>> >> >> On Tue, 28 Nov 2023, Pradeep KNS wrote:
>>> >> >>> >> >> >Hey Alexander,
>>> >> >>> >> >> >
>>> >> >>> >> >> >Thanks for the reply.
>>> >> >>> >> >> >
>>> >> >>> >> >> >But in my case I have fixed it by recreating the user on IPA web UI and
>>> >> >>> >> >> >observing ipantuserattrs created; password logins are working fine.
>>> >> >>> >> >> >
>>> >> >>> >> >> >But do I face any issues if I try to modify the base id range manually? as
>>> >> >>> >> >> >per redhat docs which is not recommended to modify.
>>> >> >>> >> >>
>>> >> >>> >> >> If you have re-created your user and that new one works, it means
>>> >> >>> >> >> underlying infrastructure works properly. Older user entries need to be
>>> >> >>> >> >> fixed. Preferably through a new ID range, if those entries use IDs
>>> >> >>> >> >> which are outside of the main ID range.
>>> >> >>> >> >>
>>> >> >>> >> >> >
>>> >> >>> >> >> >Also on ipa 4.11 they support dedicated ssh key based
>>> >> >>> >> >> >authentication. Of course now also it's working.
>>> >> >>> >> >> >
>>> >> >>> >> >> >My setup is that I have internal dns which is handled by a puppet and
>>> >> >>> >> >> >slowly will move it to a dedicated internal dns server so that's why I
>>> >> >>> >> >> >opted for ipa installation without dns.
>>> >> >>> >> >> >
>>> >> >>> >> >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <abokovoy(a)redhat.com>
>>> >> >>> >> >> >wrote:
>>> >> >>> >> >> >
>>> >> >>> >> >> >> On Mon, 27 Nov 2023, Pradeep KNS via FreeIPA-users wrote:
>>> >> >>> >> >> >> >Hi Rob,
>>> >> >>> >> >> >> >Thank you for your email. I've identified the issue.
>>> >> >>> >> >> >> >When attempting to create a user using the 'ipa user-add' command and
>>> >> >>> >> >> >> >defining the UID and GID according to my specifications, the UID falls
>>> >> >>> >> >> >> >within the 4-digit range, for instance, 4141. The
>>> >> >>> >> >> >> >IPA IDs range during installation was set to 770000. Users created within
>>> >> >>> >> >> >> >this range are accepted with their passwords. However, users created with
>>> >> >>> >> >> >> >UIDs like 4141 or 4142 encounter issues.
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >Looks like attributes were not being created
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >objectclass: top, person, organizationalperson, inetorgperson, inetuser,
>>> >> >>> >> >> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
>>> >> >>> >> >> >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >If I mention uid and gid using ipa user-add command
>>> >> >>> >> >> >> >ipantuserattrs is not getting created.
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >I tried to modify default range but it didn't happen.
>>> >> >>> >> >> >>
>>> >> >>> >> >> >> See my answers in a parallel thread 'kinit fails on freeipa master: File
>>> >> >>> >> >> >> or directory not found'.
>>> >> >>> >> >> >>
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden <rcritten(a)redhat.com>
>>> >> >>> >> >> >> >wrote:
>>> >> >>> >> >> >> >
>>> >> >>> >> >> >> >> Pradeep KNS wrote:
>>> >> >>> >> >> >> >> > Hi,
>>> >> >>> >> >> >> >> > I have installed an ipa with internal dns. After installing updated
>>> >> >>> >> >> >> >> > entries on dns as well.
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> > My main criteria is to communicate with ipa clients with ssh keybased
>>> >> >>> >> >> >> >> > authentication which is working fine.
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> > Today I thought I want to test with password based authentication which
>>> >> >>> >> >> >> >> > is not happening. I don't know where I am missing
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> > [root(a)example.com]# ipa --version
>>> >> >>> >> >> >> >> > VERSION: 4.10.1, API_VERSION: 2.251
>>> >> >>> >> >> >> >> > [root(a)example.com]#
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
>>> >> >>> >> >> >> >> > BACKTRACE:
>>> >> >>> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [tgt_req_child]
>>> >> >>> >> >> >> >> > (0x1000): [RID#15] Password was expired
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >> The user's password is expired.
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >> IPA intends that only the end-user knows their password. So if it is set
>>> >> >>> >> >> >> >> or reset by an administrator the user will need to change it.
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >> Is the user not prompted to reset it?
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >> rob
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [sss_krb5_responder]
>>> >> >>> >> >> >> >> > (0x4000): [RID#15] Got question [password].
>>> >> >>> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [map_krb5_error]
>>> >> >>> >> >> >> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see e-text)]
>>> >> >>> >> >> >> >> > ********************** BACKTRACE DUMP ENDS HERE
>>> >> >>> >> >> >> >> > *********************************
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> > ssh log
>>> >> >>> >> >> >> >> >
>>> >> >>> >> >> >> >> > Nov 23 19:33:16 test-example.com sshd[11586]:
>>> >> >>> >> >> >> >> > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
>>> >> >>> >> >> >> >> > tty=ssh ruser= rhost=10.10.1.1 user=harsh
>>> >> >>> >> >> >> >> > Nov 23 19:33:16 test-example.com sshd[11586]:
>>> >> >>> >> >> >> >> > pam_sss(sshd:auth): received for user harsh: 4 (System error)
>>> >> >>> >> >> >> >> > Nov 23 19:33:18 test-example.com sshd[11584]:
>>> >> >>> >> >> >> >> > error: PAM: Authentication failure for harsh from 10.10.1.1
>>> >> >>> >> >> >> >> > Nov 23 19:33:20 test-example.com sshd[11584]:
>>> >> >>> >> >> >> >> > Connection closed by authenticating user harsh 10.10.1.1 port 47724
>>> >> >>> >> >> >> >> > [preauth]
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >> >>
>>> >> >>> >> >> >>
>>> >> >>> >> >> >>
>>> >> >>> >> >> >>
>>> >> >>> >> >> >>
>>> >> >>> >> >> >> --
>>> >> >>> >> >> >> / Alexander Bokovoy
>>> >> >>> >> >> >> Sr. Principal Software Engineer
>>> >> >>> >> >> >> Security / Identity Management Engineering
>>> >> >>> >> >> >> Red Hat Limited, Finland
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
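
The range check behind the "Cannot convert Posix ID" errors discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA's own code. It assumes the primary RID is `ipabaserid + (ID - ipabaseid)` and that only `ipa-local` ranges with both RID bases are usable, which matches the thread's `uidnumber: 5708` and SID ending in `-1708`; the function names are hypothetical and the sample inputs are constructed from values quoted above.

```python
import re

# Constructed samples, trimmed from values quoted in the thread.
IDRANGES = """\
  cn: $REALM_id_range
  ipabaseid: 5000
  ipaidrangesize: 1995001
  ipabaserid: 1000
  ipasecondarybaserid: 100000000
  iparangetype: ipa-local

  cn: $REALM_subid_range
  ipabaseid: 2147483648
  ipaidrangesize: 2147352576
  ipabaserid: 2145488647
  iparangetype: ipa-ad-trust
"""
# The manually created range from the earlier message: it has no RID bases.
RANGE_WITHOUT_RIDS = """\
  cn: REALM_id_new_range
  ipabaseid: 1000
  ipaidrangesize: 200000
  iparangetype: ipa-local
"""
ERRORS_LOG = """\
[30/Nov/2023:05:27:02.337803787 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4141] into an unused SID.
[30/Nov/2023:06:03:06.173948392 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4121] into an unused SID.
[30/Nov/2023:06:22:36.616707461 -0500] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-3258431096-680571367-3483437258-16054] is already used.
[30/Nov/2023:06:24:53.185373410 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4258] into an unused SID.
[30/Nov/2023:07:07:48.738323141 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into an unused SID.
[30/Nov/2023:08:10:33.205867886 -0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into an unused SID.
"""


def parse_ranges(text):
    """Split `ipa idrange-find --all --raw` style output into one dict per range."""
    ranges = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        attrs = dict(re.findall(r"^[ \t]*(\w+):[ \t]*(\S+)[ \t]*$", block, re.M))
        if "ipabaseid" in attrs:
            ranges.append(attrs)
    return ranges


def diagnose(posix_id, ranges):
    """Say whether a RID (last SID component) can be derived for posix_id."""
    for r in ranges:
        base, size = int(r["ipabaseid"]), int(r["ipaidrangesize"])
        if r.get("iparangetype") != "ipa-local" or not base <= posix_id < base + size:
            continue
        if "ipabaserid" not in r or "ipasecondarybaserid" not in r:
            return f"{r['cn']} covers the ID but has no RID bases"
        # Assumed mapping: primary RID = ipabaserid + offset of the ID in its range.
        return f"RID {int(r['ipabaserid']) + posix_id - base} from {r['cn']}"
    return "no ipa-local range covers the ID"


def failed_ids(log_text):
    """Distinct POSIX IDs the sidgen plugin reported it could not convert."""
    return sorted({int(i) for i in re.findall(r"Cannot convert Posix ID \[(\d+)\]", log_text)})


if __name__ == "__main__":
    ranges = parse_ranges(IDRANGES)
    print(5708, "->", diagnose(5708, ranges))
    for posix_id in failed_ids(ERRORS_LOG):
        print(posix_id, "->", diagnose(posix_id, ranges))
    print(4141, "->", diagnose(4141, ranges + parse_ranges(RANGE_WITHOUT_RIDS)))
```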