Please don't drop mailing list. On Аўт, 28 ліс 2023, Pradeep KNS wrote: >Hey Alexander, > >Thanks For the Reply. > >But in my case i have fixed it by recreating the user on Ipa web UI and >observing ipantuserattrs created password logins are working fine. > >But do I face any issues if I try to modify the base id range manually? as >per redhat docs which is not recommended to modify. If you have re-created your user and that new one works, it means underlying infrastructure works properly. Older user entries need to be fixed. Preferrably through a new ID range, if those entries use IDs which are outside of the main ID range. > >Also on ipa 4.11 they support dedicated ssh key based >authentication.Ofcourse now also its working. > >My setup is that I have internal dns which is handled by a puppet and >slowly will move it to a dedicated internal dns server so that's why i >opted for ipa installation without dns. > >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <abokovoy(a)redhat.com&gt; >wrote: > >> On Пан, 27 ліс 2023, Pradeep KNS via FreeIPA-users wrote: >> >Hi Rob, >> >Thank you for your email. I've identified the issue. >> >When attempting to create a user using the 'ipa user-add' command and >> >defining the UID and GID according to my specifications, the UID falls >> >within the 4-digit range, for instance, 4141. The >> >IPA IDs range during installation was set to 770000. Users created within >> >this range are accepted with their passwords. However, users created with >> >UIDs like 4141 or 4142 encounter issues. >> > >> >Looks like attributes, were not creating >> > >> >objectclass: top, person, organizationalperson, inetorgperson, inetuser, >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs >> > >> >If i mention uid and gid using ipa user-add command >> >ipantuserattrs is not getting create. >> > >> >I tried to modify default range but it dint happened. >> >> See my answers in a parallel thread 'kinit fails on freeipa master: File >> or directory not found'. >> >> > >> > >> > >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden <rcritten(a)redhat.com&gt; >> wrote: >> > >> >> Pradeep KNS wrote: >> >> > Hi, >> >> > I have installed an ipa with internal dns.After installing updated >> >> > entries on dns as well. >> >> > >> >> > My main criteria is to communicate with ipa clients with ssh keybased >> >> > authentication which is working fine. >> >> > >> >> > Today i tot of i want to test with password based authentication which >> >> > is not happening.I dont know where i am missing >> >> > >> >> > >> >> > [root(a)example.com <mailto:root@example.com>]# ipa --version >> >> > VERSION: 4.10.1, API_VERSION: 2.251 >> >> > [root(a)example.com <mailto:root@example.com>]# >> >> > >> >> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING >> >> > BACKTRACE: >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [tgt_req_child] >> >> > (0x1000): [RID#15] Password was expired >> >> >> >> The user's password is expired. >> >> >> >> IPA intends that only the end-user knows their password. So if it is set >> >> or reset by an administrator the user will need to change it. >> >> >> >> Is the user not prompted to reset it? >> >> >> >> rob >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [sss_krb5_responder] >> >> > (0x4000): [RID#15] Got question [password]. >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [map_krb5_error] >> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see e-text)] >> >> > ********************** BACKTRACE DUMP ENDS HERE >> >> > ********************************* >> >> > >> >> > ssh log >> >> > >> >> > Nov 23 19:33:16 test-example.com <http://test-example.com> >> sshd[11586]: >> >> > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 >> >> > tty=ssh ruser= rhost=10.10.1.1 user=harsh >> >> > Nov 23 19:33:16 test-example.com <http://test-example.com> >> sshd[11586]: >> >> > pam_sss(sshd:auth): received for user harsh: 4 (System error) >> >> > Nov 23 19:33:18test-example.com <http://18test-example.com> >> sshd[11584]: >> >> > error: PAM: Authentication failure for harsh from 10.10.1.1 >> >> > Nov 23 19:33:20 test-example.com <http://test-example.com> >> sshd[11584]: >> >> > Connection closed by authenticating user harsh 10.10.1.1 port 47724 >> >> > [preauth] >> >> >> >> >> >> >> >> >> >> >> -- >> / Alexander Bokovoy >> Sr. Principal Software Engineer >> Security / Identity Management Engineering >> Red Hat Limited, Finland >> >> -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

On Аўт, 28 ліс 2023, Pradeep KNS wrote: >Yeah, >But my default id range starts with 770000 but all my existing >infrastructure uid's are within 4 digits like 4147,8921,9756 like this. >Here I am facing an issue. > >That's why I am creating users with default id range and then later I am >modifying it via uid's as per my infrastructure then ipantuserattrs created >and I am able to authenticate with password. This is wrong. > >Can you suggest to me that with this setup i can easily handle 350Users for >around 400 servers across different different locations with cache of >storing on ipa clients. As I already said in other threads, create additional ID range that covers your 4-digit IDs, then re-run SID generation to make sure those users get proper SIDs. This is covered in the KCS. > >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy <abokovoy(a)redhat.com&gt; >wrote: > >> Please don't drop mailing list. >> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: >> >Hey Alexander, >> > >> >Thanks For the Reply. >> > >> >But in my case i have fixed it by recreating the user on Ipa web UI and >> >observing ipantuserattrs created password logins are working fine. >> > >> >But do I face any issues if I try to modify the base id range manually? as >> >per redhat docs which is not recommended to modify. >> >> If you have re-created your user and that new one works, it means >> underlying infrastructure works properly. Older user entries need to be >> fixed. Preferrably through a new ID range, if those entries use IDs >> which are outside of the main ID range. >> >> > >> >Also on ipa 4.11 they support dedicated ssh key based >> >authentication.Ofcourse now also its working. >> > >> >My setup is that I have internal dns which is handled by a puppet and >> >slowly will move it to a dedicated internal dns server so that's why i >> >opted for ipa installation without dns. >> > >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <abokovoy(a)redhat.com > >> >wrote: >> > >> >> On Пан, 27 ліс 2023, Pradeep KNS via FreeIPA-users wrote: >> >> >Hi Rob, >> >> >Thank you for your email. I've identified the issue. >> >> >When attempting to create a user using the 'ipa user-add' command and >> >> >defining the UID and GID according to my specifications, the UID falls >> >> >within the 4-digit range, for instance, 4141. The >> >> >IPA IDs range during installation was set to 770000. Users created >> within >> >> >this range are accepted with their passwords. However, users created >> with >> >> >UIDs like 4141 or 4142 encounter issues. >> >> > >> >> >Looks like attributes, were not creating >> >> > >> >> >objectclass: top, person, organizationalperson, inetorgperson, >> inetuser, >> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, >> ipasshuser, >> >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs >> >> > >> >> >If i mention uid and gid using ipa user-add command >> >> >ipantuserattrs is not getting create. >> >> > >> >> >I tried to modify default range but it dint happened. >> >> >> >> See my answers in a parallel thread 'kinit fails on freeipa master: File >> >> or directory not found'. >> >> >> >> > >> >> > >> >> > >> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden <rcritten(a)redhat.com > >> >> wrote: >> >> > >> >> >> Pradeep KNS wrote: >> >> >> > Hi, >> >> >> > I have installed an ipa with internal dns.After installing updated >> >> >> > entries on dns as well. >> >> >> > >> >> >> > My main criteria is to communicate with ipa clients with ssh >> keybased >> >> >> > authentication which is working fine. >> >> >> > >> >> >> > Today i tot of i want to test with password based authentication >> which >> >> >> > is not happening.I dont know where i am missing >> >> >> > >> >> >> > >> >> >> > [root(a)example.com <mailto:root@example.com>]# ipa --version >> >> >> > VERSION: 4.10.1, API_VERSION: 2.251 >> >> >> > [root(a)example.com <mailto:root@example.com>]# >> >> >> > >> >> >> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE >> FOLLOWING >> >> >> > BACKTRACE: >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [tgt_req_child] >> >> >> > (0x1000): [RID#15] Password was expired >> >> >> >> >> >> The user's password is expired. >> >> >> >> >> >> IPA intends that only the end-user knows their password. So if it is >> set >> >> >> or reset by an administrator the user will need to change it. >> >> >> >> >> >> Is the user not prompted to reset it? >> >> >> >> >> >> rob >> >> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] >> [sss_krb5_responder] >> >> >> > (0x4000): [RID#15] Got question [password]. >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [map_krb5_error] >> >> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see e-text)] >> >> >> > ********************** BACKTRACE DUMP ENDS HERE >> >> >> > ********************************* >> >> >> > >> >> >> > ssh log >> >> >> > >> >> >> > Nov 23 19:33:16 test-example.com <http://test-example.com> >> >> sshd[11586]: >> >> >> > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 >> >> >> > tty=ssh ruser= rhost=10.10.1.1 user=harsh >> >> >> > Nov 23 19:33:16 test-example.com <http://test-example.com> >> >> sshd[11586]: >> >> >> > pam_sss(sshd:auth): received for user harsh: 4 (System error) >> >> >> > Nov 23 19:33:18test-example.com <http://18test-example.com> >> >> sshd[11584]: >> >> >> > error: PAM: Authentication failure for harsh from 10.10.1.1 >> >> >> > Nov 23 19:33:20 test-example.com <http://test-example.com> >> >> sshd[11584]: >> >> >> > Connection closed by authenticating user harsh 10.10.1.1 port 47724 >> >> >> > [preauth] >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> -- >> >> / Alexander Bokovoy >> >> Sr. Principal Software Engineer >> >> Security / Identity Management Engineering >> >> Red Hat Limited, Finland >> >> >> >> >> >> >> >> >> -- >> / Alexander Bokovoy >> Sr. Principal Software Engineer >> Security / Identity Management Engineering >> Red Hat Limited, Finland >> >> -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

On Аўт, 28 ліс 2023, Pradeep KNS wrote: >Could you please help me with those threads here to regenerate sid’s. https://access.redhat.com/articles/7027037 > > >On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy <abokovoy(a)redhat.com&gt; >wrote: > >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: >> >Yeah, >> >But my default id range starts with 770000 but all my existing >> >infrastructure uid's are within 4 digits like 4147,8921,9756 like this. >> >Here I am facing an issue. >> > >> >That's why I am creating users with default id range and then later I am >> >modifying it via uid's as per my infrastructure then ipantuserattrs >> created >> >and I am able to authenticate with password. >> >> This is wrong. >> >> > >> >Can you suggest to me that with this setup i can easily handle 350Users >> for >> >around 400 servers across different different locations with cache of >> >storing on ipa clients. >> >> As I already said in other threads, create additional ID range that >> covers your 4-digit IDs, then re-run SID generation to make sure those >> users get proper SIDs. >> >> This is covered in the KCS. >> >> > >> >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy <abokovoy(a)redhat.com > >> >wrote: >> > >> >> Please don't drop mailing list. >> >> >> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: >> >> >Hey Alexander, >> >> > >> >> >Thanks For the Reply. >> >> > >> >> >But in my case i have fixed it by recreating the user on Ipa web UI and >> >> >observing ipantuserattrs created password logins are working fine. >> >> > >> >> >But do I face any issues if I try to modify the base id range >> manually? as >> >> >per redhat docs which is not recommended to modify. >> >> >> >> If you have re-created your user and that new one works, it means >> >> underlying infrastructure works properly. Older user entries need to be >> >> fixed. Preferrably through a new ID range, if those entries use IDs >> >> which are outside of the main ID range. >> >> >> >> > >> >> >Also on ipa 4.11 they support dedicated ssh key based >> >> >authentication.Ofcourse now also its working. >> >> > >> >> >My setup is that I have internal dns which is handled by a puppet and >> >> >slowly will move it to a dedicated internal dns server so that's why i >> >> >opted for ipa installation without dns. >> >> > >> >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy < abokovoy(a)redhat.com >> > >> >> >wrote: >> >> > >> >> >> On Пан, 27 ліс 2023, Pradeep KNS via FreeIPA-users wrote: >> >> >> >Hi Rob, >> >> >> >Thank you for your email. I've identified the issue. >> >> >> >When attempting to create a user using the 'ipa user-add' command >> and >> >> >> >defining the UID and GID according to my specifications, the UID >> falls >> >> >> >within the 4-digit range, for instance, 4141. The >> >> >> >IPA IDs range during installation was set to 770000. Users created >> >> within >> >> >> >this range are accepted with their passwords. However, users created >> >> with >> >> >> >UIDs like 4141 or 4142 encounter issues. >> >> >> > >> >> >> >Looks like attributes, were not creating >> >> >> > >> >> >> >objectclass: top, person, organizationalperson, inetorgperson, >> >> inetuser, >> >> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, >> >> ipasshuser, >> >> >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs >> >> >> > >> >> >> >If i mention uid and gid using ipa user-add command >> >> >> >ipantuserattrs is not getting create. >> >> >> > >> >> >> >I tried to modify default range but it dint happened. >> >> >> >> >> >> See my answers in a parallel thread 'kinit fails on freeipa master: >> File >> >> >> or directory not found'. >> >> >> >> >> >> > >> >> >> > >> >> >> > >> >> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden < rcritten(a)redhat.com >> > >> >> >> wrote: >> >> >> > >> >> >> >> Pradeep KNS wrote: >> >> >> >> > Hi, >> >> >> >> > I have installed an ipa with internal dns.After installing >> updated >> >> >> >> > entries on dns as well. >> >> >> >> > >> >> >> >> > My main criteria is to communicate with ipa clients with ssh >> >> keybased >> >> >> >> > authentication which is working fine. >> >> >> >> > >> >> >> >> > Today i tot of i want to test with password based authentication >> >> which >> >> >> >> > is not happening.I dont know where i am missing >> >> >> >> > >> >> >> >> > >> >> >> >> > [root(a)example.com <mailto:root@example.com>]# ipa --version >> >> >> >> > VERSION: 4.10.1, API_VERSION: 2.251 >> >> >> >> > [root(a)example.com <mailto:root@example.com>]# >> >> >> >> > >> >> >> >> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE >> >> FOLLOWING >> >> >> >> > BACKTRACE: >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [tgt_req_child] >> >> >> >> > (0x1000): [RID#15] Password was expired >> >> >> >> >> >> >> >> The user's password is expired. >> >> >> >> >> >> >> >> IPA intends that only the end-user knows their password. So if it >> is >> >> set >> >> >> >> or reset by an administrator the user will need to change it. >> >> >> >> >> >> >> >> Is the user not prompted to reset it? >> >> >> >> >> >> >> >> rob >> >> >> >> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] >> >> [sss_krb5_responder] >> >> >> >> > (0x4000): [RID#15] Got question [password]. >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] >> [map_krb5_error] >> >> >> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see >> e-text)] >> >> >> >> > ********************** BACKTRACE DUMP ENDS HERE >> >> >> >> > ********************************* >> >> >> >> > >> >> >> >> > ssh log >> >> >> >> > >> >> >> >> > Nov 23 19:33:16 test-example.com <http://test-example.com> >> >> >> sshd[11586]: >> >> >> >> > pam_sss(sshd:auth): authentication failure; logname= uid=0 >> euid=0 >> >> >> >> > tty=ssh ruser= rhost=10.10.1.1 user=harsh >> >> >> >> > Nov 23 19:33:16 test-example.com <http://test-example.com> >> >> >> sshd[11586]: >> >> >> >> > pam_sss(sshd:auth): received for user harsh: 4 (System error) >> >> >> >> > Nov 23 19:33:18test-example.com <http://18test-example.com> >> >> >> sshd[11584]: >> >> >> >> > error: PAM: Authentication failure for harsh from 10.10.1.1 >> >> >> >> > Nov 23 19:33:20 test-example.com <http://test-example.com> >> >> >> sshd[11584]: >> >> >> >> > Connection closed by authenticating user harsh 10.10.1.1 port >> 47724 >> >> >> >> > [preauth] >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> -- >> >> >> / Alexander Bokovoy >> >> >> Sr. Principal Software Engineer >> >> >> Security / Identity Management Engineering >> >> >> Red Hat Limited, Finland >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> -- >> >> / Alexander Bokovoy >> >> Sr. Principal Software Engineer >> >> Security / Identity Management Engineering >> >> Red Hat Limited, Finland >> >> >> >> >> >> >> >> >> -- >> / Alexander Bokovoy >> Sr. Principal Software Engineer >> Security / Identity Management Engineering >> Red Hat Limited, Finland >> >> -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

Alexander, Thanks for that document.Bit of that i did it but it dint worked looks like i might followed some wrong steps. My default id range mentioned below ipa idrange-find --all --raw ---------------- 2 ranges matched ---------------- dn: cn=REALM_id_range,cn=ranges,cn=etc,dc=$SUFFIX cn: REALM_id_range ipabaseid: 771000000 ipaidrangesize: 200000 ipabaserid: 1000 ipasecondarybaserid: 100000000 iparangetype: ipa-local objectclass: top objectclass: ipaIDrange objectclass: ipaDomainIDRange dn: cn=REALM_subid_range,cn=ranges,cn=etc,dc=SUFFIX cn: REALM_subid_range ipabaseid: 2147483648 ipaidrangesize: 2147352576 ipabaserid: 2147283648 ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364 iparangetype: ipa-ad-trust objectclass: top objectclass: ipaIDrange objectclass: ipaTrustedADDomainRange ################################## Manually created ID range [root@ipa-mum1 ~]# ipa idrange-find --all --raw ---------------- 3 ranges matched ---------------- dn: cn=REALM_id_new_range,cn=ranges,cn=etc,dc=SUFFIX cn: REALM_id_new_range ipabaseid: 1000 ipaidrangesize: 200000 iparangetype: ipa-local objectclass: ipaIDrange objectclass: ipadomainidrange

Then i created the user name called test user post it dint created expected user attribute root@ipa~]#ipa user-add testuser --first=Test --last=User -uid=5189 --gidnumber=4141 --password root@ipa ~]# ipa user-show testuser --all dn: uid=testuser,cn=users,cn=accounts,dc=real User login: testuser First name: Test Last name: User Full name: Test User Display name: Testuser Initials: TU Home directory: /home/testuser GECOS: Test User Login shell: /bin/bash Principal name: testuser(a)REALM.COM Principal alias: testuser(a)REALM.COM User password expiration: 20231124144147Z UID: 5189 GID: 4141 Account disabled: False Preserved user: False Password: True Member of groups: ipausers Kerberos keys available: True ipauniqueid: 88e7da44-8ad7-11ee-b06e-a68c8b95f346 krbextradata: AAIrtmBlcm9vdC9hZG1pbkBBTFBIQS1HUkVQLkNPTQA= krblastadminunlock: 20231124144147Z krblastpwdchange: 20231124144147Z krbloginfailedcount: 0 mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry The above method followed but after creating another id range manually, I don't know where I missed post creation of ranges, for somehow it didn't work. That's why I followed that generic method creating users and modifying it manually. PLease suggest me. On Tue, Nov 28, 2023 at 2:56 PM Pradeep KNS <kns.pradeep(a)alpha-grep.com&gt; wrote: > Thanks will go through it. > > On Tue, Nov 28, 2023 at 2:54 PM Alexander Bokovoy <abokovoy(a)redhat.com&gt; > wrote: > >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: >> >Could you please help me with those threads here to regenerate sid’s. >> >> https://access.redhat.com/articles/7027037 >> >> > >> > >> >On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy <abokovoy(a)redhat.com&gt; >> >wrote: >> > >> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: >> >> >Yeah, >> >> >But my default id range starts with 770000 but all my existing >> >> >infrastructure uid's are within 4 digits like 4147,8921,9756 like >> this. >> >> >Here I am facing an issue. >> >> > >> >> >That's why I am creating users with default id range and then later I >> am >> >> >modifying it via uid's as per my infrastructure then ipantuserattrs >> >> created >> >> >and I am able to authenticate with password. >> >> >> >> This is wrong. >> >> >> >> > >> >> >Can you suggest to me that with this setup i can easily handle >> 350Users >> >> for >> >> >around 400 servers across different different locations with cache of >> >> >storing on ipa clients. >> >> >> >> As I already said in other threads, create additional ID range that >> >> covers your 4-digit IDs, then re-run SID generation to make sure those >> >> users get proper SIDs. >> >> >> >> This is covered in the KCS. >> >> >> >> > >> >> >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy < >> abokovoy(a)redhat.com&gt; >> >> >wrote: >> >> > >> >> >> Please don't drop mailing list. >> >> >> >> >> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: >> >> >> >Hey Alexander, >> >> >> > >> >> >> >Thanks For the Reply. >> >> >> > >> >> >> >But in my case i have fixed it by recreating the user on Ipa web >> UI and >> >> >> >observing ipantuserattrs created password logins are working fine. >> >> >> > >> >> >> >But do I face any issues if I try to modify the base id range >> >> manually? as >> >> >> >per redhat docs which is not recommended to modify. >> >> >> >> >> >> If you have re-created your user and that new one works, it means >> >> >> underlying infrastructure works properly. Older user entries need >> to be >> >> >> fixed. Preferrably through a new ID range, if those entries use IDs >> >> >> which are outside of the main ID range. >> >> >> >> >> >> > >> >> >> >Also on ipa 4.11 they support dedicated ssh key based >> >> >> >authentication.Ofcourse now also its working. >> >> >> > >> >> >> >My setup is that I have internal dns which is handled by a puppet >> and >> >> >> >slowly will move it to a dedicated internal dns server so that's >> why i >> >> >> >opted for ipa installation without dns. >> >> >> > >> >> >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy < >> abokovoy(a)redhat.com >> >> > >> >> >> >wrote: >> >> >> > >> >> >> >> On Пан, 27 ліс 2023, Pradeep KNS via FreeIPA-users wrote: >> >> >> >> >Hi Rob, >> >> >> >> >Thank you for your email. I've identified the issue. >> >> >> >> >When attempting to create a user using the 'ipa user-add' >> command >> >> and >> >> >> >> >defining the UID and GID according to my specifications, the UID >> >> falls >> >> >> >> >within the 4-digit range, for instance, 4141. The >> >> >> >> >IPA IDs range during installation was set to 770000. Users >> created >> >> >> within >> >> >> >> >this range are accepted with their passwords. However, users >> created >> >> >> with >> >> >> >> >UIDs like 4141 or 4142 encounter issues. >> >> >> >> > >> >> >> >> >Looks like attributes, were not creating >> >> >> >> > >> >> >> >> >objectclass: top, person, organizationalperson, inetorgperson, >> >> >> inetuser, >> >> >> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, >> >> >> ipasshuser, >> >> >> >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs >> >> >> >> > >> >> >> >> >If i mention uid and gid using ipa user-add command >> >> >> >> >ipantuserattrs is not getting create. >> >> >> >> > >> >> >> >> >I tried to modify default range but it dint happened. >> >> >> >> >> >> >> >> See my answers in a parallel thread 'kinit fails on freeipa >> master: >> >> File >> >> >> >> or directory not found'. >> >> >> >> >> >> >> >> > >> >> >> >> > >> >> >> >> > >> >> >> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden < >> rcritten(a)redhat.com >> >> > >> >> >> >> wrote: >> >> >> >> > >> >> >> >> >> Pradeep KNS wrote: >> >> >> >> >> > Hi, >> >> >> >> >> > I have installed an ipa with internal dns.After installing >> >> updated >> >> >> >> >> > entries on dns as well. >> >> >> >> >> > >> >> >> >> >> > My main criteria is to communicate with ipa clients with ssh >> >> >> keybased >> >> >> >> >> > authentication which is working fine. >> >> >> >> >> > >> >> >> >> >> > Today i tot of i want to test with password based >> authentication >> >> >> which >> >> >> >> >> > is not happening.I dont know where i am missing >> >> >> >> >> > >> >> >> >> >> > >> >> >> >> >> > [root(a)example.com <mailto:root@example.com>]# ipa --version >> >> >> >> >> > VERSION: 4.10.1, API_VERSION: 2.251 >> >> >> >> >> > [root(a)example.com <mailto:root@example.com>]# >> >> >> >> >> > >> >> >> >> >> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE >> >> >> FOLLOWING >> >> >> >> >> > BACKTRACE: >> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] >> [tgt_req_child] >> >> >> >> >> > (0x1000): [RID#15] Password was expired >> >> >> >> >> >> >> >> >> >> The user's password is expired. >> >> >> >> >> >> >> >> >> >> IPA intends that only the end-user knows their password. So >> if it >> >> is >> >> >> set >> >> >> >> >> or reset by an administrator the user will need to change it. >> >> >> >> >> >> >> >> >> >> Is the user not prompted to reset it? >> >> >> >> >> >> >> >> >> >> rob >> >> >> >> >> >> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] >> >> >> [sss_krb5_responder] >> >> >> >> >> > (0x4000): [RID#15] Got question [password]. >> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] >> >> [map_krb5_error] >> >> >> >> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see >> >> e-text)] >> >> >> >> >> > ********************** BACKTRACE DUMP ENDS HERE >> >> >> >> >> > ********************************* >> >> >> >> >> > >> >> >> >> >> > ssh log >> >> >> >> >> > >> >> >> >> >> > Nov 23 19:33:16 test-example.com <http://test-example.com> >> >> >> >> sshd[11586]: >> >> >> >> >> > pam_sss(sshd:auth): authentication failure; logname= uid=0 >> >> euid=0 >> >> >> >> >> > tty=ssh ruser= rhost=10.10.1.1 user=harsh >> >> >> >> >> > Nov 23 19:33:16 test-example.com <http://test-example.com> >> >> >> >> sshd[11586]: >> >> >> >> >> > pam_sss(sshd:auth): received for user harsh: 4 (System >> error) >> >> >> >> >> > Nov 23 19:33:18test-example.com <http://18test-example.com> >> >> >> >> sshd[11584]: >> >> >> >> >> > error: PAM: Authentication failure for harsh from 10.10.1.1 >> >> >> >> >> > Nov 23 19:33:20 test-example.com <http://test-example.com> >> >> >> >> sshd[11584]: >> >> >> >> >> > Connection closed by authenticating user harsh 10.10.1.1 >> port >> >> 47724 >> >> >> >> >> > [preauth] >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> -- >> >> >> >> / Alexander Bokovoy >> >> >> >> Sr. Principal Software Engineer >> >> >> >> Security / Identity Management Engineering >> >> >> >> Red Hat Limited, Finland >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> -- >> >> >> / Alexander Bokovoy >> >> >> Sr. Principal Software Engineer >> >> >> Security / Identity Management Engineering >> >> >> Red Hat Limited, Finland >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> -- >> >> / Alexander Bokovoy >> >> Sr. Principal Software Engineer >> >> Security / Identity Management Engineering >> >> Red Hat Limited, Finland >> >> >> >> >> >> >> >> >> -- >> / Alexander Bokovoy >> Sr. Principal Software Engineer >> Security / Identity Management Engineering >> Red Hat Limited, Finland >> >>

ok but in my case i don't use AD,Windows authentication or replica etc, just the centralised authentication system all are redhat os installed servers. In this case also i need to create a base RID?

On Tue, Nov 28, 2023 at 4:30 PM Alexander Bokovoy <abokovoy(a)redhat.com&gt; wrote: > On Аўт, 28 ліс 2023, Pradeep KNS wrote: > >Alexander, > > > >Thanks for that document.Bit of that i did it but it dint worked looks > like > >i might followed some wrong steps. > > > >My default id range mentioned below > >ipa idrange-find --all --raw > >---------------- > >2 ranges matched > >---------------- > > dn: cn=REALM_id_range,cn=ranges,cn=etc,dc=$SUFFIX > > cn: REALM_id_range > > ipabaseid: 771000000 > > ipaidrangesize: 200000 > > ipabaserid: 1000 > > ipasecondarybaserid: 100000000 > > iparangetype: ipa-local > > objectclass: top > > objectclass: ipaIDrange > > objectclass: ipaDomainIDRange > > > > dn: cn=REALM_subid_range,cn=ranges,cn=etc,dc=SUFFIX > > cn: REALM_subid_range > > ipabaseid: 2147483648 > > ipaidrangesize: 2147352576 > > ipabaserid: 2147283648 > > ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364 > > iparangetype: ipa-ad-trust > > objectclass: top > > objectclass: ipaIDrange > > objectclass: ipaTrustedADDomainRange > > > >################################## > >Manually created ID range > > > >[root@ipa-mum1 ~]# ipa idrange-find --all --raw > >---------------- > >3 ranges matched > >---------------- > > dn: cn=REALM_id_new_range,cn=ranges,cn=etc,dc=SUFFIX > > cn: REALM_id_new_range > > ipabaseid: 1000 > > ipaidrangesize: 200000 > > iparangetype: ipa-local > > objectclass: ipaIDrange > > objectclass: ipadomainidrange > > You created a new ID range but this range has no RID bases. Therefore, > the range cannot be used for SID assignment. > > The KCS article has a section about RID bases and how to choose them, > please follow that. > > > > >Then i created the user name called test user post it dint created > expected > >user attribute > > > >root@ipa~]#ipa user-add testuser --first=Test --last=User -uid=5189 > >--gidnumber=4141 --password > >root@ipa ~]# ipa user-show testuser --all > > dn: uid=testuser,cn=users,cn=accounts,dc=real > > User login: testuser > > First name: Test > > Last name: User > > Full name: Test User > > Display name: Testuser > > Initials: TU > > Home directory: /home/testuser > > GECOS: Test User > > Login shell: /bin/bash > > Principal name: testuser(a)REALM.COM > > Principal alias: testuser(a)REALM.COM > > User password expiration: 20231124144147Z > > UID: 5189 > > GID: 4141 > > Account disabled: False > > Preserved user: False > > Password: True > > Member of groups: ipausers > > Kerberos keys available: True > > ipauniqueid: 88e7da44-8ad7-11ee-b06e-a68c8b95f346 > > krbextradata: AAIrtmBlcm9vdC9hZG1pbkBBTFBIQS1HUkVQLkNPTQA= > > krblastadminunlock: 20231124144147Z > > krblastpwdchange: 20231124144147Z > > krbloginfailedcount: 0 > > mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com > > objectclass: top, person, organizationalperson, inetorgperson, inetuser, > >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, > >ipaSshGroupOfPubKeys, mepOriginEntry > > > >The above method followed but after creating another id range manually, I > >don't know where I missed post creation of ranges, for somehow it didn't > >work. That's why I followed that generic method creating users and > >modifying it manually. > >PLease suggest me. > > > >On Tue, Nov 28, 2023 at 2:56 PM Pradeep KNS <kns.pradeep(a)alpha-grep.com&gt; > >wrote: > > > >> Thanks will go through it. > >> > >> On Tue, Nov 28, 2023 at 2:54 PM Alexander Bokovoy <abokovoy(a)redhat.com&gt; > >> wrote: > >> > >>> On Аўт, 28 ліс 2023, Pradeep KNS wrote: > >>> >Could you please help me with those threads here to regenerate sid’s. > >>> > >>> https://access.redhat.com/articles/7027037 > >>> > >>> > > >>> > > >>> >On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy < > abokovoy(a)redhat.com&gt; > >>> >wrote: > >>> > > >>> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: > >>> >> >Yeah, > >>> >> >But my default id range starts with 770000 but all my existing > >>> >> >infrastructure uid's are within 4 digits like 4147,8921,9756 like > >>> this. > >>> >> >Here I am facing an issue. > >>> >> > > >>> >> >That's why I am creating users with default id range and then > later I > >>> am > >>> >> >modifying it via uid's as per my infrastructure then ipantuserattrs > >>> >> created > >>> >> >and I am able to authenticate with password. > >>> >> > >>> >> This is wrong. > >>> >> > >>> >> > > >>> >> >Can you suggest to me that with this setup i can easily handle > >>> 350Users > >>> >> for > >>> >> >around 400 servers across different different locations with cache > of > >>> >> >storing on ipa clients. > >>> >> > >>> >> As I already said in other threads, create additional ID range that > >>> >> covers your 4-digit IDs, then re-run SID generation to make sure > those > >>> >> users get proper SIDs. > >>> >> > >>> >> This is covered in the KCS. > >>> >> > >>> >> > > >>> >> >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy < > >>> abokovoy(a)redhat.com&gt; > >>> >> >wrote: > >>> >> > > >>> >> >> Please don't drop mailing list. > >>> >> >> > >>> >> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: > >>> >> >> >Hey Alexander, > >>> >> >> > > >>> >> >> >Thanks For the Reply. > >>> >> >> > > >>> >> >> >But in my case i have fixed it by recreating the user on Ipa web > >>> UI and > >>> >> >> >observing ipantuserattrs created password logins are working > fine. > >>> >> >> > > >>> >> >> >But do I face any issues if I try to modify the base id range > >>> >> manually? as > >>> >> >> >per redhat docs which is not recommended to modify. > >>> >> >> > >>> >> >> If you have re-created your user and that new one works, it means > >>> >> >> underlying infrastructure works properly. Older user entries need > >>> to be > >>> >> >> fixed. Preferrably through a new ID range, if those entries use > IDs > >>> >> >> which are outside of the main ID range. > >>> >> >> > >>> >> >> > > >>> >> >> >Also on ipa 4.11 they support dedicated ssh key based > >>> >> >> >authentication.Ofcourse now also its working. > >>> >> >> > > >>> >> >> >My setup is that I have internal dns which is handled by a > puppet > >>> and > >>> >> >> >slowly will move it to a dedicated internal dns server so that's > >>> why i > >>> >> >> >opted for ipa installation without dns. > >>> >> >> > > >>> >> >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy < > >>> abokovoy(a)redhat.com > >>> >> > > >>> >> >> >wrote: > >>> >> >> > > >>> >> >> >> On Пан, 27 ліс 2023, Pradeep KNS via FreeIPA-users wrote: > >>> >> >> >> >Hi Rob, > >>> >> >> >> >Thank you for your email. I've identified the issue. > >>> >> >> >> >When attempting to create a user using the 'ipa user-add' > >>> command > >>> >> and > >>> >> >> >> >defining the UID and GID according to my specifications, the > UID > >>> >> falls > >>> >> >> >> >within the 4-digit range, for instance, 4141. The > >>> >> >> >> >IPA IDs range during installation was set to 770000. Users > >>> created > >>> >> >> within > >>> >> >> >> >this range are accepted with their passwords. However, users > >>> created > >>> >> >> with > >>> >> >> >> >UIDs like 4141 or 4142 encounter issues. > >>> >> >> >> > > >>> >> >> >> >Looks like attributes, were not creating > >>> >> >> >> > > >>> >> >> >> >objectclass: top, person, organizationalperson, > inetorgperson, > >>> >> >> inetuser, > >>> >> >> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, > >>> >> >> ipasshuser, > >>> >> >> >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs > >>> >> >> >> > > >>> >> >> >> >If i mention uid and gid using ipa user-add command > >>> >> >> >> >ipantuserattrs is not getting create. > >>> >> >> >> > > >>> >> >> >> >I tried to modify default range but it dint happened. > >>> >> >> >> > >>> >> >> >> See my answers in a parallel thread 'kinit fails on freeipa > >>> master: > >>> >> File > >>> >> >> >> or directory not found'. > >>> >> >> >> > >>> >> >> >> > > >>> >> >> >> > > >>> >> >> >> > > >>> >> >> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden < > >>> rcritten(a)redhat.com > >>> >> > > >>> >> >> >> wrote: > >>> >> >> >> > > >>> >> >> >> >> Pradeep KNS wrote: > >>> >> >> >> >> > Hi, > >>> >> >> >> >> > I have installed an ipa with internal dns.After > installing > >>> >> updated > >>> >> >> >> >> > entries on dns as well. > >>> >> >> >> >> > > >>> >> >> >> >> > My main criteria is to communicate with ipa clients with > ssh > >>> >> >> keybased > >>> >> >> >> >> > authentication which is working fine. > >>> >> >> >> >> > > >>> >> >> >> >> > Today i tot of i want to test with password based > >>> authentication > >>> >> >> which > >>> >> >> >> >> > is not happening.I dont know where i am missing > >>> >> >> >> >> > > >>> >> >> >> >> > > >>> >> >> >> >> > [root(a)example.com <mailto:root@example.com>]# ipa > --version > >>> >> >> >> >> > VERSION: 4.10.1, API_VERSION: 2.251 > >>> >> >> >> >> > [root(a)example.com <mailto:root@example.com>]# > >>> >> >> >> >> > > >>> >> >> >> >> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY > THE > >>> >> >> FOLLOWING > >>> >> >> >> >> > BACKTRACE: > >>> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] > >>> [tgt_req_child] > >>> >> >> >> >> > (0x1000): [RID#15] Password was expired > >>> >> >> >> >> > >>> >> >> >> >> The user's password is expired. > >>> >> >> >> >> > >>> >> >> >> >> IPA intends that only the end-user knows their password. So > >>> if it > >>> >> is > >>> >> >> set > >>> >> >> >> >> or reset by an administrator the user will need to change > it. > >>> >> >> >> >> > >>> >> >> >> >> Is the user not prompted to reset it? > >>> >> >> >> >> > >>> >> >> >> >> rob > >>> >> >> >> >> > >>> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] > >>> >> >> [sss_krb5_responder] > >>> >> >> >> >> > (0x4000): [RID#15] Got question [password]. > >>> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] > >>> >> [map_krb5_error] > >>> >> >> >> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see > >>> >> e-text)] > >>> >> >> >> >> > ********************** BACKTRACE DUMP ENDS HERE > >>> >> >> >> >> > ********************************* > >>> >> >> >> >> > > >>> >> >> >> >> > ssh log > >>> >> >> >> >> > > >>> >> >> >> >> > Nov 23 19:33:16 test-example.com < > http://test-example.com> > >>> >> >> >> sshd[11586]: > >>> >> >> >> >> > pam_sss(sshd:auth): authentication failure; logname= > uid=0 > >>> >> euid=0 > >>> >> >> >> >> > tty=ssh ruser= rhost=10.10.1.1 user=harsh > >>> >> >> >> >> > Nov 23 19:33:16 test-example.com < > http://test-example.com> > >>> >> >> >> sshd[11586]: > >>> >> >> >> >> > pam_sss(sshd:auth): received for user harsh: 4 (System > >>> error) > >>> >> >> >> >> > Nov 23 19:33:18test-example.com < > http://18test-example.com> > >>> >> >> >> sshd[11584]: > >>> >> >> >> >> > error: PAM: Authentication failure for harsh from > 10.10.1.1 > >>> >> >> >> >> > Nov 23 19:33:20 test-example.com < > http://test-example.com> > >>> >> >> >> sshd[11584]: > >>> >> >> >> >> > Connection closed by authenticating user harsh 10.10.1.1 > >>> port > >>> >> 47724 > >>> >> >> >> >> > [preauth] > >>> >> >> >> >> > >>> >> >> >> >> > >>> >> >> >> >> > >>> >> >> >> > >>> >> >> >> > >>> >> >> >> > >>> >> >> >> > >>> >> >> >> -- > >>> >> >> >> / Alexander Bokovoy > >>> >> >> >> Sr. Principal Software Engineer > >>> >> >> >> Security / Identity Management Engineering > >>> >> >> >> Red Hat Limited, Finland > >>> >> >> >> > >>> >> >> >> > >>> >> >> > >>> >> >> > >>> >> >> > >>> >> >> > >>> >> >> -- > >>> >> >> / Alexander Bokovoy > >>> >> >> Sr. Principal Software Engineer > >>> >> >> Security / Identity Management Engineering > >>> >> >> Red Hat Limited, Finland > >>> >> >> > >>> >> >> > >>> >> > >>> >> > >>> >> > >>> >> > >>> >> -- > >>> >> / Alexander Bokovoy > >>> >> Sr. Principal Software Engineer > >>> >> Security / Identity Management Engineering > >>> >> Red Hat Limited, Finland > >>> >> > >>> >> > >>> > >>> > >>> > >>> > >>> -- > >>> / Alexander Bokovoy > >>> Sr. Principal Software Engineer > >>> Security / Identity Management Engineering > >>> Red Hat Limited, Finland > >>> > >>> > > > > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering > Red Hat Limited, Finland > >

Thanks a lot and I will Go through it. On Tue, Nov 28, 2023 at 4:56 PM Alexander Bokovoy <abokovoy(a)redhat.com&gt; wrote: > On Аўт, 28 ліс 2023, Pradeep KNS wrote: > >ok but in my case i don't use AD,Windows authentication or replica etc, > >just the centralised authentication system all are redhat os installed > >servers. > >In this case also i need to create a base RID? > > Yes. You keep ignoring my references to previous discussions. > > You will not get it working without proper SIDs because we require PAC > presence to protect against Kerberos impersonation. This is not a > theoretical probability anymore since November 2022 Microsoft security > updates. The same attacks apply to all Kerberos environments and current > way of protecting against them is to utilize MS-PAC buffers with > appropriate signatures and checksums. PAC buffers require use of SIDs to > address objects and that is what we enforce now. > > If you still want to know details, I'd suggest to watch at least the two > talks we gave at SambaXP past few years: > > - "Kerberos" by Andrew Bartlett > > https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Ker... > > - Samba AD / MIT Kerberos: path out of experimental by me and Andreas > > https://sambaxp.org/fileadmin/user_upload/sambaxp2023-Slides/Bokovoy_Schn... > https://youtu.be/0_cdYuIYw0o > > While these talk about Samba AD, the changes went to both Samba and > FreeIPA, as well as MIT Kerberos (and Microsoft's Active Directory too). > > So, look at the KCS I gave, understand how to add RID bases to your new > ID range and fix your problem through that. > > > > >On Tue, Nov 28, 2023 at 4:30 PM Alexander Bokovoy <abokovoy(a)redhat.com&gt; > >wrote: > > > >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: > >> >Alexander, > >> > > >> >Thanks for that document.Bit of that i did it but it dint worked looks > >> like > >> >i might followed some wrong steps. > >> > > >> >My default id range mentioned below > >> >ipa idrange-find --all --raw > >> >---------------- > >> >2 ranges matched > >> >---------------- > >> > dn: cn=REALM_id_range,cn=ranges,cn=etc,dc=$SUFFIX > >> > cn: REALM_id_range > >> > ipabaseid: 771000000 > >> > ipaidrangesize: 200000 > >> > ipabaserid: 1000 > >> > ipasecondarybaserid: 100000000 > >> > iparangetype: ipa-local > >> > objectclass: top > >> > objectclass: ipaIDrange > >> > objectclass: ipaDomainIDRange > >> > > >> > dn: cn=REALM_subid_range,cn=ranges,cn=etc,dc=SUFFIX > >> > cn: REALM_subid_range > >> > ipabaseid: 2147483648 > >> > ipaidrangesize: 2147352576 > >> > ipabaserid: 2147283648 > >> > ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364 > >> > iparangetype: ipa-ad-trust > >> > objectclass: top > >> > objectclass: ipaIDrange > >> > objectclass: ipaTrustedADDomainRange > >> > > >> >################################## > >> >Manually created ID range > >> > > >> >[root@ipa-mum1 ~]# ipa idrange-find --all --raw > >> >---------------- > >> >3 ranges matched > >> >---------------- > >> > dn: cn=REALM_id_new_range,cn=ranges,cn=etc,dc=SUFFIX > >> > cn: REALM_id_new_range > >> > ipabaseid: 1000 > >> > ipaidrangesize: 200000 > >> > iparangetype: ipa-local > >> > objectclass: ipaIDrange > >> > objectclass: ipadomainidrange > >> > >> You created a new ID range but this range has no RID bases. Therefore, > >> the range cannot be used for SID assignment. > >> > >> The KCS article has a section about RID bases and how to choose them, > >> please follow that. > >> > >> > > >> >Then i created the user name called test user post it dint created > >> expected > >> >user attribute > >> > > >> >root@ipa~]#ipa user-add testuser --first=Test --last=User -uid=5189 > >> >--gidnumber=4141 --password > >> >root@ipa ~]# ipa user-show testuser --all > >> > dn: uid=testuser,cn=users,cn=accounts,dc=real > >> > User login: testuser > >> > First name: Test > >> > Last name: User > >> > Full name: Test User > >> > Display name: Testuser > >> > Initials: TU > >> > Home directory: /home/testuser > >> > GECOS: Test User > >> > Login shell: /bin/bash > >> > Principal name: testuser(a)REALM.COM > >> > Principal alias: testuser(a)REALM.COM > >> > User password expiration: 20231124144147Z > >> > UID: 5189 > >> > GID: 4141 > >> > Account disabled: False > >> > Preserved user: False > >> > Password: True > >> > Member of groups: ipausers > >> > Kerberos keys available: True > >> > ipauniqueid: 88e7da44-8ad7-11ee-b06e-a68c8b95f346 > >> > krbextradata: AAIrtmBlcm9vdC9hZG1pbkBBTFBIQS1HUkVQLkNPTQA= > >> > krblastadminunlock: 20231124144147Z > >> > krblastpwdchange: 20231124144147Z > >> > krbloginfailedcount: 0 > >> > mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com > >> > objectclass: top, person, organizationalperson, inetorgperson, > inetuser, > >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, > ipasshuser, > >> >ipaSshGroupOfPubKeys, mepOriginEntry > >> > > >> >The above method followed but after creating another id range > manually, I > >> >don't know where I missed post creation of ranges, for somehow it > didn't > >> >work. That's why I followed that generic method creating users and > >> >modifying it manually. > >> >PLease suggest me. > >> > > >> >On Tue, Nov 28, 2023 at 2:56 PM Pradeep KNS < > kns.pradeep(a)alpha-grep.com&gt; > >> >wrote: > >> > > >> >> Thanks will go through it. > >> >> > >> >> On Tue, Nov 28, 2023 at 2:54 PM Alexander Bokovoy < > abokovoy(a)redhat.com&gt; > >> >> wrote: > >> >> > >> >>> On Аўт, 28 ліс 2023, Pradeep KNS wrote: > >> >>> >Could you please help me with those threads here to regenerate > sid’s. > >> >>> > >> >>> https://access.redhat.com/articles/7027037 > >> >>> > >> >>> > > >> >>> > > >> >>> >On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy < > >> abokovoy(a)redhat.com&gt; > >> >>> >wrote: > >> >>> > > >> >>> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: > >> >>> >> >Yeah, > >> >>> >> >But my default id range starts with 770000 but all my existing > >> >>> >> >infrastructure uid's are within 4 digits like 4147,8921,9756 > like > >> >>> this. > >> >>> >> >Here I am facing an issue. > >> >>> >> > > >> >>> >> >That's why I am creating users with default id range and then > >> later I > >> >>> am > >> >>> >> >modifying it via uid's as per my infrastructure then > ipantuserattrs > >> >>> >> created > >> >>> >> >and I am able to authenticate with password. > >> >>> >> > >> >>> >> This is wrong. > >> >>> >> > >> >>> >> > > >> >>> >> >Can you suggest to me that with this setup i can easily handle > >> >>> 350Users > >> >>> >> for > >> >>> >> >around 400 servers across different different locations with > cache > >> of > >> >>> >> >storing on ipa clients. > >> >>> >> > >> >>> >> As I already said in other threads, create additional ID range > that > >> >>> >> covers your 4-digit IDs, then re-run SID generation to make sure > >> those > >> >>> >> users get proper SIDs. > >> >>> >> > >> >>> >> This is covered in the KCS. > >> >>> >> > >> >>> >> > > >> >>> >> >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy < > >> >>> abokovoy(a)redhat.com&gt; > >> >>> >> >wrote: > >> >>> >> > > >> >>> >> >> Please don't drop mailing list. > >> >>> >> >> > >> >>> >> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: > >> >>> >> >> >Hey Alexander, > >> >>> >> >> > > >> >>> >> >> >Thanks For the Reply. > >> >>> >> >> > > >> >>> >> >> >But in my case i have fixed it by recreating the user on > Ipa web > >> >>> UI and > >> >>> >> >> >observing ipantuserattrs created password logins are working > >> fine. > >> >>> >> >> > > >> >>> >> >> >But do I face any issues if I try to modify the base id > range > >> >>> >> manually? as > >> >>> >> >> >per redhat docs which is not recommended to modify. > >> >>> >> >> > >> >>> >> >> If you have re-created your user and that new one works, it > means > >> >>> >> >> underlying infrastructure works properly. Older user entries > need > >> >>> to be > >> >>> >> >> fixed. Preferrably through a new ID range, if those entries > use > >> IDs > >> >>> >> >> which are outside of the main ID range. > >> >>> >> >> > >> >>> >> >> > > >> >>> >> >> >Also on ipa 4.11 they support dedicated ssh key based > >> >>> >> >> >authentication.Ofcourse now also its working. > >> >>> >> >> > > >> >>> >> >> >My setup is that I have internal dns which is handled by a > >> puppet > >> >>> and > >> >>> >> >> >slowly will move it to a dedicated internal dns server so > that's > >> >>> why i > >> >>> >> >> >opted for ipa installation without dns. > >> >>> >> >> > > >> >>> >> >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy < > >> >>> abokovoy(a)redhat.com > >> >>> >> > > >> >>> >> >> >wrote: > >> >>> >> >> > > >> >>> >> >> >> On Пан, 27 ліс 2023, Pradeep KNS via FreeIPA-users wrote: > >> >>> >> >> >> >Hi Rob, > >> >>> >> >> >> >Thank you for your email. I've identified the issue. > >> >>> >> >> >> >When attempting to create a user using the 'ipa user-add' > >> >>> command > >> >>> >> and > >> >>> >> >> >> >defining the UID and GID according to my specifications, > the > >> UID > >> >>> >> falls > >> >>> >> >> >> >within the 4-digit range, for instance, 4141. The > >> >>> >> >> >> >IPA IDs range during installation was set to 770000. > Users > >> >>> created > >> >>> >> >> within > >> >>> >> >> >> >this range are accepted with their passwords. However, > users > >> >>> created > >> >>> >> >> with > >> >>> >> >> >> >UIDs like 4141 or 4142 encounter issues. > >> >>> >> >> >> > > >> >>> >> >> >> >Looks like attributes, were not creating > >> >>> >> >> >> > > >> >>> >> >> >> >objectclass: top, person, organizationalperson, > >> inetorgperson, > >> >>> >> >> inetuser, > >> >>> >> >> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, > ipaobject, > >> >>> >> >> ipasshuser, > >> >>> >> >> >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs > >> >>> >> >> >> > > >> >>> >> >> >> >If i mention uid and gid using ipa user-add command > >> >>> >> >> >> >ipantuserattrs is not getting create. > >> >>> >> >> >> > > >> >>> >> >> >> >I tried to modify default range but it dint happened. > >> >>> >> >> >> > >> >>> >> >> >> See my answers in a parallel thread 'kinit fails on > freeipa > >> >>> master: > >> >>> >> File > >> >>> >> >> >> or directory not found'. > >> >>> >> >> >> > >> >>> >> >> >> > > >> >>> >> >> >> > > >> >>> >> >> >> > > >> >>> >> >> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden < > >> >>> rcritten(a)redhat.com > >> >>> >> > > >> >>> >> >> >> wrote: > >> >>> >> >> >> > > >> >>> >> >> >> >> Pradeep KNS wrote: > >> >>> >> >> >> >> > Hi, > >> >>> >> >> >> >> > I have installed an ipa with internal dns.After > >> installing > >> >>> >> updated > >> >>> >> >> >> >> > entries on dns as well. > >> >>> >> >> >> >> > > >> >>> >> >> >> >> > My main criteria is to communicate with ipa clients > with > >> ssh > >> >>> >> >> keybased > >> >>> >> >> >> >> > authentication which is working fine. > >> >>> >> >> >> >> > > >> >>> >> >> >> >> > Today i tot of i want to test with password based > >> >>> authentication > >> >>> >> >> which > >> >>> >> >> >> >> > is not happening.I dont know where i am missing > >> >>> >> >> >> >> > > >> >>> >> >> >> >> > > >> >>> >> >> >> >> > [root(a)example.com <mailto:root@example.com>]# ipa > >> --version > >> >>> >> >> >> >> > VERSION: 4.10.1, API_VERSION: 2.251 > >> >>> >> >> >> >> > [root(a)example.com <mailto:root@example.com>]# > >> >>> >> >> >> >> > > >> >>> >> >> >> >> > ********************** PREVIOUS MESSAGE WAS > TRIGGERED BY > >> THE > >> >>> >> >> FOLLOWING > >> >>> >> >> >> >> > BACKTRACE: > >> >>> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] > >> >>> [tgt_req_child] > >> >>> >> >> >> >> > (0x1000): [RID#15] Password was expired > >> >>> >> >> >> >> > >> >>> >> >> >> >> The user's password is expired. > >> >>> >> >> >> >> > >> >>> >> >> >> >> IPA intends that only the end-user knows their > password. So > >> >>> if it > >> >>> >> is > >> >>> >> >> set > >> >>> >> >> >> >> or reset by an administrator the user will need to > change > >> it. > >> >>> >> >> >> >> > >> >>> >> >> >> >> Is the user not prompted to reset it? > >> >>> >> >> >> >> > >> >>> >> >> >> >> rob > >> >>> >> >> >> >> > >> >>> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] > >> >>> >> >> [sss_krb5_responder] > >> >>> >> >> >> >> > (0x4000): [RID#15] Got question [password]. > >> >>> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] > >> >>> >> [map_krb5_error] > >> >>> >> >> >> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error > (see > >> >>> >> e-text)] > >> >>> >> >> >> >> > ********************** BACKTRACE DUMP ENDS HERE > >> >>> >> >> >> >> > ********************************* > >> >>> >> >> >> >> > > >> >>> >> >> >> >> > ssh log > >> >>> >> >> >> >> > > >> >>> >> >> >> >> > Nov 23 19:33:16 test-example.com < > >> http://test-example.com> > >> >>> >> >> >> sshd[11586]: > >> >>> >> >> >> >> > pam_sss(sshd:auth): authentication failure; logname= > >> uid=0 > >> >>> >> euid=0 > >> >>> >> >> >> >> > tty=ssh ruser= rhost=10.10.1.1 user=harsh > >> >>> >> >> >> >> > Nov 23 19:33:16 test-example.com < > >> http://test-example.com> > >> >>> >> >> >> sshd[11586]: > >> >>> >> >> >> >> > pam_sss(sshd:auth): received for user harsh: 4 > (System > >> >>> error) > >> >>> >> >> >> >> > Nov 23 19:33:18test-example.com < > >> http://18test-example.com> > >> >>> >> >> >> sshd[11584]: > >> >>> >> >> >> >> > error: PAM: Authentication failure for harsh from > >> 10.10.1.1 > >> >>> >> >> >> >> > Nov 23 19:33:20 test-example.com < > >> http://test-example.com> > >> >>> >> >> >> sshd[11584]: > >> >>> >> >> >> >> > Connection closed by authenticating user harsh > 10.10.1.1 > >> >>> port > >> >>> >> 47724 > >> >>> >> >> >> >> > [preauth] > >> >>> >> >> >> >> > >> >>> >> >> >> >> > >> >>> >> >> >> >> > >> >>> >> >> >> > >> >>> >> >> >> > >> >>> >> >> >> > >> >>> >> >> >> > >> >>> >> >> >> -- > >> >>> >> >> >> / Alexander Bokovoy > >> >>> >> >> >> Sr. Principal Software Engineer > >> >>> >> >> >> Security / Identity Management Engineering > >> >>> >> >> >> Red Hat Limited, Finland > >> >>> >> >> >> > >> >>> >> >> >> > >> >>> >> >> > >> >>> >> >> > >> >>> >> >> > >> >>> >> >> > >> >>> >> >> -- > >> >>> >> >> / Alexander Bokovoy > >> >>> >> >> Sr. Principal Software Engineer > >> >>> >> >> Security / Identity Management Engineering > >> >>> >> >> Red Hat Limited, Finland > >> >>> >> >> > >> >>> >> >> > >> >>> >> > >> >>> >> > >> >>> >> > >> >>> >> > >> >>> >> -- > >> >>> >> / Alexander Bokovoy > >> >>> >> Sr. Principal Software Engineer > >> >>> >> Security / Identity Management Engineering > >> >>> >> Red Hat Limited, Finland > >> >>> >> > >> >>> >> > >> >>> > >> >>> > >> >>> > >> >>> > >> >>> -- > >> >>> / Alexander Bokovoy > >> >>> Sr. Principal Software Engineer > >> >>> Security / Identity Management Engineering > >> >>> Red Hat Limited, Finland > >> >>> > >> >>> > >> > >> > >> > >> > >> -- > >> / Alexander Bokovoy > >> Sr. Principal Software Engineer > >> Security / Identity Management Engineering > >> Red Hat Limited, Finland > >> > >> > > > > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering > Red Hat Limited, Finland > >

On Пят, 01 сне 2023, Pradeep KNS wrote: >Hey Alexander, > >I have tried installing a new IPA server with my expected ranges on my new >site and its working fine.Thanks for the document. > >I have observed a couple of errors. POSIX ID's 4248,4141,4121,4258..etc. >all are my infra group id's. > > >[30/Nov/2023:05:17:36.931522914 -0500] - ERR - sidgen_task_thread - [file >ipa_sidgen_task.c, line 194]: Sidgen task starts ... >[30/Nov/2023:05:17:36.933841900 -0500] - ERR - sidgen_task_thread - [file >ipa_sidgen_task.c, line 199]: Sidgen task finished [0]. >[30/Nov/2023:05:17:41.443256202 -0500] - ERR - schema-compat-plugin - >warning: no entries set up under ou=sudoers,dc=alpha-grep,dc=com >[30/Nov/2023:05:17:41.449472986 -0500] - ERR - schema-compat-plugin - >warning: no entries set up under cn=ng, cn=compat,dc=alpha-grep,dc=com >[30/Nov/2023:05:17:41.456705946 -0500] - ERR - schema-compat-plugin - >warning: no entries set up under cn=computers, >cn=compat,dc=alpha-grep,dc=com >[30/Nov/2023:05:17:41.457666134 -0500] - ERR - schema-compat-plugin - >Finished plugin initialization. >[30/Nov/2023:05:27:02.337803787 -0500] - ERR - find_sid_for_ldap_entry - >[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4141] into >an unused SID. 4141 is below base ID for the only ID range that could be used (starting with 5000). You need to add a range similar to your $REALM_id_range but which covers all these POSIX UID/GIDs. >[30/Nov/2023:05:27:02.338927487 -0500] - ERR - ipa_sidgen_add_post_op - >[file ipa_sidgen.c, line 149]: Cannot add SID to new entry. >[30/Nov/2023:06:03:06.173948392 -0500] - ERR - find_sid_for_ldap_entry - >[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4121] into >an unused SID. Same here. >[30/Nov/2023:06:03:06.174922473 -0500] - ERR - ipa_sidgen_add_post_op - >[file ipa_sidgen.c, line 149]: Cannot add SID to new entry. >[30/Nov/2023:06:22:36.616707461 -0500] - ERR - rid_to_sid_with_check - >[file ipa_sidgen_common.c, line 384]: SID >[S-1-5-21-3258431096-680571367-3483437258-16054] is already used. This SID is already used by some other object. >[30/Nov/2023:06:24:53.185373410 -0500] - ERR - find_sid_for_ldap_entry - >[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4258] into >an unused SID. Same here -- 4258 is below 5000. >[30/Nov/2023:06:24:53.186107898 -0500] - ERR - ipa_sidgen_add_post_op - >[file ipa_sidgen.c, line 149]: Cannot add SID to new entry. >[30/Nov/2023:07:07:48.738323141 -0500] - ERR - find_sid_for_ldap_entry - >[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into >an unused SID. Same here. >[30/Nov/2023:07:07:48.739492958 -0500] - ERR - ipa_sidgen_add_post_op - >[file ipa_sidgen.c, line 149]: Cannot add SID to new entry. >[30/Nov/2023:08:10:33.205867886 -0500] - ERR - find_sid_for_ldap_entry - >[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into >an unused SID. >[30/Nov/2023:08:10:33.206759596 -0500] - ERR - ipa_sidgen_add_post_op - >[file ipa_sidgen.c, line 149]: Cannot add SID to new entry. >[30/Nov/2023:08:33:53.787156179 -0500] - ERR - find_sid_for_ldap_entry - >[file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [4249] into >an unused SID. >[30/Nov/2023:08:33:53.788186638 -0500] - ERR - ipa_sidgen_add_post_op - >[file ipa_sidgen.c, line 149]: Cannot add SID to new entry. >[root@ipa- ~]# > > >[root@ipa-~]# ipa user-show test --all --raw > dn: uid=test,cn=users,cn=accounts,dc=$REAL > uid: test > givenname: test > sn: test > cn: test > initials: TE > homedirectory: /home/test > gecos: Test > loginshell: /bin/bash > krbcanonicalname: test(a)$REALM.COM > krbprincipalname: kpradeep(a)$REALM.COM > uidnumber: 5708 > gidnumber: 4141 > sshpubkeyfp: > nsaccountlock: FALSE > has_password: TRUE > has_keytab: TRUE > displayName: Test > ipaNTSecurityIdentifier: S-1-5-21-3258431096-680571367-3483437258-1708 > ipaSshPubKey: <key> > ipaUniqueID: <id> > krbExtraData: <data> > krbLastAdminUnlock: 20231130174441Z > krbLastPwdChange: 20231130174540Z > krbLoginFailedCount: 0 > krbPasswordExpiration: 20240228174540Z > krbTicketFlags: 128 > memberof: cn=admin,cn=groups,cn=accounts,dc=$real > memberof: cn=ipausers,cn=groups,cn=accounts,dc=$real > memberofindirect: >ipaUniqueID=8c81c2c6-8f6b-11ee-b685-a68c8b95f346,cn=sudorules,cn=sudo,dc=$real > mepManagedEntry: cn=test,cn=groups,cn=accounts,dc=$real > objectClass: top > objectClass: person > objectClass: organizationalperson > objectClass: inetorgperson > objectClass: inetuser > objectClass: posixaccount > objectClass: krbprincipalaux > objectClass: krbticketpolicyaux > objectClass: ipaobject > objectClass: ipasshuser > objectClass: ipaSshGroupOfPubKeys > objectClass: mepOriginEntry > objectClass: ipantuserattrs > > >[root@ipa- ~]# ipa idrange-find --all --raw >---------------- >2 ranges matched >---------------- > dn: cn=$REALM_id_range,cn=ranges,cn=etc,dc=$real > cn: $REALM_id_range > ipabaseid: 5000 > ipaidrangesize: 1995001 > ipabaserid: 1000 > ipasecondarybaserid: 100000000 > iparangetype: ipa-local > objectclass: top > objectclass: ipaIDrange > objectclass: ipaDomainIDRange > > dn: cn=$REALM_subid_range,cn=ranges,cn=etc,dc=$realm > cn: $REALM_subid_range > ipabaseid: 2147483648 > ipaidrangesize: 2147352576 > ipabaserid: 2145488647 > ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364 > iparangetype: ipa-ad-trust > objectclass: top > objectclass: ipaIDrange > objectclass: ipaTrustedADDomainRange >---------------------------- >Number of entries returned 2 >---------------------------- >[root@ipa ~]# > >On Tue, Nov 28, 2023 at 4:58 PM Pradeep KNS <kns.pradeep(a)alpha-grep.com&gt; >wrote: > >> Thanks a lot and I will Go through it. >> >> On Tue, Nov 28, 2023 at 4:56 PM Alexander Bokovoy <abokovoy(a)redhat.com&gt; >> wrote: >> >>> On Аўт, 28 ліс 2023, Pradeep KNS wrote: >>> >ok but in my case i don't use AD,Windows authentication or replica etc, >>> >just the centralised authentication system all are redhat os installed >>> >servers. >>> >In this case also i need to create a base RID? >>> >>> Yes. You keep ignoring my references to previous discussions. >>> >>> You will not get it working without proper SIDs because we require PAC >>> presence to protect against Kerberos impersonation. This is not a >>> theoretical probability anymore since November 2022 Microsoft security >>> updates. The same attacks apply to all Kerberos environments and current >>> way of protecting against them is to utilize MS-PAC buffers with >>> appropriate signatures and checksums. PAC buffers require use of SIDs to >>> address objects and that is what we enforce now. >>> >>> If you still want to know details, I'd suggest to watch at least the two >>> talks we gave at SambaXP past few years: >>> >>> - "Kerberos" by Andrew Bartlett >>> >>> https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Ker... >>> >>> - Samba AD / MIT Kerberos: path out of experimental by me and Andreas >>> >>> https://sambaxp.org/fileadmin/user_upload/sambaxp2023-Slides/Bokovoy_Schn... >>> https://youtu.be/0_cdYuIYw0o >>> >>> While these talk about Samba AD, the changes went to both Samba and >>> FreeIPA, as well as MIT Kerberos (and Microsoft's Active Directory too). >>> >>> So, look at the KCS I gave, understand how to add RID bases to your new >>> ID range and fix your problem through that. >>> >>> > >>> >On Tue, Nov 28, 2023 at 4:30 PM Alexander Bokovoy < abokovoy(a)redhat.com&gt; >>> >wrote: >>> > >>> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: >>> >> >Alexander, >>> >> > >>> >> >Thanks for that document.Bit of that i did it but it dint worked looks >>> >> like >>> >> >i might followed some wrong steps. >>> >> > >>> >> >My default id range mentioned below >>> >> >ipa idrange-find --all --raw >>> >> >---------------- >>> >> >2 ranges matched >>> >> >---------------- >>> >> > dn: cn=REALM_id_range,cn=ranges,cn=etc,dc=$SUFFIX >>> >> > cn: REALM_id_range >>> >> > ipabaseid: 771000000 >>> >> > ipaidrangesize: 200000 >>> >> > ipabaserid: 1000 >>> >> > ipasecondarybaserid: 100000000 >>> >> > iparangetype: ipa-local >>> >> > objectclass: top >>> >> > objectclass: ipaIDrange >>> >> > objectclass: ipaDomainIDRange >>> >> > >>> >> > dn: cn=REALM_subid_range,cn=ranges,cn=etc,dc=SUFFIX >>> >> > cn: REALM_subid_range >>> >> > ipabaseid: 2147483648 >>> >> > ipaidrangesize: 2147352576 >>> >> > ipabaserid: 2147283648 >>> >> > ipanttrusteddomainsid: S-1-5-21-738065-838566-1448868364 >>> >> > iparangetype: ipa-ad-trust >>> >> > objectclass: top >>> >> > objectclass: ipaIDrange >>> >> > objectclass: ipaTrustedADDomainRange >>> >> > >>> >> >################################## >>> >> >Manually created ID range >>> >> > >>> >> >[root@ipa-mum1 ~]# ipa idrange-find --all --raw >>> >> >---------------- >>> >> >3 ranges matched >>> >> >---------------- >>> >> > dn: cn=REALM_id_new_range,cn=ranges,cn=etc,dc=SUFFIX >>> >> > cn: REALM_id_new_range >>> >> > ipabaseid: 1000 >>> >> > ipaidrangesize: 200000 >>> >> > iparangetype: ipa-local >>> >> > objectclass: ipaIDrange >>> >> > objectclass: ipadomainidrange >>> >> >>> >> You created a new ID range but this range has no RID bases. Therefore, >>> >> the range cannot be used for SID assignment. >>> >> >>> >> The KCS article has a section about RID bases and how to choose them, >>> >> please follow that. >>> >> >>> >> > >>> >> >Then i created the user name called test user post it dint created >>> >> expected >>> >> >user attribute >>> >> > >>> >> >root@ipa~]#ipa user-add testuser --first=Test --last=User -uid=5189 >>> >> >--gidnumber=4141 --password >>> >> >root@ipa ~]# ipa user-show testuser --all >>> >> > dn: uid=testuser,cn=users,cn=accounts,dc=real >>> >> > User login: testuser >>> >> > First name: Test >>> >> > Last name: User >>> >> > Full name: Test User >>> >> > Display name: Testuser >>> >> > Initials: TU >>> >> > Home directory: /home/testuser >>> >> > GECOS: Test User >>> >> > Login shell: /bin/bash >>> >> > Principal name: testuser(a)REALM.COM >>> >> > Principal alias: testuser(a)REALM.COM >>> >> > User password expiration: 20231124144147Z >>> >> > UID: 5189 >>> >> > GID: 4141 >>> >> > Account disabled: False >>> >> > Preserved user: False >>> >> > Password: True >>> >> > Member of groups: ipausers >>> >> > Kerberos keys available: True >>> >> > ipauniqueid: 88e7da44-8ad7-11ee-b06e-a68c8b95f346 >>> >> > krbextradata: AAIrtmBlcm9vdC9hZG1pbkBBTFBIQS1HUkVQLkNPTQA= >>> >> > krblastadminunlock: 20231124144147Z >>> >> > krblastpwdchange: 20231124144147Z >>> >> > krbloginfailedcount: 0 >>> >> > mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com >>> >> > objectclass: top, person, organizationalperson, inetorgperson, >>> inetuser, >>> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, >>> ipasshuser, >>> >> >ipaSshGroupOfPubKeys, mepOriginEntry >>> >> > >>> >> >The above method followed but after creating another id range >>> manually, I >>> >> >don't know where I missed post creation of ranges, for somehow it >>> didn't >>> >> >work. That's why I followed that generic method creating users and >>> >> >modifying it manually. >>> >> >PLease suggest me. >>> >> > >>> >> >On Tue, Nov 28, 2023 at 2:56 PM Pradeep KNS < >>> kns.pradeep(a)alpha-grep.com&gt; >>> >> >wrote: >>> >> > >>> >> >> Thanks will go through it. >>> >> >> >>> >> >> On Tue, Nov 28, 2023 at 2:54 PM Alexander Bokovoy < >>> abokovoy(a)redhat.com&gt; >>> >> >> wrote: >>> >> >> >>> >> >>> On Аўт, 28 ліс 2023, Pradeep KNS wrote: >>> >> >>> >Could you please help me with those threads here to regenerate >>> sid’s. >>> >> >>> >>> >> >>> https://access.redhat.com/articles/7027037 >>> >> >>> >>> >> >>> > >>> >> >>> > >>> >> >>> >On Tue, 28 Nov 2023 at 2:27 PM, Alexander Bokovoy < >>> >> abokovoy(a)redhat.com&gt; >>> >> >>> >wrote: >>> >> >>> > >>> >> >>> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: >>> >> >>> >> >Yeah, >>> >> >>> >> >But my default id range starts with 770000 but all my existing >>> >> >>> >> >infrastructure uid's are within 4 digits like 4147,8921,9756 >>> like >>> >> >>> this. >>> >> >>> >> >Here I am facing an issue. >>> >> >>> >> > >>> >> >>> >> >That's why I am creating users with default id range and then >>> >> later I >>> >> >>> am >>> >> >>> >> >modifying it via uid's as per my infrastructure then >>> ipantuserattrs >>> >> >>> >> created >>> >> >>> >> >and I am able to authenticate with password. >>> >> >>> >> >>> >> >>> >> This is wrong. >>> >> >>> >> >>> >> >>> >> > >>> >> >>> >> >Can you suggest to me that with this setup i can easily handle >>> >> >>> 350Users >>> >> >>> >> for >>> >> >>> >> >around 400 servers across different different locations with >>> cache >>> >> of >>> >> >>> >> >storing on ipa clients. >>> >> >>> >> >>> >> >>> >> As I already said in other threads, create additional ID range >>> that >>> >> >>> >> covers your 4-digit IDs, then re-run SID generation to make sure >>> >> those >>> >> >>> >> users get proper SIDs. >>> >> >>> >> >>> >> >>> >> This is covered in the KCS. >>> >> >>> >> >>> >> >>> >> > >>> >> >>> >> >On Tue, Nov 28, 2023 at 2:00 PM Alexander Bokovoy < >>> >> >>> abokovoy(a)redhat.com&gt; >>> >> >>> >> >wrote: >>> >> >>> >> > >>> >> >>> >> >> Please don't drop mailing list. >>> >> >>> >> >> >>> >> >>> >> >> On Аўт, 28 ліс 2023, Pradeep KNS wrote: >>> >> >>> >> >> >Hey Alexander, >>> >> >>> >> >> > >>> >> >>> >> >> >Thanks For the Reply. >>> >> >>> >> >> > >>> >> >>> >> >> >But in my case i have fixed it by recreating the user on >>> Ipa web >>> >> >>> UI and >>> >> >>> >> >> >observing ipantuserattrs created password logins are working >>> >> fine. >>> >> >>> >> >> > >>> >> >>> >> >> >But do I face any issues if I try to modify the base id >>> range >>> >> >>> >> manually? as >>> >> >>> >> >> >per redhat docs which is not recommended to modify. >>> >> >>> >> >> >>> >> >>> >> >> If you have re-created your user and that new one works, it >>> means >>> >> >>> >> >> underlying infrastructure works properly. Older user entries >>> need >>> >> >>> to be >>> >> >>> >> >> fixed. Preferrably through a new ID range, if those entries >>> use >>> >> IDs >>> >> >>> >> >> which are outside of the main ID range. >>> >> >>> >> >> >>> >> >>> >> >> > >>> >> >>> >> >> >Also on ipa 4.11 they support dedicated ssh key based >>> >> >>> >> >> >authentication.Ofcourse now also its working. >>> >> >>> >> >> > >>> >> >>> >> >> >My setup is that I have internal dns which is handled by a >>> >> puppet >>> >> >>> and >>> >> >>> >> >> >slowly will move it to a dedicated internal dns server so >>> that's >>> >> >>> why i >>> >> >>> >> >> >opted for ipa installation without dns. >>> >> >>> >> >> > >>> >> >>> >> >> >On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy < >>> >> >>> abokovoy(a)redhat.com >>> >> >>> >> > >>> >> >>> >> >> >wrote: >>> >> >>> >> >> > >>> >> >>> >> >> >> On Пан, 27 ліс 2023, Pradeep KNS via FreeIPA-users wrote: >>> >> >>> >> >> >> >Hi Rob, >>> >> >>> >> >> >> >Thank you for your email. I've identified the issue. >>> >> >>> >> >> >> >When attempting to create a user using the 'ipa user-add' >>> >> >>> command >>> >> >>> >> and >>> >> >>> >> >> >> >defining the UID and GID according to my specifications, >>> the >>> >> UID >>> >> >>> >> falls >>> >> >>> >> >> >> >within the 4-digit range, for instance, 4141. The >>> >> >>> >> >> >> >IPA IDs range during installation was set to 770000. >>> Users >>> >> >>> created >>> >> >>> >> >> within >>> >> >>> >> >> >> >this range are accepted with their passwords. However, >>> users >>> >> >>> created >>> >> >>> >> >> with >>> >> >>> >> >> >> >UIDs like 4141 or 4142 encounter issues. >>> >> >>> >> >> >> > >>> >> >>> >> >> >> >Looks like attributes, were not creating >>> >> >>> >> >> >> > >>> >> >>> >> >> >> >objectclass: top, person, organizationalperson, >>> >> inetorgperson, >>> >> >>> >> >> inetuser, >>> >> >>> >> >> >> >posixaccount, krbprincipalaux, krbticketpolicyaux, >>> ipaobject, >>> >> >>> >> >> ipasshuser, >>> >> >>> >> >> >> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs >>> >> >>> >> >> >> > >>> >> >>> >> >> >> >If i mention uid and gid using ipa user-add command >>> >> >>> >> >> >> >ipantuserattrs is not getting create. >>> >> >>> >> >> >> > >>> >> >>> >> >> >> >I tried to modify default range but it dint happened. >>> >> >>> >> >> >> >>> >> >>> >> >> >> See my answers in a parallel thread 'kinit fails on >>> freeipa >>> >> >>> master: >>> >> >>> >> File >>> >> >>> >> >> >> or directory not found'. >>> >> >>> >> >> >> >>> >> >>> >> >> >> > >>> >> >>> >> >> >> > >>> >> >>> >> >> >> > >>> >> >>> >> >> >> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden < >>> >> >>> rcritten(a)redhat.com >>> >> >>> >> > >>> >> >>> >> >> >> wrote: >>> >> >>> >> >> >> > >>> >> >>> >> >> >> >> Pradeep KNS wrote: >>> >> >>> >> >> >> >> > Hi, >>> >> >>> >> >> >> >> > I have installed an ipa with internal dns.After >>> >> installing >>> >> >>> >> updated >>> >> >>> >> >> >> >> > entries on dns as well. >>> >> >>> >> >> >> >> > >>> >> >>> >> >> >> >> > My main criteria is to communicate with ipa clients >>> with >>> >> ssh >>> >> >>> >> >> keybased >>> >> >>> >> >> >> >> > authentication which is working fine. >>> >> >>> >> >> >> >> > >>> >> >>> >> >> >> >> > Today i tot of i want to test with password based >>> >> >>> authentication >>> >> >>> >> >> which >>> >> >>> >> >> >> >> > is not happening.I dont know where i am missing >>> >> >>> >> >> >> >> > >>> >> >>> >> >> >> >> > >>> >> >>> >> >> >> >> > [root(a)example.com <mailto:root@example.com>]# ipa >>> >> --version >>> >> >>> >> >> >> >> > VERSION: 4.10.1, API_VERSION: 2.251 >>> >> >>> >> >> >> >> > [root(a)example.com <mailto:root@example.com>]# >>> >> >>> >> >> >> >> > >>> >> >>> >> >> >> >> > ********************** PREVIOUS MESSAGE WAS >>> TRIGGERED BY >>> >> THE >>> >> >>> >> >> FOLLOWING >>> >> >>> >> >> >> >> > BACKTRACE: >>> >> >>> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] >>> >> >>> [tgt_req_child] >>> >> >>> >> >> >> >> > (0x1000): [RID#15] Password was expired >>> >> >>> >> >> >> >> >>> >> >>> >> >> >> >> The user's password is expired. >>> >> >>> >> >> >> >> >>> >> >>> >> >> >> >> IPA intends that only the end-user knows their >>> password. So >>> >> >>> if it >>> >> >>> >> is >>> >> >>> >> >> set >>> >> >>> >> >> >> >> or reset by an administrator the user will need to >>> change >>> >> it. >>> >> >>> >> >> >> >> >>> >> >>> >> >> >> >> Is the user not prompted to reset it? >>> >> >>> >> >> >> >> >>> >> >>> >> >> >> >> rob >>> >> >>> >> >> >> >> >>> >> >>> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] >>> >> >>> >> >> [sss_krb5_responder] >>> >> >>> >> >> >> >> > (0x4000): [RID#15] Got question [password]. >>> >> >>> >> >> >> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] >>> >> >>> >> [map_krb5_error] >>> >> >>> >> >> >> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error >>> (see >>> >> >>> >> e-text)] >>> >> >>> >> >> >> >> > ********************** BACKTRACE DUMP ENDS HERE >>> >> >>> >> >> >> >> > ********************************* >>> >> >>> >> >> >> >> > >>> >> >>> >> >> >> >> > ssh log >>> >> >>> >> >> >> >> > >>> >> >>> >> >> >> >> > Nov 23 19:33:16 test-example.com < >>> >> http://test-example.com> >>> >> >>> >> >> >> sshd[11586]: >>> >> >>> >> >> >> >> > pam_sss(sshd:auth): authentication failure; logname= >>> >> uid=0 >>> >> >>> >> euid=0 >>> >> >>> >> >> >> >> > tty=ssh ruser= rhost=10.10.1.1 user=harsh >>> >> >>> >> >> >> >> > Nov 23 19:33:16 test-example.com < >>> >> http://test-example.com> >>> >> >>> >> >> >> sshd[11586]: >>> >> >>> >> >> >> >> > pam_sss(sshd:auth): received for user harsh: 4 >>> (System >>> >> >>> error) >>> >> >>> >> >> >> >> > Nov 23 19:33:18test-example.com < >>> >> http://18test-example.com> >>> >> >>> >> >> >> sshd[11584]: >>> >> >>> >> >> >> >> > error: PAM: Authentication failure for harsh from >>> >> 10.10.1.1 >>> >> >>> >> >> >> >> > Nov 23 19:33:20 test-example.com < >>> >> http://test-example.com> >>> >> >>> >> >> >> sshd[11584]: >>> >> >>> >> >> >> >> > Connection closed by authenticating user harsh >>> 10.10.1.1 >>> >> >>> port >>> >> >>> >> 47724 >>> >> >>> >> >> >> >> > [preauth] >>> >> >>> >> >> >> >> >>> >> >>> >> >> >> >> >>> >> >>> >> >> >> >> >>> >> >>> >> >> >> >>> >> >>> >> >> >> >>> >> >>> >> >> >> >>> >> >>> >> >> >> >>> >> >>> >> >> >> -- >>> >> >>> >> >> >> / Alexander Bokovoy >>> >> >>> >> >> >> Sr. Principal Software Engineer >>> >> >>> >> >> >> Security / Identity Management Engineering >>> >> >>> >> >> >> Red Hat Limited, Finland >>> >> >>> >> >> >> >>> >> >>> >> >> >> >>> >> >>> >> >> >>> >> >>> >> >> >>> >> >>> >> >> >>> >> >>> >> >> >>> >> >>> >> >> -- >>> >> >>> >> >> / Alexander Bokovoy >>> >> >>> >> >> Sr. Principal Software Engineer >>> >> >>> >> >> Security / Identity Management Engineering >>> >> >>> >> >> Red Hat Limited, Finland >>> >> >>> >> >> >>> >> >>> >> >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> -- >>> >> >>> >> / Alexander Bokovoy >>> >> >>> >> Sr. Principal Software Engineer >>> >> >>> >> Security / Identity Management Engineering >>> >> >>> >> Red Hat Limited, Finland >>> >> >>> >> >>> >> >>> >> >>> >> >>> >>> >> >>> >>> >> >>> >>> >> >>> >>> >> >>> -- >>> >> >>> / Alexander Bokovoy >>> >> >>> Sr. Principal Software Engineer >>> >> >>> Security / Identity Management Engineering >>> >> >>> Red Hat Limited, Finland >>> >> >>> >>> >> >>> >>> >> >>> >> >>> >> >>> >> >>> >> -- >>> >> / Alexander Bokovoy >>> >> Sr. Principal Software Engineer >>> >> Security / Identity Management Engineering >>> >> Red Hat Limited, Finland >>> >> >>> >> >>> >>> >>> >>> >>> -- >>> / Alexander Bokovoy >>> Sr. Principal Software Engineer >>> Security / Identity Management Engineering >>> Red Hat Limited, Finland >>> >>> -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland