On 12/03/2021 16:36, Sumit Bose via FreeIPA-users wrote:
On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users wrote:
Hi guys

My IPA does not inject ipantsecurityidentifier (maybe more?) when '--uid' is
used.

Why is that and how to have or make IPA do 'ipantsecurityidentifier' - would
anybody know?
Hi,

the ipantsecurityidentifier is typically added automatically by a
plugin. But it needs an idrange which covers the UIDs and GIDs you want
to add manually. You can add one with

     ipa idrange-add --type=ipa-local ......

There are some mandatory options which will let you specify the start
and size of the ranges for the POSIX IDs and the RID part of the SIDs.
So, I failed to 'idrange-add' (I did not see '--type' is an argument available) and I removed (successful clean uninstall) whole deployment and installed anew with '--idstart' to match range of "old" IPA and now I cannot "ssh"

...
Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=b209
Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): received for user b209: 7 (Authentication failure)

Samba clients can authenticate, IPA's UI also but not 'ssh', regardless if '--uid' is used for 'user-add' or not.
Hmm, it is puzzling at best and total mystery at worst

thanks, L

HTH

bye,
Sumit

many thanks, L.
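
An added example, not part of the original thread and not FreeIPA's own code: a check of whether manually assigned UIDs and GIDs fall inside an ID range, and which RID a covered ID would receive. The range values and account names are constructed, and the mapping RID = rid_base + offset into the range is an assumption about how the SID is derived.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int    # first POSIX ID of the range
    size: int       # number of POSIX IDs in the range
    rid_base: int   # first RID, paired with base_id

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size


def find_range(ranges: Iterable[IdRange], posix_id: int) -> Optional[IdRange]:
    """Return the range that contains posix_id, or None if no range does."""
    return next((r for r in ranges if r.covers(posix_id)), None)


def expected_rid(ranges: Iterable[IdRange], posix_id: int) -> Optional[int]:
    """RID for posix_id, assuming RID = rid_base + offset into the range."""
    r = find_range(ranges, posix_id)
    return None if r is None else r.rid_base + (posix_id - r.base_id)


def uncovered(ranges: List[IdRange],
              users: Iterable[Tuple[str, int, int]]) -> List[str]:
    """Logins whose UID or GID lies outside every range (no SID derivable)."""
    return [login for login, uid, gid in users
            if find_range(ranges, uid) is None or find_range(ranges, gid) is None]


# Constructed sample data: one local range and three hypothetical accounts.
RANGES = [IdRange("EXAMPLE.TEST_id_range",
                  base_id=1234000000, size=200000, rid_base=1000)]
USERS = [
    ("alice", 1234000005, 1234000005),   # inside the range
    ("legacy1", 5001, 5001),             # created with --uid outside the range
    ("legacy2", 1234000010, 5002),       # UID covered, GID not
]

if __name__ == "__main__":
    for login, uid, gid in USERS:
        print(login, uid, expected_rid(RANGES, uid))
    print("no covering range:", uncovered(RANGES, USERS))
```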
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure