On 12/03/2021 19:53, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
On 12/03/2021 16:36, Sumit Bose via FreeIPA-users wrote:
On Fri, Mar 12, 2021 at 04:00:57PM +0000, lejeczek via FreeIPA-users wrote:
Hi guys
My IPA does not inject ipantsecurityidentifier (maybe more?) when
'--uid' is used.
Why is that and how to have or make IPA do 'ipantsecurityidentifier' -
would anybody know?
Hi,
the ipantsecurityidentifier is typically added automatically by a
plugin. But it needs an idrange which covers the UIDs and GIDs you want
to add manually. You can add one with
ipa idrange-add --type=ipa-local ......
There are some mandatory options which will let you specify the start
and size of the ranges for the POSIX IDs and the RID part of the SIDs.
So, I failed to 'idrange-add' (I did not see '--type' is an argument
available) and I removed (successful clean uninstall) whole deployment and
installed anew with '--idstart' to match range of "old" IPA and now I
cannot "ssh"
...
Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=b209
Mar 12 19:19:51 drunk sshd[38466]: pam_sss(sshd:auth): received for user b209: 7 (Authentication failure)
Samba clients can authenticate, IPA's UI also but not 'ssh', regardless
if '--uid' is used for 'user-add' or not.
Hmm, it is puzzling at best and total mystery at worst
Details are important.
Can't ssh from what to what using what authentication type? Were all
clients re-enrolled?
Can you kinit as b209?
rob
Apologies.
Just two masters between themselves, yes both un/re-installed.
Yes, I can get a ticket for the user (in root's interactive
shell) and can 'ssh' with that ticket, between the masters.
'ssh' with password does seem to be the problem.
regards, L
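
Added example, not part of the thread or of FreeIPA's own code: a small Python check of the point made in Sumit Bose's quoted reply, that a manually chosen UID or GID only gets an ipantsecurityidentifier when a local idrange covers it. The domain SID, range values and accounts are constructed, and the RID mapping (RID base plus the ID's offset into the range) is an assumption about how the SID-generation plugin usually behaves; the secondary RID base is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int   # first POSIX ID in the range
    size: int      # number of POSIX IDs in the range
    rid_base: int  # first RID mapped to this range

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size


def expected_sid(domain_sid: str, ranges: Sequence[IdRange],
                 posix_id: int) -> Optional[str]:
    """SID the ID would map to, or None when no range covers it."""
    for r in ranges:
        if r.covers(posix_id):
            # Assumed mapping: RID = rid_base + offset of the ID in its range.
            return f"{domain_sid}-{r.rid_base + (posix_id - r.base_id)}"
    return None


def uncovered(ranges: Sequence[IdRange],
              accounts: Sequence[Tuple[str, int, int]]) -> List[Tuple[str, str, int]]:
    """List (login, 'uid'|'gid', value) for every ID outside all ranges."""
    gaps = []
    for login, uid, gid in accounts:
        for kind, value in (("uid", uid), ("gid", gid)):
            if not any(r.covers(value) for r in ranges):
                gaps.append((login, kind, value))
    return gaps


# Constructed sample data, not taken from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RANGES = [IdRange("EXAMPLE.TEST_id_range", 1_000_000, 200_000, 1000)]
ACCOUNTS = [("user_a", 1_000_500, 1_000_500),  # inside the range
            ("user_b", 5000, 5000)]            # manual --uid outside it

if __name__ == "__main__":
    for login, uid, _gid in ACCOUNTS:
        sid = expected_sid(DOMAIN_SID, RANGES, uid)
        print(login, uid, sid or "no covering idrange, no SID expected")
    print("uncovered:", uncovered(RANGES, ACCOUNTS))
```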