Hello Alexander,
Please provide this user entry's content and the output of 'ipa
idrange-find'.
If you cannot get 'kinit' working for admin, then try the following
command as root on the IPA server:
# ipa -e in_server=True user-show admin --all --raw | grep -E -v -i '(password|principalkey|nthash)'
# ipa -e in_server=True idrange-find
Thanks a lot for peeking into this issue. I provided the details you
requested below. 'kinit' works for the admin account but fails with
every other account.
$ ipa user-show --all
dn: uid=username,cn=users,cn=accounts,dc=intern,dc=example,dc=de
User login: username
First name: -
Last name: -
Full name: -
Display name: -
Home directory: /home/leeuwestein
Login shell: /bin/bash
Principal name: [email protected]
Principal alias: [email protected]
User password expiration: 20241123235532Z
Email address: [email protected]
UID: 1731
GID: 100
Car License: -
SSH public key: ssh-rsa AAAAB3NzaC1yc
SSH public key fingerprint: SHA256:+tU
User authentication types: password, radius, pkinit, hardened, idp
Account disabled: False
Preserved user: False
Password: True
Member of groups: humans, ipausers, ....
Indirect Member of group: ....
Indirect Member of Sudo rule: ...
Indirect Member of HBAC rule: admins_login
Kerberos keys available: True
ipantsecurityidentifier: S-1-5-21-385029999-2513500810-4281905551-5000731
ipauniqueid: af068fc8-3dd4-11ed-9208-000c295d8b72
krbextradata:
AAL0N2FlbGVldXdlc3RlaW5ASU5URVJOLkFTVEEuVU5JLUxVRUJFQ0suREUA
krblastadminunlock: 20231124235422Z
krblastpwdchange: 20231124235532Z
krbticketflags: 128
objectclass: krbticketpolicyaux, inetuser, sambasamaccount,
posixaccount, inetorgperson, person, organizationalperson, ipaobject,
top, ipasshuser, ipasshgroupofpubkeys, shadowaccount,
krbprincipalaux, ipauserauthtypeclass, ipantuserattrs
registeredaddress: [email protected]
sambapwdlastset: 1700870132
sambasid: S-1-5-21-3236374480-3602790372-206088821-3462
shadowlastchange: 19685
shadowmax: 99999
shadowmin: 0
shadowwarning: 7
$ ipa idrange-find
ipa idrange-find
----------------
3 ranges matched
----------------
Range name: INTERN.ASTA.UNI-LUEBECK.DE_id2_range
First Posix ID of the range: 1000
Number of IDs in the range: 100000
First RID of the corresponding RID range: 5000000
First RID of the secondary RID range: 600000
Range type: local domain range
Range name: INTERN.ASTA.UNI-LUEBECK.DE_id_range
First Posix ID of the range: 690800000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: INTERN.ASTA.UNI-LUEBECK.DE_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-1437684047
Range type: Active Directory domain range
----------------------------
Number of entries returned 3
----------------------------
$ ipa -e in_server=True config-show --raw |grep ipakrbauthzdata
ipakrbauthzdata: MS-PAC
ipakrbauthzdata: nfs:NONE
It filters out any field with those three words in the name so that we
don't see your user's credentials but still get the rest.
Most of what I am going to suggest based on that output was already
discussed on this list in the past couple of months in the thread 'ipa CLI
doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC', so
you can use
https://lists.fedorahosted.org/archives/list/[email protected]/
to browse the archives.
Thanks for the tip on the topic already discussed on this list. Please,
believe me, I have already spent ages researching this issue. I don't
know what to look for anymore. Could you give me a hint on which
direction I should look?
Have a nice day!
David Leeuwestein
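One check worth doing on an entry like the one quoted above is whether the user's ipantsecurityidentifier is consistent with the local ID ranges reported by 'ipa idrange-find'. FreeIPA's sidgen plugin derives a user's RID as the range's first RID plus the offset of the POSIX ID from the range's first POSIX ID, so a mismatch between the stored SID and the ranges points at a range or SID-generation problem rather than at the user. The script below is an added example, not code from the thread or from FreeIPA; the idrange text is copied from the output above, and the UID (1731) and SID used in the usage call are taken from the quoted user-show entry. It only checks SID/range consistency; it does not diagnose the kinit failure itself.

```python
# Added example (not from the thread or FreeIPA): verify that a user's SID is what
# FreeIPA's sidgen would derive from the user's UID and the local ID ranges.
# Assumed rule (FreeIPA sidgen): RID = first RID of range + (posix ID - first posix ID).
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the 'ipa idrange-find' output quoted in the thread.
IDRANGE_OUTPUT = """\
Range name: INTERN.ASTA.UNI-LUEBECK.DE_id2_range
First Posix ID of the range: 1000
Number of IDs in the range: 100000
First RID of the corresponding RID range: 5000000
First RID of the secondary RID range: 600000
Range type: local domain range
Range name: INTERN.ASTA.UNI-LUEBECK.DE_id_range
First Posix ID of the range: 690800000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: INTERN.ASTA.UNI-LUEBECK.DE_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-1437684047
Range type: Active Directory domain range
"""

# Map the CLI's field labels to attribute names.
FIELDS = {
    "First Posix ID of the range": "base_id",
    "Number of IDs in the range": "size",
    "First RID of the corresponding RID range": "base_rid",
    "First RID of the secondary RID range": "secondary_base_rid",
    "Range type": "range_type",
    "Domain SID of the trusted domain": "domain_sid",
}
TEXT_FIELDS = {"range_type", "domain_sid"}


@dataclass
class IdRange:
    name: str
    base_id: int = 0
    size: int = 0
    base_rid: Optional[int] = None
    secondary_base_rid: Optional[int] = None
    range_type: str = ""
    domain_sid: Optional[str] = None


def parse_idranges(text: str) -> list[IdRange]:
    """Parse 'ipa idrange-find' output; a new range starts at each 'Range name' line."""
    ranges: list[IdRange] = []
    current: Optional[IdRange] = None
    for line in text.splitlines():
        if ":" not in line:
            continue  # separators and the 'N ranges matched' banner
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Range name":
            current = IdRange(name=value)
            ranges.append(current)
        elif current is not None and key in FIELDS:
            attr = FIELDS[key]
            setattr(current, attr, value if attr in TEXT_FIELDS else int(value))
    return ranges


def range_for_posix_id(ranges: list[IdRange], posix_id: int) -> Optional[IdRange]:
    """Return the range whose [base_id, base_id + size) interval covers posix_id."""
    for r in ranges:
        if r.base_id <= posix_id < r.base_id + r.size:
            return r
    return None


def expected_rid(r: IdRange, posix_id: int) -> int:
    """RID sidgen assigns for posix_id inside range r (primary RID base)."""
    assert r.base_rid is not None
    return r.base_rid + (posix_id - r.base_id)


def check_user_sid(ranges: list[IdRange], uid: int, sid: str) -> tuple[bool, str]:
    """Check that the RID at the end of `sid` matches what `uid` maps to in a local range."""
    r = range_for_posix_id(ranges, uid)
    if r is None:
        return False, f"UID {uid} is not covered by any ID range"
    if r.range_type != "local domain range":
        return False, f"UID {uid} falls in non-local range {r.name}"
    rid = int(sid.rsplit("-", 1)[1])
    exp = expected_rid(r, uid)
    if rid != exp:
        return False, f"RID {rid} does not match expected {exp} for range {r.name}"
    return True, f"RID {rid} matches range {r.name} (base RID {r.base_rid})"


if __name__ == "__main__":
    ranges = parse_idranges(IDRANGE_OUTPUT)
    # UID and SID from the quoted user-show entry.
    ok, msg = check_user_sid(
        ranges, 1731, "S-1-5-21-385029999-2513500810-4281905551-5000731")
    print("OK" if ok else "MISMATCH", msg)
```

For the quoted entry the RID 5000731 is exactly base RID 5000000 plus the offset 731 of UID 1731 within the id2_range, so the stored SID is consistent with the ranges; the script reports a mismatch only for UIDs outside every range or with a RID that does not follow from the range definition.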
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]