On Tue, 23 Jan 2024, Sören R. via FreeIPA-users wrote:
Thanks Alex, your comment helped me a lot and so I could fix the issue.
I had exactly the same issue.

The problem is that none of my users had the attribute
"ipantsecurityidentifier".

I found the instruction here:
https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts#con_privilege-attribute-certificate-pac-use-in-idm_assembly_strengthening-kerberos-security-with-pac-information

Procedure
Enable SID usage and trigger the SIDgen task to generate SIDs for
existing users and groups. This task might be resource-intensive:

# kinit admin
# ipa config-mod --enable-sid --add-sids

Verification
Verify that the IdM admin user account entry has an ipantsecurityidentifier 
attribute with a SID that ends with -500, the SID reserved for the domain 
administrator:

[root@server ~]# ipa user-show admin --all | grep ipantsecurityidentifier
 ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500

After this procedure, my admin user had the attribute
"ipantsecurityidentifier" and I could successfully log in to the WebUI.
The issue I encountered was that not all of my users had been upgraded
with the new attribute. Therefore I had to delete and recreate them.

Good that it worked for you. You didn't need to delete those
users/groups, just make sure their UID and GID numbers are within ID
ranges defined by IPA. You can add a new ID range to help the sidgen plugin
handle those IDs.

See https://access.redhat.com/articles/7027037 for more details. It
needs a RHEL subscription but you can get a free one from
developers.redhat.com.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
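As an added illustration of the point above (not code from this thread or from FreeIPA itself): a small Python check that parses constructed `ipa idrange-find` and `ipa user-find --all` output and separates SID-less users whose UID lies inside an IdM ID range (a re-run of the SIDgen task covers them) from those whose UID lies outside every range (they need a new ID range first). The field labels are assumed to match the CLI's human-readable output; all sample data is constructed.

```python
# Constructed sample of `ipa idrange-find` output, trimmed to the fields used here.
IDRANGE_OUTPUT = """\
  Range name: EXAMPLE.TEST_id_range
  First Posix ID of the range: 1386000000
  Number of IDs in the range: 200000
  Range type: local domain range
"""
# Constructed `ipa user-find --all` output, trimmed; 'legacy' has a UID outside the range above.
USER_OUTPUT = """\
  User login: admin
  UID: 1386000000
  ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500
  User login: alice
  UID: 1386000005
  User login: legacy
  UID: 5001
"""

def parse_idranges(text):
    """Return [(first_id, last_id), ...] for each range listed by `ipa idrange-find`."""
    ranges, first = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("First Posix ID of the range:"):
            first = int(line.split(":")[1])
        elif line.startswith("Number of IDs in the range:") and first is not None:
            ranges.append((first, first + int(line.split(":")[1]) - 1))
            first = None
    return ranges

def parse_users(text):
    """Return {login: {"uid": int, "sid": str or None}} from `ipa user-find --all`."""
    users, login = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("User login:"):
            login = line.split(":", 1)[1].strip()
            users[login] = {"uid": None, "sid": None}
        elif login and line.startswith("UID:"):
            users[login]["uid"] = int(line.split(":", 1)[1])
        elif login and line.startswith("ipantsecurityidentifier:"):
            users[login]["sid"] = line.split(":", 1)[1].strip()
    return users

def classify(users, ranges):
    """Split SID-less users into those SIDgen can fix on a re-run (UID inside an
    IdM ID range) and those that need a new ID range first (UID outside all)."""
    in_range = lambda uid: any(lo <= uid <= hi for lo, hi in ranges)
    missing = {n: u for n, u in users.items() if u["sid"] is None}
    return {"rerun_sidgen": sorted(n for n, u in missing.items() if in_range(u["uid"])),
            "add_idrange": sorted(n for n, u in missing.items() if not in_range(u["uid"]))}
```

Against a live server, feed the functions the real command output and add an ID range with `ipa idrange-add` covering the reported UIDs before re-running `ipa config-mod --enable-sid --add-sids`.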
_______________________________________________
FreeIPA-users mailing list -- [email protected]