Yep, most of the users do not have that SID. Looks like just users that
are in the ID range because they don't have an EDIPI or users that were
created recently.
Ran the --enable-sid and --add-sids but nothing changed. All the users
that were missing the SID before still are.
On 1/31/24 10:06, Giulio Casella via FreeIPA-users wrote:
Uhm.. I had a similar problem recently (but not identical), and it
smells as a missing SID problem.
You can try:
ipa user-show admin --all | grep -i ipantsecurityidentifier
You should see the SID for user admin.
Now try the same with your account:
ipa user-show <yourusername> --all | grep -i ipantsecurityidentifier
If nothing appears your user (and probably many other) is missing SID.
If this is the case you can try:
ipa config-mod --enable-sid --add-sids
HTH
Ciao,
gc
On 31/01/2024 16:18, Steve Berg via FreeIPA-users wrote:
For a few weeks now I've been seeing a problem getting authenticated
to my ipa domain. I can get command line and web UI stuff done by
using the admin user but if I get a ticket using my account which is
in the admins group I get the following on the web UI:
Your session has expired. Please log in again.
On the command line any ipa commands I've tried so far give me:
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more
information (Credential cache is empty)
Getting a ticket as admin on command line lets me run ipa commands
with no problem. I think I've got all pertinent certificates loaded
up properly. Gonna try a reboot on one of the servers shortly. I
have 4 servers on r different vlans, replication between seems to be
working properly.
I think the problem is most of the user IDs we use on this domain
are not in the ID range configured. We let the install choose a
default range when we first set this up. Most of our users have a
UID based on their EDIPI # which is a 32-bit ID assigned when a user
first gets a DoD CAC. They're usually 10 digits long.
For instance the lowest EDIPI based UID we have currently is
something like 1004201873 and the largest is 1658224121. (I made
those but they're close to the actual UIDs.)
ipa idrange-find shows me this, (did some masking of the info):
Range name: domain_id_range
First Posix ID of the range: 824xxx000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range name: domain_subid_range
First Posix ID of the range: 214xxx3648
Number of IDs in the range: 214xxx2576
First RID of the corresponding RID range: 214xxx3648
Domain SID of the trusted domain: S-1-5-21-xxxxxx-83xx66-82xxx729
Range type: Active Directory domain range
Should I adjust the range that's already there or add a third that
encompasses the likely range of numbers I'm gonna see in the future?
I started to add a range with appropriate values but when it wanted
the primary and secondary RID base values I was not sure how to
figure that out or estimate.
--
//- Fixer of that which is broke -//
//- Home = [email protected] -//
//- Sinners can repent, but stupid is forever. -//
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to
[email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
//- Fixer of that which is broke -//
//- Home = [email protected] -//
//- Sinners can repent, but stupid is forever. -//
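The thread's diagnosis (users outside the configured local ID range are the ones without an ipantsecurityidentifier, and `--enable-sid --add-sids` cannot help them) is easy to confirm in bulk rather than one `ipa user-show` at a time. The script below is an added example, not code from either poster or from the FreeIPA project: it parses the `Label: value` output of `ipa idrange-find` and `ipa user-find --all`, reports which users fall outside every local range and which of them lack a SID, and, for in-range users, computes the RID the SID generator should have assigned. The two command outputs embedded here are constructed samples modelled on the masked listing in the thread; the RID formula (base RID plus the UID's offset into the range) is my assumption about how local ranges are mapped and is only meant to sanity-check existing SIDs.

```python
"""Audit FreeIPA users against the local ID ranges.

Usage: run `ipa idrange-find` and `ipa user-find --all`, paste the output
into the two strings below (or read them from files), then call audit_users().
"""
import re

# Constructed sample of `ipa idrange-find` output, modelled on the thread's
# listing with the masked digits replaced by made-up values.
IDRANGE_OUTPUT = """\
  Range name: domain_id_range
  First Posix ID of the range: 824000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: domain_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147483648
  Domain SID of the trusted domain: S-1-5-21-111111-222222-333333
  Range type: Active Directory domain range
"""

# Constructed sample of `ipa user-find --all` output, trimmed to the lines
# this audit needs: one EDIPI-style UID (out of range) and two in-range UIDs.
USER_OUTPUT = """\
  User login: admin
  UID: 824000500
  ipantsecurityidentifier: S-1-5-21-444444-555555-666666-1500

  User login: sberg
  UID: 1004201873

  User login: newhire
  UID: 824100000
"""

FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")


def parse_blocks(text):
    """Split ipa's 'Label: value' output into one dict per blank-line-separated entry.

    Keys are lower-cased so 'UID' and 'ipantsecurityidentifier' match regardless
    of how the client capitalises them.
    """
    blocks, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current[m.group(1).strip().lower()] = m.group(2).strip()
        elif not line.strip() and current:
            blocks.append(current)
            current = {}
    if current:
        blocks.append(current)
    return blocks


def parse_idranges(text):
    """Keep only local ranges: trust/subid ranges do not hand out local SIDs."""
    ranges = []
    for b in parse_blocks(text):
        if b.get("range type") != "local domain range":
            continue
        base = int(b["first posix id of the range"])
        ranges.append({
            "name": b["range name"],
            "base_id": base,
            "last_id": base + int(b["number of ids in the range"]) - 1,
            "base_rid": int(b["first rid of the corresponding rid range"]),
        })
    return ranges


def find_range(uid, ranges):
    """Return the local range containing uid, or None if it is outside all of them."""
    for r in ranges:
        if r["base_id"] <= uid <= r["last_id"]:
            return r
    return None


def expected_rid(uid, r):
    """Assumed mapping for local ranges: RID = base RID + offset of the UID in the range."""
    return r["base_rid"] + (uid - r["base_id"])


def audit_users(user_text, range_text):
    """One report row per user: containing range, whether a SID is present, expected RID."""
    ranges = parse_idranges(range_text)
    report = []
    for u in parse_blocks(user_text):
        uid = int(u["uid"])
        r = find_range(uid, ranges)
        report.append({
            "login": u["user login"],
            "uid": uid,
            "range": r["name"] if r else None,
            "has_sid": "ipantsecurityidentifier" in u,
            "expected_rid": expected_rid(uid, r) if r else None,
        })
    return report


if __name__ == "__main__":
    for row in audit_users(USER_OUTPUT, IDRANGE_OUTPUT):
        status = "OUT OF RANGE" if row["range"] is None else row["range"]
        sid = "has SID" if row["has_sid"] else "no SID"
        print(f'{row["login"]:10} uid={row["uid"]:<12} {status:14} {sid}')
```

Users reported as out of range will stay without a SID no matter how often the config command is re-run; they need a UID inside a local range (or a new local range that covers them) before a SID can be generated. For in-range users that already have a SID, comparing the SID's trailing RID with `expected_rid` is a quick consistency check on the sample.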