On Thu, 26 Sep 2024, Kris C via FreeIPA-users wrote:
> Username and domains have been changed to protect the guilty :-) running
> FreeIPA 4.12.1 :
> ipa user-add test4 --uid 4321 --random --first test4 --last test4
> ------------------
> Added user "test4"
> ------------------
> User login: test4
> First name: test4
> Last name: test4
> Full name: test4 test4
> Display name: test4 test4
> Initials: tt
> Home directory: /home/test4
> GECOS: test4 test4
> Login shell: /bin/bash
> Principal name: [email protected]
> Principal alias: [email protected]
> User password expiration: 20240926123724Z
> Email address: [email protected]
> Random password: 6Qz:Ki,(<O[Gm|M-/g)%n0
> UID: 4321
> GID: 4321
^^^^^^^^ I think this is your problem.
If I try to add the same user (with uid 4321), the dirsrv error log will
have this:
[26/Sep/2024:13:12:30.451206787 +0000] - ERR - find_sid_for_ldap_entry - [file
ipa_sidgen_common.c, line 533]: Cannot convert Posix ID [4321] into an unused
SID on entry [uid=test4,cn=users,cn=accounts,dc=ipa1,dc=test].
[26/Sep/2024:13:12:30.457442932 +0000] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 149]: Cannot add SID to new entry.
This is because UID 4321 is outside the ID ranges I have.
Then Kerberos authentication will fail because the KDC will not be able to
create the PAC structure for this user (information about the user), as the PAC
requires SIDs.
You'll see this in krb5kdc.log when doing 'kinit' or 'kpasswd' for this
user:
Sep 26 13:13:07 master1.ipa1.test krb5kdc[106210](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.197.85:
NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional
pre-authentication required
Sep 26 13:13:07 master1.ipa1.test krb5kdc[106210](info): closing down fd 11
Sep 26 13:13:08 master1.ipa1.test krb5kdc[106208](info): AS_REQ :
handle_authdata (2)
Sep 26 13:13:08 master1.ipa1.test krb5kdc[106208](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.197.85:
HANDLE_AUTHDATA: [email protected] for kadmin/[email protected], No such file or
directory
Sep 26 13:13:08 master1.ipa1.test krb5kdc[106208](info): closing down fd 11
If you can avoid specifying a pre-defined UID/GID, values from an
existing ID range will be used automatically and everything should work
fine.
If you need to force a particular UID/GID value, then you should have a
local ID range that covers these UID/GID values, and this ID range should have
RID parameters that allow generating SIDs.
See https://freeipa.readthedocs.io/en/latest/designs/id-mapping.html for
more details. This article https://access.redhat.com/articles/7027037
goes into a bit more detail about what SID/RID mean and how they are connected to
ID ranges in IPA.
> Password: True
> Member of groups: ipausers
> Kerberos keys available: True
> no error output from /var/log/httpd/error_log on freeipa server
> Reset user test4 password using the FreeIPA web UI, I changed the password to
> test1234!@#$ :
> [Thu Sep 26 05:40:36.643054 2024] [:warn] [pid 2208:tid 2249] [client
> 192.168.1.95:11771] failed to set perms (3140) on file
> (/run/ipa/ccaches/[email protected])!, referer:
> https://idm1.domain.org/ipa/ui/
> [Thu Sep 26 05:40:36.984071 2024] [wsgi:error] [pid 1291:tid 1684] [remote
> 192.168.1.95:11771] ipa: INFO: [jsonserver_session] [email protected]:
> passwd('test4', '********', None, version='2.254'): SUCCESS
> [Thu Sep 26 05:40:36.994647 2024] [:warn] [pid 2208:tid 2260] [client
> 192.168.1.95:11771] failed to set perms (3140) on file
> (/run/ipa/ccaches/[email protected])!, referer:
> https://idm1.domain.org/ipa/ui/
> [Thu Sep 26 05:40:37.277897 2024] [wsgi:error] [pid 1290:tid 1693] [remote
> 192.168.1.95:11771] ipa: INFO: [email protected]: batch: user_show('test4',
> rights=True, all=True): SUCCESS
> [Thu Sep 26 05:40:37.290808 2024] [wsgi:error] [pid 1290:tid 1693] [remote
> 192.168.1.95:11771] ipa: INFO: [email protected]: batch:
> pwpolicy_show(None, rights=True, user='test4', all=True): SUCCESS
> [Thu Sep 26 05:40:37.314097 2024] [wsgi:error] [pid 1290:tid 1693] [remote
> 192.168.1.95:11771] ipa: INFO: [email protected]: batch:
> krbtpolicy_show('test4', rights=True, all=True): SUCCESS
> [Thu Sep 26 05:40:37.340971 2024] [wsgi:error] [pid 1290:tid 1693] [remote
> 192.168.1.95:11771] ipa: INFO: [email protected]: batch: cert_find(None,
> sizelimit=0, all=True, user=('test4',)): SUCCESS
> [Thu Sep 26 05:40:37.341500 2024] [wsgi:error] [pid 1290:tid 1693] [remote
> 192.168.1.95:11771] ipa: INFO: [jsonserver_session] [email protected]:
> batch(user_show('test4', rights=True, all=True), pwpolicy_show(None,
> rights=True, user='test4', all=True), krbtpolicy_show('test4', rights=True,
> all=True), cert_find(None, sizelimit=0, all=True, user=('test4',))): SUCCESS
> [Thu Sep 26 05:40:37.352598 2024] [:warn] [pid 2208:tid 2244] [client
> 192.168.1.95:11771] failed to set perms (3140) on file
> (/run/ipa/ccaches/[email protected])!, referer:
> https://idm1.domain.org/ipa/ui/
> [Thu Sep 26 05:40:37.358872 2024] [:warn] [pid 1298:tid 1469] [client
> 192.168.1.95:11774] failed to set perms (3140) on file
> (/run/ipa/ccaches/[email protected])!, referer:
> https://idm1.domain.org/ipa/ui/
> [Thu Sep 26 05:40:37.359800 2024] [:warn] [pid 1298:tid 1470] [client
> 192.168.1.95:11775] failed to set perms (3140) on file
> (/run/ipa/ccaches/[email protected])!, referer:
> https://idm1.domain.org/ipa/ui/
> [Thu Sep 26 05:40:37.377870 2024] [wsgi:error] [pid 1294:tid 1687] [remote
> 192.168.1.95:11771] ipa: INFO: [jsonserver_session] [email protected]:
> radiusproxy_find(None, version='2.254'): SUCCESS
> [Thu Sep 26 05:40:37.381330 2024] [wsgi:error] [pid 1293:tid 1696] [remote
> 192.168.1.95:11774] ipa: INFO: [jsonserver_session] [email protected]:
> idp_find(None, version='2.254'): SUCCESS
> [Thu Sep 26 05:40:37.385839 2024] [wsgi:error] [pid 1291:tid 1684] [remote
> 192.168.1.95:11775] ipa: INFO: [jsonserver_session] [email protected]:
> user_find(None, version='2.254', no_members=True): SUCCESS
> Log into the WebUI with user test4 using the newly changed (test1234!@#$) password:
> [Thu Sep 26 05:44:26.415791 2024] [wsgi:error] [pid 1294:tid 1687] [remote
> 192.168.1.95:11787] ipa: INFO: 401 Unauthorized: kinit: Generic error (see
> e-text) while getting initial credentials
> [Thu Sep 26 05:44:26.415832 2024] [wsgi:error] [pid 1294:tid 1687] [remote
> 192.168.1.95:11787]
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
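The range check Alexander describes above (a forced UID/GID only gets a SID when a local ID range covers it and that range carries RID bases), as an added example that is not code from this thread or from the FreeIPA project. It parses the human-readable output of `ipa idrange-find` and applies the local-range mapping RID = first RID of the range + (POSIX ID - first POSIX ID of the range), so you can predict before running `ipa user-add --uid` whether sidgen would fail the way it did for uid 4321. The range listing, the domain SID and the IDs are constructed sample data; mapping groups through the secondary RID base is my reading of the sidgen plugin, not something this page states.

```python
"""Predict whether FreeIPA's sidgen plugin can assign a SID to a forced UID/GID.

Added example, not code from the mailing-list thread or from FreeIPA. It
parses the text that `ipa idrange-find` prints and applies the local-range
mapping RID = base RID + (POSIX ID - base ID). The range listing, domain SID
and IDs below are constructed sample data.
"""
import re

# Constructed sample: one local range, in the layout `ipa idrange-find` prints.
SAMPLE_IDRANGE_FIND = """\
----------------
1 range matched
----------------
  Range name: IPA1.TEST_id_range
  First Posix ID of the range: 1354200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
"""

# Constructed sample domain SID; a real one is shown by `ipa trustconfig-show`.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

LOCAL_RANGE_TYPE = "local domain range"

# Field labels from the listing -> dict keys used below.
FIELDS = {
    "First Posix ID of the range": "base_id",
    "Number of IDs in the range": "size",
    "First RID of the corresponding RID range": "base_rid",
    "First RID of the secondary RID range": "secondary_base_rid",
}


def parse_idranges(text):
    """Return one dict per range found in `ipa idrange-find` output."""
    ranges = []
    current = None
    for line in text.splitlines():
        # Field lines are indented "Label: value"; separators and counters are not.
        m = re.match(r"\s+([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Range name":
            current = {"name": value}
            ranges.append(current)
        elif current is None:
            continue
        elif key in FIELDS:
            current[FIELDS[key]] = int(value)
        elif key == "Range type":
            current["type"] = value
    return ranges


def find_range(ranges, posix_id):
    """Range whose half-open interval [base_id, base_id + size) covers posix_id."""
    for r in ranges:
        if r["base_id"] <= posix_id < r["base_id"] + r["size"]:
            return r
    return None


def sid_for_posix_id(ranges, domain_sid, posix_id, is_group=False):
    """Return (sid, reason); sid is None where sidgen would refuse the ID.

    Users map through the primary RID base; groups through the secondary RID
    base (assumption about the sidgen plugin, not stated in the thread).
    """
    r = find_range(ranges, posix_id)
    if r is None:
        return None, "no ID range covers POSIX ID %d" % posix_id
    if r.get("type") != LOCAL_RANGE_TYPE:
        return None, "range %s is not a local range" % r["name"]
    rid_key = "secondary_base_rid" if is_group else "base_rid"
    if rid_key not in r:
        return None, "range %s has no RID base configured" % r["name"]
    rid = r[rid_key] + (posix_id - r["base_id"])
    return "%s-%d" % (domain_sid, rid), "ok"


if __name__ == "__main__":
    ranges = parse_idranges(SAMPLE_IDRANGE_FIND)
    for uid in (4321, 1354200005):
        sid, why = sid_for_posix_id(ranges, SAMPLE_DOMAIN_SID, uid)
        print("uid %d -> %s (%s)" % (uid, sid, why))
```

With the sample data, uid 4321 yields no SID because nothing covers it, which is the condition behind the `Cannot convert Posix ID [4321] into an unused SID` line in the dirsrv log; uid 1354200005 maps to RID 1005. To check a real server, replace SAMPLE_IDRANGE_FIND with the actual `ipa idrange-find` output and SAMPLE_DOMAIN_SID with the domain SID from `ipa trustconfig-show`. If the forced UID is needed, the fix is to add a local range that covers it with RID bases set (`ipa idrange-add` takes `--base-id`, `--range-size`, `--rid-base` and `--secondary-rid-base`), keeping the new RID space disjoint from existing ranges.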