Please don't drop mailing list.

On Tue, 28 Nov 2023, Pradeep KNS wrote:
Hey Alexander,

Thanks for the reply.

But in my case I have fixed it by recreating the user on the IPA web UI and
observing ipantuserattrs created, password logins are working fine.

But do I face any issues if I try to modify the base ID range manually? As
per Red Hat docs, which is not recommended to modify.

If you have re-created your user and that new one works, it means
underlying infrastructure works properly. Older user entries need to be
fixed. Preferably through a new ID range, if those entries use IDs
which are outside of the main ID range.


Also on IPA 4.11 they support dedicated SSH key based
authentication. Of course now also it's working.

My setup is that I have internal DNS which is handled by a puppet and
slowly will move it to a dedicated internal DNS server so that's why I
opted for IPA installation without DNS.

On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <aboko...@redhat.com>
wrote:

On Mon, 27 Nov 2023, Pradeep KNS via FreeIPA-users wrote:
>Hi Rob,
>Thank you for your email. I've identified the issue.
>When attempting to create a user using the 'ipa user-add' command and
>defining the UID and GID according to my specifications, the UID falls
>within the 4-digit range, for instance, 4141. The
>IPA IDs range during installation was set to 770000. Users created within
>this range are accepted with their passwords. However, users created with
>UIDs like 4141 or 4142 encounter issues.
>
>Looks like attributes were not being created
>
>objectclass: top, person, organizationalperson, inetorgperson, inetuser,
>posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
>ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
>
>If I mention uid and gid using the ipa user-add command,
>ipantuserattrs is not getting created.
>
>I tried to modify the default range but it didn't happen.

See my answers in a parallel thread 'kinit fails on freeipa master: File
or directory not found'.

>
>
>
>On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> Pradeep KNS wrote:
>> > Hi,
>> > I have installed an IPA with internal DNS. After installing updated
>> > entries on DNS as well.
>> >
>> > My main criteria is to communicate with IPA clients with SSH key-based
>> > authentication which is working fine.
>> >
>> > Today I thought I want to test with password based authentication which
>> > is not happening. I don't know where I am missing
>> >
>> >
>> > [r...@example.com]# ipa --version
>> > VERSION: 4.10.1, API_VERSION: 2.251
>> > [r...@example.com]#
>> >
>> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
>> > BACKTRACE:
>> >    *  (2023-11-23 19:33:16): [krb5_child[11588]] [tgt_req_child]
>> > (0x1000): [RID#15] Password was expired
>>
>> The user's password is expired.
>>
>> IPA intends that only the end-user knows their password. So if it is set
>> or reset by an administrator the user will need to change it.
>>
>> Is the user not prompted to reset it?
>>
>> rob
>>
>> >    *  (2023-11-23 19:33:16): [krb5_child[11588]] [sss_krb5_responder]
>> > (0x4000): [RID#15] Got question [password].
>> >    *  (2023-11-23 19:33:16): [krb5_child[11588]] [map_krb5_error]
>> > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see e-text)]
>> > ********************** BACKTRACE DUMP ENDS HERE
>> > *********************************
>> >
>> > ssh log
>> >
>> > Nov 23 19:33:16 test-example.com sshd[11586]:
>> > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
>> > tty=ssh ruser= rhost=10.10.1.1 user=harsh
>> > Nov 23 19:33:16 test-example.com sshd[11586]:
>> > pam_sss(sshd:auth): received for user harsh: 4 (System error)
>> > Nov 23 19:33:18 test-example.com sshd[11584]:
>> > error: PAM: Authentication failure for harsh from 10.10.1.1
>> > Nov 23 19:33:20 test-example.com sshd[11584]:
>> > Connection closed by authenticating user harsh 10.10.1.1 port 47724
>> > [preauth]
>>
>>
>>




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
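
An added example, not part of the original thread and not FreeIPA's own code: a small audit that reads user entries exported as LDIF and lists those whose uidNumber lies outside the local ID range or that lack the ipantuserattrs object class, which is the condition discussed above. The base ID 770000 comes from the thread; the range size of 200000, the function names and the sample entries are assumptions constructed for illustration.

```python
# Added example: flag LDIF user entries that would hit the problem in this thread.
# Assumes unwrapped LDIF input (e.g. ldapsearch -o ldif-wrap=no).

def parse_ldif(text):
    """Return a list of entries, each a dict: lowercased attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue                      # comments / anything that is not "attr: value"
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def audit(ldif_text, base_id, range_size):
    """Return (uid, uidNumber, in_range, has_ipantuserattrs) for entries needing a fix."""
    findings = []
    for entry in parse_ldif(ldif_text):
        if "uidnumber" not in entry:
            continue                      # not a POSIX user entry
        uid_number = int(entry["uidnumber"][0])
        classes = {c.lower() for c in entry.get("objectclass", [])}
        in_range = base_id <= uid_number < base_id + range_size
        has_nt = "ipantuserattrs" in classes
        if not (in_range and has_nt):
            findings.append((entry.get("uid", ["?"])[0], uid_number, in_range, has_nt))
    return findings

# Constructed sample entries (not taken from the thread's server).
SAMPLE_LDIF = """\
dn: uid=legacy1,cn=users,cn=accounts,dc=example,dc=com
uid: legacy1
uidNumber: 4141
objectClass: posixaccount
objectClass: ipaobject

dn: uid=newuser,cn=users,cn=accounts,dc=example,dc=com
uid: newuser
uidNumber: 770001
objectClass: posixaccount
objectClass: ipantuserattrs
"""

if __name__ == "__main__":
    # base_id 770000 is from the thread; range_size 200000 is an assumption.
    for row in audit(SAMPLE_LDIF, base_id=770000, range_size=200000):
        print(row)
```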
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org