Hi folks,
RHEL 7.3, sssd 1.14.0:
If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail
(without telling why) and users cannot log in. *Extremely* painful.
Do you think ipa-client-install could add
selinux_provider = none
to the generated sssd.conf file, if selinux is
I have noticed this behavior when setting up an external AD group:
1. create trust
2. create external group
3. add Group@Domain to external group - FAILS: "trusted domain object not
found"
4. retry: add Group@Domain to external group - SUCCESS
Two questions:
1.
Robert L. Harris wrote:
>
> Hmmm
>
> {0}:/var/log>ls
> anaconda btmp dmesg grubby maillog pppsecure
> tallylog wtmp
> audit cron dmesg.old grubby_prune_debug messages rhsm spooler
> tuned yum.log
> boot.log cups firewalld lastlog
Hmmm
{0}:/var/log>ls
anaconda btmp dmesg grubby maillog pppsecure
tallylog wtmp
audit cron dmesg.old grubby_prune_debug messages rhsm spooler
tuned yum.log
boot.log cups firewalld lastlog ntpstats samba sssd
On Fri, 12 May 2017, Tym Rehm wrote:
So I'm testing a new freeipa 4.x setup that has a one-way trust to Active
Directory. I have been able to define user groups to access the AD groups
and configure the groups to work with HBAC rules. So my AD users are able
to ssh into the client machines if
On 05/12/2017 04:09 PM, Tym Rehm wrote:
So I'm testing a new freeipa 4.x setup that has a one-way trust to
Active Directory. I have been able to define user groups to access the
AD groups and configure the groups to work with HBAC rules. So my AD
users are able to ssh into the client machines if
I apologize, nsupdate is working as intended, I was attempting to update a
client from the host ipa. I've a separate issue from clients when running
testbook3:etc jsherrill$ kinit -kt /etc/krb5.keytab
Thanks again!
On Fri, May 12, 2017 at 10:34 AM, Jason Sherrill
wrote:
Krb5kdc issues tickets on correct passwords, and errors out on incorrect ones.
syslog didn’t reveal any clear hints except “failed password for ” from
SSH
Is there any way for AIX native auth to be more verbose?
From: Iulian Roman [mailto:iulian.ro...@gmail.com]
Sent: Friday, 12 May 2017 16:35
On Fri, May 12, 2017 at 4:03 PM, wrote:
> Yes, kinit works with IPA users. GSSAPI authentication is not keeping it
> simple, since we want passwords to work before trying TGS based logins over
> GSSAPI.
>
> The keytab works since lsuser is still able to get user data.
>
So I'm testing a new freeipa 4.x setup that has a one-way trust to Active
Directory. I have been able to define user groups to access the AD groups
and configure the groups to work with HBAC rules. So my AD users are able
to ssh into the client machines if HBAC allows them to.
The issue I'm
Yes, kinit works with IPA users. GSSAPI authentication is not keeping it
simple, since we want passwords to work before trying TGS based logins over
GSSAPI.
The keytab works since lsuser is still able to get user data. (Documentation
specifies that enabling krb5 in ldap.cfg makes the bind user
On Fri, May 12, 2017 at 3:31 PM, wrote:
> The shell is shown correctly as ksh in lsuser, so that doesn't appear to be
> an issue for the ID view.
>
My advice would be to start simple, prove that your authentication works
and you can develop a more elaborated setup
The shell is shown correctly as ksh in lsuser, so that doesn't appear to be an
issue for the ID view.
Sent from my Samsung device
Original message
From: Luiz Fernando Vianna da Silva
Date: 12-05-17 15:03 (GMT+01:00)
To: "Hummelink,
"Why don't you just use the /bin/sh as default shell in IPA? In AIX /bin/sh
is the same as /bin/ksh and in Linux it is a symlink to /bin/bash."
Wow, never thought of that, very elegant solution!
Atenciosamente/Best Regards
__
Luiz Fernando Vianna da
On Fri, May 12, 2017 at 03:00:42PM +0200, tuxderlinuxfuch...@gmail.com wrote:
> It worked with pam_mkhomedir. So I don't see anything left to do at the
> moment
>
ah, I thought ...
>
> On 12-May-17 12:52 PM, Sumit Bose wrote:
> > On Fri, May 12, 2017 at 12:11:28PM +0200,
On Fri, May 12, 2017 at 2:32 PM, wrote:
> Hi All,
>
>
>
> We’re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound
> module.
>
> All the moving parts seem to be working on their own, however logging in
> doesn’t work with SSH on AIX reporting Failed
Hello Wouter.
It may seem silly, but try installing bash on one AIX server and test
authenticating against that one.
It's a single rpm with no dependencies. For me it did the trick and I ended up
doing that on all my AIX servers.
Let me know how it goes or if you have any issues.
Best Regards
Mistakenly failed to post to freeipa-users.
-- Forwarded message --
From: Jason Sherrill
Date: Thu, May 11, 2017 at 9:16 AM
Subject: Re: [Freeipa-users] DNS update failing
To: Martin Bašti
Thank you for the assistance, Martin. The
It worked with pam_mkhomedir. So I don't see anything left to do at the
moment
On 12-May-17 12:52 PM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> The directory didn't exist
> Then I guess that the process doesn't have the needed permissions
Hi All,
We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own, however logging in
doesn't work with SSH on AIX reporting Failed password for user
We're using ID views to overwrite the user shell and home dirs.
On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuch...@gmail.com wrote:
> The directory didn't exist
Then I guess that the process doesn't have the needed permissions during
the session phase anymore. Please try to replace pam_mkhomedir by
pam_oddjob_mkhomedir. This will try to create the
The directory didn't exist
On 12-May-17 11:48 AM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> Thanks!
>>
>> I followed this manual:
>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>>
>> added the line
>>
>>
That's weird, it should be super fast, anything in /var/log/httpd/error_log?
On 11.05.2017 22:23, Robert L. Harris wrote:
Odd, must have clicked reply instead of reply-all.
Anyway, I did the revert and re-install. Actual install went through
fine then the "ipa-server-install" ran until
On Fri, May 12, 2017 at 08:41:07AM +0200, Sumit Bose wrote:
> On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote:
> > On Fri, 12 May 2017, Thomas Lau wrote:
> > > Folks,
> > >
> > > let's say I am user thomas, and user "temp1" already marked as "disabled"
> > > on FreeIPA, but
On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote:
> On Fri, 12 May 2017, Thomas Lau wrote:
> > Folks,
> >
> > let's say I am user thomas, and user "temp1" already marked as "disabled"
> > on FreeIPA, but tho...@domain.com is on /home/temp1/.k5login list, how come
> > I could
On Fri, 12 May 2017, Thomas Lau wrote:
Folks,
let's say I am user thomas, and user "temp1" already marked as "disabled"
on FreeIPA, but tho...@domain.com is on /home/temp1/.k5login list, how come
I could still "sudo su - temp1"? It seems to skip the checking on FreeIPA even
if the account is disabled.
On Fri, May 12, 2017 at 12:50:08AM +0200, tuxderlinuxfuch...@gmail.com wrote:
> I have attached the syslog with gdm debug mode enabled
>
>
> On 11-May-17 1:54 PM, Sumit Bose wrote:
> > On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com
> > wrote:
> >> Hello,
> >>
> >> I have
Folks,
let's say I am user thomas, and user "temp1" already marked as "disabled"
on FreeIPA, but tho...@domain.com is on /home/temp1/.k5login list, how come
I could still "sudo su - temp1"? It seems to skip the checking on FreeIPA even
if the account is disabled. Did I miss any setting or is it normal?
--
28 matches