At least for some users....

One user failing:

(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [unpack_buffer] (0x0100): cmd [249] uid [1349930179] gid [1349930179] validate [true] enterprise principal [false] offline [true] UPN [h...@net.dr.dk]
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [become_user] (0x0200): Trying to become user [1349930179][1349930179].
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [become_user] (0x0200): Trying to become user [1349930179][1349930179].
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [become_user] (0x0200): Already user [1349930179].
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [k5c_send_data] (0x0200): Received error code 0


Me logging in works....
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [unpack_buffer] (0x0100): cmd [241] uid [1349938498] gid [1349938498] validate [true] enterprise principal [false] offline [false] UPN [drext...@net.dr.dk]
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1349938498] old_ccname: [KEYRING:persistent:1349938498] keytab: [/etc/krb5.keytab]
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [switch_creds] (0x0200): Switch user to [1349938498][1349938498].
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/rhel02udv.linux.dr...@linux.dr.dk]
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [become_user] (0x0200): Trying to become user [1349938498][1349938498].
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]


What does "Cannot handle password prompts" mean? The only thing I can find is
some sssd krb5 commits that look to be related to password change?

----- On Aug 9, 2016, at 2:29 PM, Troels Hansen t...@casalogic.dk wrote:

> ----- On Aug 9, 2016, at 2:09 PM, Jakub Hrozek jhro...@redhat.com wrote:
> 
> 
>>> 
>>> So, it currently works in the current RedHat (sssd-ipa-1.13.0-40.el7_2.12) but
>>> only on the server, but not on a pure IPA client, but will work in 1.14.0 ?
>> 
>> I would not recommend this setting on the server, even with 1.14,
>> because some components of the stack rely on the name of trusted users
>> being qualified, namely the compat plugin IIRC parses the names.
>> 
>> But on clients, this should work.
>> 
>>> 
>>> I guess this will be included in RedHat 7.3?
>> 
>> Yes.
> 
> I guess I have hit some sort of configuration parameter combination that made it
> not work......  I have removed the full_name_format on the server, but kept
> "ldap_user_principal = nosuchattr" and
> "subdomain_inherit = ldap_user_principal" on both server until 7.3 arrives.
> 
> This seems to work.
> 
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Best regards

Troels Hansen

System consultant

Casalogic A/S

T (+45) 70 20 10 63
M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
much more.
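
One way to compare the two krb5_child sessions quoted in the message above, as an added example that is not part of the original message and is not SSSD code: it groups log lines by child PID, pulls the `cmd` and `offline` fields from `unpack_buffer`, and collects messages logged at SSSD debug level 0x0020 (critical failure) or more severe. The function and field names are hypothetical, and the sample is a subset of the quoted lines with the mail wrapping removed.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the krb5_child lines from the message, unwrapped.
SAMPLE = """\
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [unpack_buffer] (0x0100): cmd [249] uid [1349930179] gid [1349930179] validate [true] enterprise principal [false] offline [true] UPN [h...@net.dr.dk]
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [unpack_buffer] (0x0100): cmd [241] uid [1349938498] gid [1349938498] validate [true] enterprise principal [false] offline [false] UPN [drext...@net.dr.dk]
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/rhel02udv.linux.dr...@linux.dr.dk]
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
CRITICAL = 0x0020  # SSSD debug bitmask: 0x0010 fatal, 0x0020 critical failure


def summarize(log_text):
    """Group krb5_child lines by child PID and extract triage fields."""
    sessions = defaultdict(
        lambda: {"cmd": None, "offline": None, "fast_setup_logged": False, "critical": []}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # still-wrapped fragment or a line from another component
        s = sessions[m["pid"]]
        if m["func"] == "unpack_buffer":
            cmd = re.search(r"cmd \[(\d+)\]", m["msg"])
            off = re.search(r"offline \[(true|false)\]", m["msg"])
            if cmd:
                s["cmd"] = int(cmd.group(1))
            if off:
                s["offline"] = off.group(1) == "true"
        elif m["func"] == "k5c_setup_fast":
            s["fast_setup_logged"] = True
        # Lower bitmask values are more severe in SSSD's debug levels.
        if int(m["level"], 16) <= CRITICAL:
            s["critical"].append((m["func"], m["msg"]))
    return dict(sessions)


if __name__ == "__main__":
    for pid, info in summarize(SAMPLE).items():
        print(pid, info)
```

The regular expression expects one log entry per line, so logs copied out of a wrapped e-mail need to be rejoined before they are fed to it.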
