info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853,
> t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required
> auth indicators not present
On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> Hello all.
>
> Tell me please. Is it possible to use password and otp auth at the one
> moment?
>
> For example I have DEV/STAGE servers and want to be able use password auth
> for ssh, but for PROD servers I want to use OTP auth for
On Fri, May 12, 2017 at 03:00:42PM +0200, tuxderlinuxfuch...@gmail.com wrote:
> It worked with pam_mkhomedir. So I don't see anything left to do at the
> moment
>
ah, I thought ...
>
> On 12-May-17 12:52 PM, Sumit Bose wrote:
> > On Fri, May 12, 2017 at 12:11:2
to create the directory via oddjobd
which runs with higher privileges.
HTH
bye,
Sumit
>
>
> On 12-May-17 11:48 AM, Sumit Bose wrote:
> > On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com
> > wrote:
> >> Thanks!
> >>
> >> I follo
On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com wrote:
> Thanks!
>
> I followed this manual:
> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>
> added the line
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
> to the file
On Fri, May 12, 2017 at 08:41:07AM +0200, Sumit Bose wrote:
> On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote:
> > On pe, 12 touko 2017, Thomas Lau wrote:
> > > Folks,
> > >
> > > let's say I am user thomas, and user "temp1" alr
On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote:
> On pe, 12 touko 2017, Thomas Lau wrote:
> > Folks,
> >
> > let's say I am user thomas, and user "temp1" already marked as "disabled"
> > on FreeIPA, but tho...@domain.com is on /home/temp1/.k5login list, how come
> > I could stil
On Fri, May 12, 2017 at 12:50:08AM +0200, tuxderlinuxfuch...@gmail.com wrote:
> I have attached the syslog with gdm debug mode enabled
>
>
> On 11-May-17 1:54 PM, Sumit Bose wrote:
> > On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com
> > wrote:
>
On Thu, May 11, 2017 at 01:07:25PM +, Berkouwer, Walter wrote:
> Hello
>
> I am trying to setup an IPA configuration at an remote site. I got the
> ssh-connection working with a 6.6 client ( ipa-client version 3.0.0), but I
> can't get it working with a 7.3 client ( ipa-client version 4.4.0
ere any other
hints in the system or gdm logs with gdm might have failed?
bye,
Sumit
>
> Thanks in advance!
>
> On 10-May-17 9:42 PM, Sumit Bose wrote:
> > On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuch...@gmail.com
> > wrote:
> >> Hello everyone,
>
On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuch...@gmail.com wrote:
> Hello everyone,
>
> I set up my freeIPA instance and it works very well for my client
> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
> freeIPA managed user account.
>
> My own HBAC rule also wor
>
> >
> > adm.tiemen@VM-WIN-01 C:\Users\adm.tiemen>
> >
> > Note that this is the domain controller and I'm logged in using the
> > experimental Win32-OpenSSH server. Not sure if that makes a difference. I
> > am not currently in the office, so unfortu
On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:
> I think I just realised that my expectation may be wrong: GSSAPI login with
> a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
> correct to also expect passwordless login with an AD user to a FreeIPA host?
The
On Fri, Apr 28, 2017 at 02:54:44PM +, Sullivan, Daniel [CRI] wrote:
> Hi,
>
> I haven’t posted in a while, I hope everybody is doing well. I have a
> problem that I am having a difficult time diagnosing. To start, I want to
> say that we have a pretty large IPA environment. It generally w
On Tue, Apr 25, 2017 at 12:38:11PM -0500, Michael Rainey (Contractor) wrote:
> Hello,
>
> While using Fedora 25 we noticed smart card login is broken with the latest
> update to SSSD. A month or so ago a patch was created to fix the same
> issue. Here are some of the details:
>
> Before Update:
On Mon, Apr 24, 2017 at 02:24:34PM +0200, Harald Dunkel wrote:
> Hi folks,
>
> some colleagues have to enter their password 3 times (or even
> more) to authenticate. krb5_child.log shows
>
> (Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116 [switch_creds]
> (0x0200): Switch user to [657][100
11:24:46 2017) [[sssd[p11_child[14893 [do_work] (0x4000):
> found cert[SMITH.RYAN.123456:PIV Email Signature
> Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893 [do_work] (0x4000):
> More than one certificate found
On Mon, Apr 10, 2017 at 11:49:05AM +0200, Ronald Wimmer wrote:
> On 2017-04-07 10:28, Sumit Bose wrote:
> > [...]
> > I'm not aware of any limitation here. Have you tried to run 'ipa
> > trust-fetch-domains ad.forest.root' to update the list?
> >
>
On Thu, Apr 06, 2017 at 06:36:43PM +, spammewo...@cox.net wrote:
> I have created a two way trust between my IDM server and Active Directory.
> I have been able to successfully get RHEL 7.3 IDM server and RHEL 7.3 IDM
> clients to allow Active Directory login using CAC smart cards into Gnome.
> I
On Fri, Apr 07, 2017 at 09:46:45AM +0200, Ronald Wimmer wrote:
> On 2017-04-06 20:50, Sumit Bose wrote:
> > On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
> > > On 2017-04-06 12:16, Sumit Bose wrote:
> > > > On Thu, Apr 06, 2017 at 12:58:3
On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
> On 2017-04-06 12:16, Sumit Bose wrote:
> > On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
> > [...]
> > > AD trust:
> > > mydomain.at (forest root)
> > > xyz (subdomain
On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
> On 2017-04-06 11:21, Sumit Bose wrote:
> > On Thu, Apr 06, 2017 at 12:10:29PM +0200, Ronald Wimmer wrote:
> > > Hi,
> > >
> > > when I try to login to an IPA client with my AD user it works perfec
On Thu, Apr 06, 2017 at 12:10:29PM +0200, Ronald Wimmer wrote:
> Hi,
>
> when I try to login to an IPA client with my AD user it works perfectly when
> I already have a kerberos ticket for my user. When I do not and I try a
> password-based login it fails:
Please send the sssd_domain.log and krb5
On Mon, Mar 20, 2017 at 02:55:37PM +0300, Artem Golubev wrote:
> Good day!
>
> We use freeipa server 4.3.1, we usually grant access via ssh keys to linux
> clients.
> We currently face the following issue with access on certificate: when we
> add certificate to user's account, user is not able to
On Tue, Mar 14, 2017 at 04:29:58PM -0500, Michael Rainey (Contractor) wrote:
> Greetings,
>
> I have been working on an issue with smart card logins on a Fedora 25
> system. For a short time smart card logins have been working well, but
> suddenly the login process has suddenly stopped working.
On Wed, Feb 22, 2017 at 12:03:58PM +, wouter.hummel...@kpn.com wrote:
> Hello all,
>
> I'm trying to get IPA auth on Katello to work properly, however the infopipe
> is unable to access the right information without additional configuration.
> With these changes I got the infopipe to work, bu
On Wed, Feb 08, 2017 at 12:44:07PM +0100, Troels Hansen wrote:
> Hi,
>
> Have you tried setting ldap_user_principal to something nonexisting? For
> example:
>
> ldap_user_principal = nosuchattr
>
> and inherit this to the AD domain with:
>
> subdomain_inherit = ldap_user_principal
>
> Both i
On Fri, Feb 03, 2017 at 12:59:26PM -0800, spammewo...@cox.net wrote:
>
> Sumit Bose wrote:
> > On Fri, Feb 03, 2017 at 09:33:13AM +0100, Sumit Bose wrote:
> > On Thu, Feb 02, 2017 at 11:03:28AM -0800, spammewo...@cox.net wrote:
> > > I am running an IPA server (
On Mon, Feb 06, 2017 at 01:56:06PM +, Tommy Nikjoo wrote:
> Hi,
>
> I'm having some issues with 2FA PAM configs on Ubuntu clients.
> Currently, I'm guessing that the PAM module doesn't know how to talk to
> the 2FA protocol. Is anyone able to give an insight into how to get
> this working c
On Fri, Feb 03, 2017 at 09:33:13AM +0100, Sumit Bose wrote:
> On Thu, Feb 02, 2017 at 11:03:28AM -0800, spammewo...@cox.net wrote:
> > I am running an IPA server (4.4.0) on RHEL 7.3 which is integrated with a
> > Windows Active Directory server. I am trying to configure the IPA
On Thu, Feb 02, 2017 at 11:03:28AM -0800, spammewo...@cox.net wrote:
> I am running an IPA server (4.4.0) on RHEL 7.3 which is integrated with a
> Windows Active Directory server. I am trying to configure the IPA server to
> allow the Active Directory Users to log into Gnome with a CAC smart ca
On Thu, Feb 02, 2017 at 04:57:05PM +0100, Jan Karásek wrote:
> Hi,
>
> I just looked into RHEL 6.9 beta repos and I can see there is
> sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with rhel
> 6.9 will come support for using different UPN then domain name. I am talking
> abo
On Wed, Feb 01, 2017 at 02:41:35PM -0500, Chris Dagdigian wrote:
>
> Update:
>
> Resolved. A bit of googling led me to some good RHEL pages as well as
> mailing list messages from Alex B that were concise and helpful.
>
> To summarize for others who may have this problem:
>
> 1. Don't make cha
On Wed, Feb 01, 2017 at 12:29:37PM -0500, Chris Dagdigian wrote:
> Hi folks,
>
> I've posted here and gotten amazing help on our odd setup with IPA having a
> 1-way trust to a massive remote AD forest with 90+ domain controllers and
> lots of child domains.
>
> I'm running into a strange issue wh
On Wed, Jan 25, 2017 at 10:58:34PM +, Sullivan, Daniel [CRI] wrote:
> Hi,
>
> My apologies for resurrecting this thread. This issue is still ongoing, at
> this point we’ve been looking at it for over a week and now have more than
> one staff member analyzing and trying to resolve it on a f
On Fri, Jan 20, 2017 at 03:41:46PM +, Sullivan, Daniel [CRI] wrote:
> Hi,
>
> I have some more information on this issue. I’m tracing it down through the
> slapd logs and I am continuing to struggle; I was hoping that somebody could
> possibly help me provided this additional information.
On Thu, Jan 19, 2017 at 04:33:59PM -0600, Michael Rainey (Contractor) wrote:
> Hello everyone,
>
> I have come across a problem which you might find interesting. With all of
> the systems I have running, there is one system which refuses to
> authenticate any user who needs to login. I have delet
On Tue, Jan 17, 2017 at 04:12:51PM +0100, Harald Dunkel wrote:
> On 01/17/17 11:38, Sumit Bose wrote:
> > On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
> >> It seems something got corrupted in my ipa setup. I found this in the
> >> sssd log file on Wheez
On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
> It seems something got corrupted in my ipa setup. I found this in the
> sssd log file on Wheezy:
>
> (Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): Processing
> source hosts for rule [allow_all]
> (Tue Jan 17 10:19:
On Wed, Jan 11, 2017 at 04:00:57PM -0500, Armaan Esfahani wrote:
> Hi, I have setup a Samba server to use FreeIPA as a password backend, however
> whenever I try to use existing users to login I get
> “NT_STATUS_LOGON_FAILURE”.
>
> Looking at the sssd_nss log on my ipa server, I get the followi
On Thu, Jan 12, 2017 at 10:59:04AM +, hirofumi.morik...@accenture.com wrote:
> Hi Free IPA team
>
> Let me further clarify the question that is asked by Niraj below.
>
> Currently, we have 1 master FreeIPA server and 1 client server. Evaluating
> your product for production deployment
> Mast
On Wed, Jan 11, 2017 at 11:01:22AM +0100, Troels Hansen wrote:
> Hi, we have just seen a weird issue, which I need some advice on.
>
> We have 2 IPA 4.4 servers in an AD trust and a number of Linux clients
> connected.
>
> A little story of what we experienced.
> We had a AD user which sometim
On Tue, Jan 10, 2017 at 09:37:33AM +, nirajkumar.si...@accenture.com wrote:
> Hi Team,
>
> We have Created PPK key for the user on master FreeIPA server which is there
> in /home/user/.ssh/authorized_keys file.
>
> But the key are not reflecting in client machine.
>
> Please suggest so tha
On Mon, Jan 09, 2017 at 11:21:00AM +0100, rajat gupta wrote:
> Hi,
>
> Error message is changed today. But same, some are able to login but most of
> the users are not. Please find the below logs from ipa2 server.
>
> /var/log/secure
>
> Jan 9 11:02:59 ilt-gif-ipa02 sshd[18942]: pam_sss(sshd:auth
On Sat, Jan 07, 2017 at 02:14:45AM +, Chen Lufan wrote:
> Dear Team,
>
> I am new to freeIPA and GSS authentication so maybe someone can shed a light
> on where the issue is when I perform below ssh? Your help will be greatly
> appreciated!
>
>
> host2$ ssh -F /home/user/config u...@ho
On Mon, Jan 09, 2017 at 09:48:50AM +0100, rajat gupta wrote:
> few user are able to login. ipa ad-trust setup.
>
> ==
> Jan 6 10:48:36 ilt-gif-ipa02 sshd[22490]: reverse mapping checking
> getaddrinfo for ilp-noatun.man.cosng.net [146.213.128.135] failed -
> POSSIBLE BREAK
On Fri, Jan 06, 2017 at 11:31:31AM +0100, rajat gupta wrote:
> Hi,
>
> only few user are able to login. ipa ad-trust setup.
more details are needed here. Can you at least share sssd.conf from the
ilt-gif-ipa02?
>
> ==
> Jan 6 10:48:36 ilt-gif-ipa02 sshd[22490]: reverse
On Wed, Jan 04, 2017 at 10:39:37AM +0100, Jochen Hein wrote:
>
> Hi,
>
> I'm still working on my Debian systems to get local login to work with
> OTP.
>
> In /etc/pam.d/common-auth we have:
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore]
On Mon, Jan 02, 2017 at 11:03:36PM +0530, tarak sinha wrote:
> Hi Team,
>
> I am getting below error while trying to ssh my host without password.
>
> Unspecified GSS failure. Minor code may provide more information KDC has no
> support for encryption type
Where do you see this error, on the cli
in_realm]
> .int.domain.com = INT.DOMAIN.COM
> int.domain.com = INT.DOMAIN.COM
>
> On the freeipa server’s krb5kdc.log:
>
> krb5kdc: Realm not local to KDC - while dispatching (udp)
>
> When authenticating with a non 2FA user, works fine.
>
> Anyone can hit me with a
On Thu, Dec 15, 2016 at 03:38:14PM +, Mark Steele wrote:
> Hi,
>
> Has anyone managed to make this work and if so, is there some documentation
> for doing so?
>
> I can successfully authenticate to my linux servers using 2FA, but am unable
> to get my Mac to be able to get a ticket with kin
On Wed, Dec 14, 2016 at 03:18:52PM +, James Harrison wrote:
> Hi, I installed the freeipa client on an Ubuntu Precise system (12.04)
>
> I get the following message at the end of the install:
> "Installed OpenSSH server does not support dynamically loading authorized
> user keys. Public key au
providing test-builds of the latest versions
release in Fedora for other/older platforms.
But please note those are test-builds. You have to wait until CentOS
releases the 7.3 packages to have an 'official' sssd-1.14 build.
HTH
bye,
Sumit
>
> Sumit Bose wrote:
> > }
> >
On Thu, Dec 08, 2016 at 09:29:34AM -0500, Chris Dagdigian wrote:
>
> Sumit Bose wrote:
> > > > Am I being stupid (again?) Obviously the krb5_validate=false setting
> > > > needs
> > > > to be fixed. Just not sure if I should work on a fix within 4.2 o
On Wed, Dec 07, 2016 at 11:34:12AM -0500, Chris Dagdigian wrote:
>
> Our problem is largely solved but we are using some "do not use in
> production!" settings so I wanted to both recap our solution and ask some
> follow up questions.
>
> Our setup:
> -
> - FreeIPA 4.2 running on Cen
On Tue, Dec 06, 2016 at 03:17:33PM -0500, List dedicated to discussions about
use, configuration and deployment of the IPA server. wrote:
>
> Appreciate the assistance!
>
> Is there a better debug level balance than 10 for this sort of situation?
> The domain logs were several hundred MBs by the
On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:
> Hey All,
>
> I've successfully mapped the nixadmins to the external group
> nixadmins_external. However no users in that group make it over to Free IPA
> that I can see.
>
> ipa group-add-member nixadmins_external --external "nixadmins"
>
FF-85251F39556D:E245FF24-D266-4F7E-BCF4-709611F539A6:calendar
> (null):(null):calendar
> UniqueID: 1025
> UserShell: /bin/bash
>
> Message: 5
> Date: Wed, 30 Nov 2016 09:46:42 +0100
> From: Sumit Bose
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Mac
On Tue, Nov 29, 2016 at 06:21:11PM +, Daly, John L CIV NAVAIR, 4GD
wrote:
> Greetings,
> I thumbed through the archive, but didn't find an answer. If I missed it,
> perhaps someone will be kind enough to point me in the right direction.
>
> I'm testing replacing our OpenDirectory server
On Wed, Nov 23, 2016 at 07:38:49AM -0500, Chris Dagdigian wrote:
>
> < huge log sample deleted >
>
> Sumit Bose wrote:
> > (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369 [validate_tgt]
> > (0x0020): TGT failed verification using key for
> > [host/u
On Tue, Nov 22, 2016 at 11:17:37AM -0500, Chris Dagdigian wrote:
>
>
> Sumit Bose wrote:
> > Please send the full krb5_child.log with debug_level=10 in the
> > [domain/...] section of sssd.conf. My current guess is the ticket
> > validation fails. Which ve
On Tue, Nov 22, 2016 at 10:37:06AM -0500, Chris Dagdigian wrote:
> Upfront
> - I know this question is fairly common and I do read the list and
> archives, honest!
> - I'm following the SSSD troubleshooting wiki and running with debug
> settings for PAM and SSH
> - Still not quite sure where my
On Fri, Nov 18, 2016 at 12:09:41PM +0100, rajat gupta wrote:
> Hi,
>
>
> I removed the pam_winbind module. User are able to login now. But some time
> they are not. Below are logs when user are not able to login. Also SSH
see comment at the end of the email.
> login is very slow for AD user.
op=-1 fd=189 closed - B1
Sorry, I still have no idea, maybe running ldapwhoami with '-d -1' might
help to identify which step is failing.
bye,
Sumit
>
> ...
>
> Matrix
>
>
> -- Original --
> From: "Sumit Bose";;
On Wed, Nov 16, 2016 at 02:31:52PM +0100, rajat gupta wrote:
> Thanks, It is working for few user but not for every one. I have cleared
> the sssd cache as well.
> =
> /var/log/secure
>
> Nov 16 14:06:39 ipa-clinet1 sshd[6852]: pam_sss(sshd:auth): authentication
> failure; logn
ease edit your Subject line so it is more specific
> > than "Re: Contents of Freeipa-users digest..."
> >
> >
> > Today's Topics:
> >
> >1. minimise impact compromised host (Stijn
On Wed, Nov 16, 2016 at 02:41:34PM +0100, Martin Babinsky wrote:
> On 11/16/2016 02:33 PM, Petr Spacek wrote:
> > On 16.11.2016 14:01, Stijn De Weirdt wrote:
> > > hi all,
> > >
> > > we are looking how to configure whatever relevant policy to minimise the
> > > impact of compromised IPA hosts (ie
On Wed, Nov 16, 2016 at 01:01:59PM +0100, Sumit Bose wrote:
> On Wed, Nov 16, 2016 at 12:49:59PM +0100, rajat gupta wrote:
> > I am using FreeIPA version 4.4.0 Active Directory trust setup. And on
> > Active Directory side I am using UPN suffix.
> > Following are my doma
On Wed, Nov 16, 2016 at 12:49:59PM +0100, rajat gupta wrote:
> I am using FreeIPA version 4.4.0 Active Directory trust setup. And on
> Active Directory side I am using UPN suffix.
> Following are my domain setup.
>
> AD DOMAIN :- corp.addomain.com
> UPN suffix :- usern...@mydomain.com
> IPA DOMA
e.stg.example.net
> BASE dc=example,dc=net
> TLS_CACERT /etc/ipa/ca.crt
> SASL_MECH GSSAPI
> TLS_REQCERT allow
> SASL_NOCANON on
>
>
> # cat /etc/krb5.conf| grep rdns
> rdns = false
>
> Matrix
>
> -- Original --
> From
On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> debug steps have been tried:
>
> 1 kinit is workable:
> # /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net
>
> # /usr/kerberos/bin/klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/client02.stg.exampl
On Fri, Nov 04, 2016 at 01:41:40PM +0200, Taras Drach wrote:
> Hello Sumit,
> I’ve tried to use this attr, but still no success
>
> Also I found the solutions where sss_ssh_authorizedkeys replaced with custom
> scripts for queuing ldap and get necessary attribute
> I think there is hardcoded “ssh
ecurityIdentities:altSecurityIdentities
>ldap_user_ssh_public_key = altSecurityIdentities
>ldap_id_mapping = False
>
> > On Nov 3, 2016, at 5:05 PM, Sumit Bose wrote:
> >
> > sshPublicKey:
>
--
Manage your subscription for the Freeipa-users mailing list:
On Thu, Nov 03, 2016 at 04:35:30PM +0200, Taras Drach wrote:
> Hello everyone!
>
> I want to implement next scheme:
>
> 1. Use AD as place for user management
> 2. Store ssh public keys in AD
> 3. Use FreeIPA as sudo/hbac provider for AD groups for authentication and
> authorisation on the linux
On Mon, Oct 31, 2016 at 04:17:08PM -0400, Geordie Grindle wrote:
>
> Hello,
>
> I’m unable to ssh as ‘root’ onto any of my new CentOS 7 hosts. I’ve always
> been able to do so on CentOS6.x
>
> We normally have the file ‘/root/.k5login’ listing the designated system
> admins’ principals. Once o
On Fri, Oct 21, 2016 at 01:55:19PM +0100, lejeczek wrote:
> hi all
>
> I cannot ssh from a boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64) to a boxB
> (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64)
> I realize that to assume versions differences cause it is bit silly but
> nothing changed except update
On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote:
> Hi,
>
> thank you for help.
>
> This is my sssd.conf from server :
>
> [domain/vs.example.cz]
> debug_level = 7
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = vs.example.cz
> id_provider = i
On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote:
> Hi,
> please can you help me with troubleshooting IPA clients in IPA - AD trust
> scenario ? We have two IPA servers and couple of clients running on RHEl 6
> and 7. IPA is running on RHEL 7.2.
> AD servers are in domains example.cz
On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote:
> Thank you for this information. Yes, /tmp is writable.
>
> My problem is : access are sometimes definitively refused for random
> user
> who wants to log in diskless workstations.
> But if this banned user t
On Thu, Oct 06, 2016 at 09:55:30PM +0100, Alessandro De Maria wrote:
> The workaround worked thank you!
Great, glad I could help.
bye,
Sumit
>
> On 6 Oct 2016 5:09 pm, "Sumit Bose" wrote:
>
> > On Thu, Oct 06, 2016 at 03:48:10PM +0100, Alessandro De Maria wrote:
On Thu, Oct 06, 2016 at 03:48:10PM +0100, Alessandro De Maria wrote:
> Hello,
>
> We are moving some of our servers to use 16.04 and for all new installs I
> have noticed that I am unable to fetch the ssh_authorized keys from the
> server.
>
> /usr/bin/sss_ssh_authorizedkeys --debug 10 -d prod.zz
On Thu, Sep 29, 2016 at 12:07:13PM -0400, Prasun Gera wrote:
> I need to set SELinux to enforcing to get the relevant SSSD logs, right ?
yes, I think this would help to identify the operation which triggers
the AVC because it should fail.
bye,
Sumit
>
> On Thu, Sep 29, 2016 at 3:42
On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> I started seeing some selinux errors on one of my RHEL 7 clients recently
> (possibly after a recent yum update ?), which prevents users from logging
> in with passwords. I've put SELinux in permissive mode for now. Logs follow
This so
On Wed, Sep 28, 2016 at 11:30:56AM +0200, Troels Hansen wrote:
>
> > Yes, this makes sense as well. If you are not in the forest root you
> > first need a cross-realm TGT for your domain and the forest root. Then
> > you need a cross-realm TGT for the forest root and the IPA domain.
> >
> > As a
On Wed, Sep 28, 2016 at 10:33:43AM +0200, Troels Hansen wrote:
>
>
> - On Sep 28, 2016, at 10:06 AM, Sumit Bose sb...@redhat.com wrote:
> > KRB5KRB_ERR-RESPONSE_TOO_BIG is an expected return code here. The
> > Kerberos communication is typically started via UDP. But th
On Wed, Sep 28, 2016 at 09:19:37AM +0200, Troels Hansen wrote:
>
>
> - On Sep 26, 2016, at 1:30 PM, Sumit Bose sb...@redhat.com wrote:
>
> > About the DNS SRV records, did you add matching records for _udp as
> > well? I'm not sure if the AD client will
On Mon, Sep 26, 2016 at 01:11:49PM +0200, Troels Hansen wrote:
>
>
> - On Sep 26, 2016, at 10:18 AM, Sumit Bose sb...@redhat.com wrote:
>
> >
> > Have you checked the firewalls? AD clients must be able to talk to the
> > KDC port (88 udp and tcp) on the IPA
On Mon, Sep 26, 2016 at 09:25:46AM +0200, Troels Hansen wrote:
> After we installed a new set of IPA servers for prod, and joined AD using
> username and password to have AD create a correct suffix routing everything
> seems to work, and the suffix routing is created correctly on AD.
>
> However
On Thu, Sep 22, 2016 at 08:17:21AM +, Deepak Dimri wrote:
> Hi All,
>
>
> I am trying hard to get my 2FA working with FreeIPA but every effort of mine
> going waste! I have referred earlier forum emails but could not find any good
> reply on the issue I am facing.
>
>
> This is what I am
On Wed, Sep 21, 2016 at 09:47:12AM +0200, Jan Karásek wrote:
> Hi,
>
> I have a question about the IPA-AD trust scenario where POSIX attributes are
> store in AD.
Although I describe some possible solution below I wonder if using IPA
overrides which allow to add public ssh keys for AD user wou
On Tue, Sep 20, 2016 at 09:33:21AM +0300, Alexander Bokovoy wrote:
> On Tue, 20 Sep 2016, Martin Babinsky wrote:
> > On 09/20/2016 12:17 AM, Simpson Lachlan wrote:
> > > > -Original Message-
> > > >
> > > > On 09/19/2016 03:12 AM, Lachlan Musicman wrote:
> > > > > Hi
> > > > >
> > > > > S
gin the new package is not
automatically installed during update.
bye,
Sumit
>
> Rob Verduijn
>
> 2016-09-13 9:03 GMT+02:00 Sumit Bose :
>
> > On Tue, Sep 13, 2016 at 08:51:48AM +0200, Rob Verduijn wrote:
> > > Hi all,
> > >
> > > Yesterday my fedor
On Tue, Sep 13, 2016 at 08:51:48AM +0200, Rob Verduijn wrote:
> Hi all,
>
> Yesterday my fedora 24 box received an update for sssd to 1.14.1-2.fc24.
>
> Then after the reboot the nfs-idmap service told me it couldn't start
> because it could not find method sss.
>
> So I filed a bug report and t
On Wed, Sep 07, 2016 at 09:55:45AM +0200, Troels Hansen wrote:
>
>
> - On Sep 7, 2016, at 9:43 AM, Sumit Bose sb...@redhat.com wrote:
>
> > Additionally please check the klist output on the Windows client. It
> > should show the host principal of the Linux client
>
On Wed, Sep 07, 2016 at 10:27:17AM +0300, Alexander Bokovoy wrote:
> On Wed, 07 Sep 2016, Troels Hansen wrote:
> > Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up a IPA-AD trust
> > and trying to get Putty GSSAPI login to work. In Putty GSSAPI have
> > been enabled, and GSSAPI is enabled i
On Fri, Aug 26, 2016 at 08:39:05AM -0400, William Muriithi wrote:
> Morning
>
> I have been struggling with nfsidmap issue for a couple of days and
> wouldn't mind a fresh eyes.
>
> Essentially, I have a FreeIPA that has a trust relationship with AD.
> The AD is on domain example-corp.example.com
domain the two directories are sufficient.
bye,
Sumit
>
>
> Ssh is still failing, possibly due to the problem 1 above. Is there anything
> else I can do to force ipa to pay attention to the /etc/hosts ?
> Or is this some other issue?
>
> thanks
> ━━━
On Mon, Jul 18, 2016 at 09:54:37AM -0400, Rob Crittenden wrote:
> Sumit Bose wrote:
> > On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
> > > On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
> > > > On (16/07/16 10:19), Martin Štefany wrote:
>
On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
> On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
> > On (16/07/16 10:19), Martin Štefany wrote:
> > >
> > > Hello Sumit,
> > >
> > > seems that upgrade to F24 broke things again. This time no AVCs, empty
> > > SSSD
> > > l
>
>
> Cheers
> L.
>
>
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
> On 12 July 2016 at 09:08, Lachlan Musicman wrote:
>
> > Alex, Sumit,
> >
> > Which lo