[Freeipa-users] Re: ipsilon
Andrew Meyer via FreeIPA-users wrote:
> Not sure if this is the right place for support w/ ipsilon. But I got
> it installed and I'm able to browse to the website and login now.
> However when I go to the login stack there are some buttons to the right
> of the login plugins, and they say ↑ ↓ that's it. What does
> that mean? Also I've enabled saml2, form, ipa, gssapi and secure as
> security providers yet I only see saml2. Is this normal?

You want https://lists.fedorahosted.org/admin/lists/ipsilon.lists.fedorahosted.org/

You are confusing the protocols. SAML2 is the protocol that the SP uses to request authentication for a user from the IdP. form, ipa, gssapi, etc. are the protocols used to authenticate the user on the IdP.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/FKX2NVHEDTTF7MHBL5HUNSVY6ZSL4TZ2/
[Freeipa-users] ipsilon
Not sure if this is the right place for support w/ ipsilon. But I got it installed and I'm able to browse to the website and login now. However when I go to the login stack there are some buttons to the right of the login plugins, and they say ↑ ↓ that's it. What does that mean? Also I've enabled saml2, form, ipa, gssapi and secure as security providers yet I only see saml2. Is this normal?

Has anyone configured this with any atlassian products?

Regards,
Andrew
[Freeipa-users] Re: pam,mkhomedir and umask with freeIPA
Thanks Rob. So where, in the oddjobd-mkhomedir.conf, can I add the umask I want?

Cheers

On Wed, Jun 6, 2018 at 5:43 PM Rob Crittenden wrote:
> Alfredo De Luca via FreeIPA-users wrote:
> > Hi all.
> > We have pam entry (below) and we wanna change the umask when a new homedir for an existing user is created. we modified the umask but doesn't work.
> > We have sssd integrated with freeIPA to manage all user etc.
> >
> > Any clue?
> >
> > session optional pam_oddjob_mkhomedir.so umask=0770
>
> From pam_oddjob_mkhomedir(8):
>
> The location of the skeleton directory and the default umask are determined
> by the configuration for the corresponding service in oddjobd-mkhomedir.conf,
> so they can not be specified as arguments to this module.
>
> rob

--
Alfredo
[Freeipa-users] Re: pam,mkhomedir and umask with freeIPA
Alfredo De Luca via FreeIPA-users wrote:
> Hi all.
> We have pam entry (below) and we wanna change the umask when a new homedir
> for an existing user is created. we modified the umask but doesn't work.
> We have sssd integrated with freeIPA to manage all user etc.
>
> Any clue?
>
> session optional pam_oddjob_mkhomedir.so umask=0770

From pam_oddjob_mkhomedir(8):

The location of the skeleton directory and the default umask are determined by the configuration for the corresponding service in oddjobd-mkhomedir.conf, so they can not be specified as arguments to this module.

rob
[Freeipa-users] pam,mkhomedir and umask with freeIPA
Hi all.
We have pam entry (below) and we wanna change the umask when a new homedir for an existing user is created. we modified the umask but doesn't work.
We have sssd integrated with freeIPA to manage all user etc.

Any clue?

session optional pam_oddjob_mkhomedir.so umask=0770

Cheers
[Freeipa-users] Re: Cannot log in as an AD user to FreeIPA client but can log in to server
On Wed, Jun 06, 2018 at 02:30:56PM -, Bart via FreeIPA-users wrote:
> Hi Jakub, thank you for help.
>
> I cannot resolve all of the users nor their groups on client hosts. getent
> passwd doesn't return anything, su - user@ad.domain doesn't work either.
>
> All AD users I tried get resolved on the FreeIPA servers. For the one account
> it gets resolved on one client host but on another client host it fails.

It's hard to say without the complete logs, but very often the reason is that one or more of the user's groups can't be resolved on the client. If you do id $username on the client and then try their group on the server, do at least some of them resolve (getent group $groupname)?

Alternatively, you can look at the sssd_nss.log on the server and check for getgrgid lookups and see if some of them fail.

>
> Oddly, I can see in server's /var/log/sssd/ad_domain.log that upon issuing su
> - user@ad.domain on a client host group membership is being resolved. User is
> not resolved on the client host though.
>
> The only suspicious thing I can find in the logfiles is this entry but I do
> not know if it is the culprit or not:
>
> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sysdb_update_members_ex] (0x0020): Could not remove member [user@ad.domain] from group [name=some_group@ad.domain,cn=groups,cn=ad.domain,cn=sysdb]. Skipping

Since the message says skipping, I'm quite certain that it's not the problem.

> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sss_domain_get_state] (0x1000): Domain ipa.domain is Active
> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sss_domain_get_state] (0x1000): Domain ad.domain is Active
> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55bdb
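
The group check suggested in the reply above (list the user's groups with id, then test each one with getent group), written out as an added shell example that is not part of the original message. The function names unresolved_groups and check_user are hypothetical; run it on the client and on the server and compare the results.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# unresolved_groups USER
# Prints one numeric GID per line for every group of USER that
# `getent group` cannot resolve on this host.
# Returns 2 if USER itself cannot be resolved.
unresolved_groups() {
    user=$1
    # id -G prints numeric GIDs, so it still works when group names are missing
    gids=$(id -G "$user" 2>/dev/null) || return 2
    for gid in $gids; do
        # getent exits non-zero when the requested key is not found
        getent group "$gid" >/dev/null 2>&1 || printf '%s\n' "$gid"
    done
    return 0
}

# check_user USER
# Prints a one-line summary. Returns 0 if every group resolves,
# 1 if some GIDs do not resolve, 2 if the user does not resolve.
check_user() {
    rc=0
    missing=$(unresolved_groups "$1") || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "$1: user does not resolve (compare: getent passwd $1)"
        return 2
    fi
    if [ -n "$missing" ]; then
        # unquoted on purpose: joins the GIDs onto one line
        echo "$1: unresolved GIDs:" $missing
        return 1
    fi
    echo "$1: all groups resolve"
    return 0
}

# Usage: sh check_groups.sh user@ad.domain
if [ "$#" -gt 0 ]; then
    check_user "$1"
fi
```

A GID reported on the client but not on the server points at the client's SSSD lookup of that group rather than at the AD data itself.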
[Freeipa-users] Re: Cannot log in as an AD user to FreeIPA client but can log in to server
Hi Jakub, thank you for help.

I cannot resolve all of the users nor their groups on client hosts. getent passwd doesn't return anything, su - user@ad.domain doesn't work either.

All AD users I tried get resolved on the FreeIPA servers. For the one account it gets resolved on one client host but on another client host it fails.

Oddly, I can see in server's /var/log/sssd/ad_domain.log that upon issuing su - user@ad.domain on a client host group membership is being resolved. User is not resolved on the client host though.

The only suspicious thing I can find in the logfiles is this entry but I do not know if it is the culprit or not:

(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sysdb_update_members_ex] (0x0020): Could not remove member [user@ad.domain] from group [name=some_group@ad.domain,cn=groups,cn=ad.domain,cn=sysdb]. Skipping
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sss_domain_get_state] (0x1000): Domain ipa.domain is Active
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sss_domain_get_state] (0x1000): Domain ad.domain is Active
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55bdb