[Freeipa-users] Re: AD trust setup woes

2017-09-28 Thread Igor Sever via FreeIPA-users
There is IPA provider, but no sssd_pac module.
[service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac
--debug-to-files, reason: No such file or directory
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: AD trust setup woes

2017-09-12 Thread Igor Sever via FreeIPA-users
Unfortunately, I cannot upgrade systems and packages as I want because of 
legacy applications.
Is there information somewhere on how I would approach configuring SSSD to use 
FreeIPA as a Kerberos and LDAP provider and for policies to work? I can only find 
where access is enforced with an LDAP filter in the SSSD configuration in that case.
Thanks. 


[Freeipa-users] Re: AD trust setup woes

2017-09-11 Thread Igor Sever via FreeIPA-users
Can I use FreeIPA as Kerberos and LDAP provider (not as IPA) and still use 
policies somehow?


[Freeipa-users] Re: AD trust setup woes

2017-09-11 Thread Igor Sever via FreeIPA-users
sssd-krb5-common-1.11.5.1-14.1.x86_64
sssd-32bit-1.11.5.1-28.1.x86_64
sssd-ad-1.11.5.1-14.1.x86_64
sssd-ipa-1.11.5.1-14.1.x86_64
python-sssd-config-1.11.5.1-14.1.x86_64
sssd-1.11.5.1-14.1.x86_64
sssd-tools-1.11.5.1-14.1.x86_64
sssd-krb5-1.11.5.1-14.1.x86_64
sssd-ldap-1.11.5.1-14.1.x86_64
ipa-client:~ # rpm -qa | grep krb5
sssd-krb5-common-1.11.5.1-14.1.x86_64
krb5-plugin-preauth-pkinit-1.12.1-19.1.x86_64
libndr-krb5pac0-4.2.4-28.3.1.x86_64
krb5-1.12.1-36.4.x86_64
libndr-krb5pac0-32bit-4.2.4-28.3.1.x86_64
krb5-client-1.12.1-19.1.x86_64
sssd-krb5-1.11.5.1-14.1.x86_64
krb5-32bit-1.12.1-36.4.x86_64

On the SUSE site there is no info about integration with FreeIPA. They are 
mostly focused on LDAP authentication. No mention of sssd_pac existing in their 
sssd packages. I think I am out of luck with this.


[Freeipa-users] Re: AD trust setup woes

2017-09-10 Thread Igor Sever via FreeIPA-users
It looks like my problems with AD trust on the server side went away when I 
upgraded to FreeIPA 4.5 using CentOS 7.4 packages, but unfortunately this is 
only half of the way.
I have a lot of SLES 11 and 12 servers, but it looks like the SSSD that comes with 
SLES is not as fully featured as on RHEL or CentOS. Basic authentication is working, 
but policies are not working because group membership is not available on the SLES 
SSSD client (when checking with the id command). Even on SLES 12 SP1 I cannot get 
it to work.
In krb5_child.log I see the error:
[validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership for 
user with principal [**] might not be correct.
When I try to enable the PAC service, SSSD fails to start and I get:
[service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac 
--debug-to-files, reason: No such file or directory
I installed all packages related to SSSD and all dependencies.
Is PAC service necessary for group resolution? Is there any other option?


[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Igor Sever via FreeIPA-users
I didn’t specify any ID range. This was all done automagically by setup. I read 
a lot of documentation, and I can’t remember that ever being mentioned. We 
indeed had NIS at some point, but this is not supported any more by MS, and 
FreeIPA should not just presume that we have gidNumber on all accounts. Where 
should I look for the settings that you specify?


[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Igor Sever via FreeIPA-users
There is no gidNumber attribute on AD group objects. If I want to apply POSIX 
attributes directly in AD, then I don't need FreeIPA, do I...
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/
It is obvious that FreeIPA integration with AD is not production ready, and 
probably never will be for numerous reasons, just like Samba...