[Freeipa-users] Re: error 15 in memberof.so

2018-07-19 Thread Lukas Slebodnik via FreeIPA-users
On (18/07/18 13:39), Bret Wortman via FreeIPA-users wrote:
>I've got a system (probably more than one) where I've got clients who aren't
>able to bring up SSSD due to this error, as seen in "journalctl -xe".
>
>I've tried unenrolling & re-enrolling. I've tried unenrolling, uninstalling,
>reinstalling ipa-client, and re-enrolling. I've tried unenrolling, deleting
>the host records from the IPA server, then re-enrolling. I've tried
>reinstalling SSSD. None have changed the behavior at all.
>
>Does anyone know what this error refers to or is caused by?
>

I assume it is due to mixed versions of sssd and libldb.
There was an ABI change in libldb 1.1.30/1.2.0.

Please provide the versions of these packages.
Or even better, ensure you use an up-to-date system.
(In case of external repositories it might be more complicated.)

LS
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/F2U22ODNXNBXQYD4XTDY3Q7SFN6FSPU2/


[Freeipa-users] Re: ipa-client-install changed SELinux Booleans

2018-01-23 Thread Lukas Slebodnik via FreeIPA-users
On (23/01/18 15:01), Eric Scholwin via FreeIPA-users wrote:
>Interesting thought, I figured something had to have changed it, but what 
>would cause this to occur on my production box and not my test box? Both boxes 
>needed to install the exact same packages and dependencies, but this didn't 
>occur on the test box, only the production box. Going to dig further on this 
>either way, thanks for your input.
>

And a few SELinux booleans are changed in scriptlets,
not directly in ipa but in required packages.

e.g.
https://git.centos.org/blob/rpms!bind-dyndb-ldap.git/fd9006926e5457f367ae623933b3793505f15867/SPECS!bind-dyndb-ldap.spec#L75

LS


[Freeipa-users] Re: how to avoid ntpd?

2018-01-15 Thread Lukas Slebodnik via FreeIPA-users
On (15/01/18 10:53), Rob Crittenden via FreeIPA-users wrote:
>Anvar Kuchkartaev via FreeIPA-users wrote:
>> If you installed freeipa service or client with option --no-ntp then it 
>> won't use ntp to synchronise clock.
>> 
>> If you have already ipa server with ntpd installed:
>> 
>> https://www.redhat.com/archives/freeipa-users/2014-August/msg00197.html
>
>As I read it he has the reverse problem. He installed with NTP support
>and now wants to remove it.
>
>You need to remove NTP as a managed IPA service by removing the entry:
>
>cn=NTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
>
>ipactl will no longer try to start the service.
>
>Note that without good time then you may run into serious issues with
>Kerberos and replication.
>

I do not have any time related problems with chronyd + fedora *default* 
configuration.

LS


[Freeipa-users] Re: FreeIPA wiki: troubleshooting

2017-11-14 Thread Lukas Slebodnik via FreeIPA-users
On (13/11/17 12:45), Florence Blanc-Renaud via FreeIPA-users wrote:
>Hi all,
>
>FreeIPA wiki contains a really long page for Troubleshooting [1], and I would
>like to re-organize the content a little bit differently.
>
+1 for the effort.

BTW it might be good to have a section with links to troubleshooting of
"subcomponents": DNS (bind-dyndb-ldap), client (SSSD) ...

LS


[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-07 Thread Lukas Slebodnik via FreeIPA-users
On (07/11/17 10:34), Sigbjorn Lie via FreeIPA-users wrote:
>Hi,
>
>I would also prefer to stop using an unsupported distribution. Unfortunately 
>not all application vendors have updated their software, which prevents the 
>upgrade of these machines to a newer and supported distribution.
>

For such a setup I would recommend running sssd on el7 and the
application in a container with el5, bind-mounting /var/lib/sss/pipes/
from the host into the container.

Such a setup should be a little bit more secure.

LS


[Freeipa-users] Re: FreeIPA Sudo Issue

2017-10-10 Thread Lukas Slebodnik via FreeIPA-users
On (10/10/17 12:47), Alka Murali via FreeIPA-users wrote:
>Hello Team,
>
>I have integrated my Ubuntu/Debian and CentOS Servers as IPA Clients to my
>FreeIPA Server. The custom sudo rule added by me also works for the users
>assigned to the rule.
>
>The first login attempt as well as sudo access works fine. However if the
>user logs in later or after a few days, the sudo user is not recognised and
>in turn the user is getting locked out of the server. I have tested this and
>can see that even though there is no failed attempt by the user on the
>server, pam_sss is giving an access_denied error message which in turn blocks
>the user for ever.
>
>Is there any sort of pam settings that needs to be applied?
>
I would recommend checking the following pages:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
I'm sorry, but it is not possible to help without more details.


It is impossible it is a bug, so you can test with a newer version of sssd
1.15.x; otherwise please file a bug:
https://docs.pagure.org/SSSD.sssd/users/reporting_bugs.html

LS


[Freeipa-users] Re: Can't log on using password when /tmp is full

2017-09-20 Thread Lukas Slebodnik via FreeIPA-users
On (19/09/17 18:46), Florence Blanc-Renaud via FreeIPA-users wrote:
>On 09/18/2017 05:11 PM, Marius Bjørnstad via FreeIPA-users wrote:
>> Hi,
>> 
>> When /tmp is full, it is impossible to authenticate with Kerberos. Login 
>> with password over SSH and sudo don't work. Login with ssh key works fine. 
>> Here is the output in the system log when I try to log on via SSH with 
>> password auth (this is on RHEL 6):
>> 
>> Sep 18 16:56:59 vali sshd[35157]: Set /proc/self/oom_score_adj to 0
>> Sep 18 16:56:59 vali sshd[35157]: Connection from 192.168.1.48 port 49917
>> Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O 
>> operation failed XXX
>> Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O 
>> operation failed XXX
>> Sep 18 16:57:04 vali sshd[35157]: Failed password for paalmbj from 
>> 192.168.1.48 port 49917 ssh2
>> Sep 18 16:57:07 vali sshd[35158]: Connection closed by 192.168.1.48
>> 
>>  From SSH I get:
>> Permission denied, please try again.
>> 
>> The problem seems to be that Kerberos can't store its credentials cache. Is 
>> this normal, and is there a way around it? Sure, ideally I should limit the 
>> space usable by each user, but that doesn't help when a given user needs to 
>> log in and fix their tmp usage.
>> 
>> Thanks,
>> Marius
>> 
>Hi,
>
>the location of the credential cache can be specified either using the
>environment variable $KRB5CCNAME or globally in /etc/krb5.conf (with the
>setting default_ccache_name, or default value FILE:/tmp/krb5cc_%{uid} if not
>specified).
>
>Please note that more recent version of freeIPA configure default_ccache_name
>= KEYRING:persistent:%{uid}
>
Just a note that setting a KEYRING collection ccache requires a quite new kernel
and MIT krb5 (upstream 1.12 IIRC).

So the correct answer should be a recent version of freeIPA on rhel7 and fedora
:-)

LS


[Freeipa-users] Re: AD trust setup woes

2017-09-11 Thread Lukas Slebodnik via FreeIPA-users
On (11/09/17 07:42), Igor Sever via FreeIPA-users wrote:
>Can I use FreeIPA as Kerberos and LDAP provider (not as IPA) and still use 
>policies somehow?

Yes you can, but sssd-1.11.5.1 was quite broken and contained many bugs.
1.11.8 should be much better, but from the sssd upstream POV 1.13 is the long-term
maintenance branch. Older branches are not supported by upstream anymore.

LS


[Freeipa-users] Re: Fedora 26 upgrade, mkhomedir stops working

2017-08-12 Thread Lukas Slebodnik via FreeIPA-users
On (11/08/17 14:17), Steve Weeks via FreeIPA-users wrote:
>We are running FreeIPA 4.4
>
>I just upgraded a system from fedora 25 to fedora 26 using dnf.
>
>The first problem is that the mkhomedir option is lost.  I've reinstated it
>with:
>
>authconfig --enablemkhomedir --update
>
>The second problem is that AD users still can't login.  This is a server
>system with a tty style login.  The response from login is "Login
>incorrect".  When I look in the logs, I see "Permission denied".  hbactest
>says that the users should have access.
>
Which pam service was denied?

@see also https://bugzilla.redhat.com/show_bug.cgi?id=1474899#c8

LS


[Freeipa-users] Re: Unable to SSH into Linux machine using AD user

2017-08-07 Thread Lukas Slebodnik via FreeIPA-users
On (07/08/17 11:08), Supratik Goswami via FreeIPA-users wrote:
>Hi
>
>I am using trust between AD and IPA
>
>AD domain: ad.corp.example.com
>IPA domain: ipa.corp.example.com
>
>I am able to login using SSH to the IPA server using the AD user, when I am
>trying to login using
>SSH to the Linux client which is a member of the IPA domain it does not
>work.
>
>Please find my /etc/krb5.conf in the client machine below
>
>[libdefaults]
>  #default_realm = IPA.CORP.EXAMPLE.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>  udp_preference_limit = 0
>#  default_ccache_name = KEYRING:persistent:%{uid}
>
>
>[realms]
>  IPA.CORP.EXAMPLE.COM = {
>kdc = ipa01.ipa.corp.example.com:88
>master_kdc = ipa01.ipa.corp.example.com:88
>admin_server = ipa01.ipa.corp.example.com:749
>#default_domain = ipa.corp.example.com
>pkinit_anchors = FILE:/etc/ipa/ca.crt
>auth_to_local = RULE:[1:$1@$0](^.*@AD.CORP.EXAMPLE.COM$)s/@
>AD.CORP.EXAMPLE.COM/@ad.corp.example.com/
>auth_to_local = DEFAULT
>
>  }
>
>  AD.CORP.EXAMPLE.COM = {
>kdc = ad01.ad.corp.example.com:88
>master_kdc = ad01.ad.corp.example.com:88
>  }
>
>[domain_realm]
> .ipa.corp.example.com = IPA.CORP.EXAMPLE.COM
> ipa.corp.example.com = IPA.CORP.EXAMPLE.COM
> .ad.corp.example.com = AD.CORP.EXAMPLE.COM
> ad.corp.example.com = AD.CORP.EXAMPLE.COM
>
>
>Please find my SSD config below
>
>[sssd]
>config_file_version = 2
>services = nss, sudo, pam, ssh
>domains = ipa.corp.exampl.com
>
>[nss]
>homedir_substring = /home
>
>[domain/ipa.corp.example.com]
>debug_level = 9
>krb5_store_password_if_offline = True
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = ipa.corp.example.com
>ipa_hostname = host01.ipa.corp.example.com
>ipa_server = _srv_, ipa01.ipa.corp.example.com
>chpass_provider = ipa
>ldap_tls_cacert = /etc/ipa/ca.crt
>dns_discovery_domain = ipa.corp.example.com
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>
>
>Please find the krb5_child.log attached.
>
Which version of sssd do you use?

BTW here might be a reason:
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [main] (0x0400): Will perform online auth
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.CORP.EXAMPLE.COM]
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711333: Getting initial credentials for supratik.gosw...@ad.corp.example.com
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711406: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.CORP.EXAMPLE.COM
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711468: Retrieving host/sup01.sg.aws.example@ipa.corp.example.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/AD.CORP.EXAMPLE.COM\@AD.CORP.EXAMPLE.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.CORP.EXAMPLE.COM with result: -1765328243/Matching credential not found
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711534: Sending request (192 bytes) to AD.CORP.EXAMPLE.COM
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711658: Resolving hostname

[Freeipa-users] Re: FreeIPA 2FA CentOS 6

2017-07-28 Thread Lukas Slebodnik via FreeIPA-users
On (28/07/17 15:39), Devin Acosta via FreeIPA-users wrote:
>I have noticed that when I enable FreeIPA all my CentOS 7.x boxes work via
>SSH just fine, however none of my CentOS 6 boxes work. I read that 2FA
>didn't come until CentOS 7.1. So my question is does 2FA via SSH not work
>at all if you have a RHEL 6 / CentOS 6 server? Just curious.
>
2FA (OTP) cannot work on rhel6 because there is an old version
of krb5-libs and therefore that feature is disabled in sssd
at compile time.

You need to use at least el7.

LS


[Freeipa-users] Re: diskless workstations in an IPA domain

2017-07-22 Thread Lukas Slebodnik via FreeIPA-users
On (21/07/17 17:20), Jacquelin Charbonnel via FreeIPA-users wrote:
>Hi everybody,
>
>   Right now, I enroll diskless Fedora26 workstations (with stateless Linux) into
>my IPA domain.
>   Inside the readonly root image, /etc/sysconfig/selinux contains:
>
>SELINUX=disabled
>SELINUXTYPE=targeted
>
>and /etc/sssd/sssd.conf contains:
>
>[domain/math]
>selinux_provider = none
>debug_level=0x0070
>...
>
>   So, authentication of a domain account seems to be working well, but nevertheless
>each time, journalctl says:
>
>juil. 21 16:11:32 pc-f26.math systemd-coredump[22019]:
>Process 22017 (selinux_child) of user 0 dumped core.
>
>Stack trace of thread 22017:
>#0  0x7f60bac8dd24 semanage_seuser_key_free (libsemanage.so.1)
>#1  0x5639b0b5326d set_seuser (selinux_child)
>#2  0x5639b0b52a3f main (selinux_child)
>#3  0x7f60ba8b94da __libc_start_main (libc.so.6)
>#4  0x5639b0b52dba _start (selinux_child)
>
Please file a fedora bug to sssd and attach coredump there.
Or all data caught by abrt.

LS


[Freeipa-users] Re: docker container user no matching entries in passwd file

2017-07-19 Thread Lukas Slebodnik via FreeIPA-users
On (17/07/17 09:54), Thomas Lau via FreeIPA-users wrote:
>docker-host# docker run --user=testaccount1 -d  -p 9001:9001  e7b263ac54e2
>990c220ccb30b5012e7e5aa45f7e9345098cdb867328302daff567474055de02
>docker: Error response from daemon: linux spec user: unable to find user
>testaccount1: no matching entries in passwd file.
>
>
>
>docker-host# getent passwd testaccount1
>testaccount1:*:1218400025:1218400025:test
>account:/local/home/testaccount1:/bin/bash
>
>Does anyone know how exactly I can run a docker container as an account which is in
>FreeIPA?
>

Use the UID instead of the name.

e.g.
[root@host ~]# docker run --user=lslebodn -ti fedora:26 uname
/usr/bin/docker-current: Error response from daemon: linux spec user: unable to
find user lslebodn: no matching entries in passwd file.

[root@host ~]# docker run --user=`id -u lslebodn` -ti fedora:26 uname
Linux

LS
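The workaround above relies on the host's NSS (where SSSD serves IPA users) to turn the account name into numeric IDs, because a non-numeric --user is looked up only in the image's /etc/passwd. As an added example, not from the thread or from the docker/FreeIPA projects, here is a small wrapper that does that resolution with a clear failure when the account is unknown; `resolve_uid_gid` and `run_as_ipa_user` are hypothetical helper names.

```shell
#!/bin/sh
# Resolve an account to "uid:gid" through the host's NSS stack (glibc ->
# sssd -> IPA) and pass the numeric IDs to docker, which otherwise consults
# only the container image's /etc/passwd and fails with
# "no matching entries in passwd file" for IPA users.
# Hypothetical helper names; added example, not project code.

# Print "uid:gid" for the given account, or fail if NSS cannot resolve it.
# Passing the gid too keeps the primary group correct inside the container.
resolve_uid_gid() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    gid=$(id -g "$1" 2>/dev/null) || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

# Usage: run_as_ipa_user <account> <image> [command...]
run_as_ipa_user() {
    account=$1
    image=$2
    shift 2
    ids=$(resolve_uid_gid "$account") || {
        echo "cannot resolve '$account' via NSS on the host (sssd offline?)" >&2
        return 1
    }
    # A numeric --user never needs a passwd entry inside the image.
    docker run --user="$ids" -ti "$image" "$@"
}
```

Running `run_as_ipa_user lslebodn fedora:26 uname` performs the same `id -u` expansion the reply shows, and refuses to start the container instead of silently falling back when the host cannot resolve the account.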


[Freeipa-users] Re: Enroll CentOS 5 on FreeIPA 4.3

2017-06-07 Thread Lukas Slebodnik via FreeIPA-users
On (07/06/17 10:21), Jose Alvarez R. via FreeIPA-users wrote:
>Hello
>
>A question
>
>What other way can I use to enroll my client server on my IPA server?
>
>I have an IPA server with OS Fedora 24 and
>freeipa-server-4.3.3-1.fc24.x86_64
>
>My client server has OS CentOS release 5.10  with
Just for your information,
CentOS 5 is not supported anymore:
https://lists.centos.org/pipermail/centos-announce/2017-April/022350.html

If you care about security fixes, then I would recommend migrating to
CentOS 6 or even 7.

LS