[Freeipa-users] Re: freeipa client working on ubuntu 16.04 but not 14.04

2018-01-04 Thread Cody Rathgeber via FreeIPA-users
Thanks,

Here's what I get in the sssd nss log with debug level set to 6;

(Thu Jan  4 14:35:56 2018) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]

(Thu Jan  4 14:35:56 2018) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [*] from []

(Thu Jan  4 14:35:56 2018) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [*@redacted.net]

(Thu Jan  4 14:35:56 2018) [sssd[nss]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x417c90:1:*@redacted.net]

(Thu Jan  4 14:35:56 2018) [sssd[nss]] [sss_dp_get_account_msg] (0x0400):
Creating request for [redacted.net][4097][1][name=*]

(Thu Jan  4 14:35:56 2018) [sssd[nss]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x417c90:1:*@redacted.net]

(Thu Jan  4 14:35:56 2018) [sssd[nss]] [nss_cmd_getby_dp_callback]
(0x0040): Unable to get information from Data Provider

Error: 1, 11, Fast reply - offline


Now I know the data provider is up because the 16.04 machines can get to
it, all the "redacted.net"s are the proper domain, the clients can resolve
everything fine. Is the "using default domain [(null)]" at the top
something I should be worried about? kinit admin username also
works so I know kerberos is working fine.

On Thu, Jan 4, 2018 at 2:20 PM, Rob Crittenden wrote:

> Cody Rathgeber via FreeIPA-users wrote:
> > Hello,
> >
> > I'm trying to deploy freeipa to an environment running a mix of ubuntu
> > 16.04 and 14.04 servers.
> > on 16.04 the servers join and can pull down users no problem, on 14.04
> > when joining it'll throw a
> >
> > "Unable to find 'admin' user with 'getent passwd ad...@redacted.net
> > '!:"
> >
> >
> > And sure enough getent passwd won't pull details, and thus no accounts
> > can be pulled down as far as I can tell.
> >
> > It works on every 16.04 machine and fails on every 14.04. Anyone have
> > any tips/ideas on how i'd go about troubleshooting this? This is with
> > doing an apt-get install freeipa-client and ipa-client-install.
>
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
>
> rob
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
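
An added example (not part of any post in this thread): a small Python reader for the sssd_nss.log excerpt above. It rejoins the wrapped lines, decodes the debug-level mask as documented in sssd.conf(5), and names the domain log to read next when the data provider answers "offline". The sample input is reconstructed from the post; the DP_ERRORS names and the /var/log/sssd path are assumptions taken from SSSD's source and default packaging.

```python
import re

# Constructed input: part of the sssd_nss.log excerpt quoted in the post,
# including the line wrapping the mail client introduced.
SAMPLE_LOG = """\
(Thu Jan  4 14:35:56 2018) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [*@redacted.net]

(Thu Jan  4 14:35:56 2018) [sssd[nss]] [sss_dp_get_account_msg] (0x0400):
Creating request for [redacted.net][4097][1][name=*]

(Thu Jan  4 14:35:56 2018) [sssd[nss]] [nss_cmd_getby_dp_callback]
(0x0040): Unable to get information from Data Provider

Error: 1, 11, Fast reply - offline
"""

# Debug level bit masks as documented in sssd.conf(5).
LEVELS = {
    0x0010: "fatal failure",
    0x0020: "critical failure",
    0x0040: "serious failure",
    0x0080: "minor failure",
    0x0100: "configuration settings",
    0x0200: "function data",
    0x0400: "trace (operation functions)",
    0x1000: "trace (internal control functions)",
    0x2000: "function-internal variables",
    0x4000: "low-level tracing",
}
FAILURE_MASK = 0x00F0  # any of the four failure levels

# Assumption: major code of the data provider reply (SSSD's dp_err_type enum).
DP_ERRORS = {0: "DP_ERR_OK", 1: "DP_ERR_OFFLINE",
             2: "DP_ERR_TIMEOUT", 3: "DP_ERR_FATAL"}

# A record starts with "(Www Mmm dd hh:mm:ss yyyy) "; a wrapped "(0x0040):"
# continuation also starts with "(" and must not be taken for a new record.
RECORD_START = re.compile(r"^\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\) ")
RECORD = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\S*?)\] \[(?P<func>\w+)\] "
    r"\((?P<mask>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
DP_REQUEST = re.compile(r"Creating request for \[([^\]]+)\]")
DP_REPLY = re.compile(r"Error: (\d+), (\d+), (.+)$")


def unwrap(text):
    """Rejoin wrapped and multi-line log records into one string each."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            if current is not None:
                records.append(current)
            current = line
        elif current is not None:
            current += " " + line
    if current is not None:
        records.append(current)
    return records


def diagnose(text):
    """Return one finding per failure-level record, with the DP reply decoded."""
    findings, domain = [], None
    for raw in unwrap(text):
        m = RECORD.match(raw)
        if not m:
            continue
        mask, msg = int(m.group("mask"), 16), m.group("msg")
        req = DP_REQUEST.search(msg)
        if req:
            domain = req.group(1)  # domain the responder asked the backend about
        if not mask & FAILURE_MASK:
            continue
        finding = {
            "time": m.group("ts"),
            "process": m.group("proc"),
            "function": m.group("func"),
            "level": LEVELS.get(mask, hex(mask)),
            "message": msg,
            "dp_error": None,
            "next_log": None,
        }
        reply = DP_REPLY.search(msg)
        if reply:
            finding["dp_error"] = DP_ERRORS.get(int(reply.group(1)), "unknown")
            # An offline reply comes from the backend (sssd_be), so the cause
            # is recorded in the domain log, not in the nss responder log.
            if finding["dp_error"] == "DP_ERR_OFFLINE" and domain:
                finding["next_log"] = "/var/log/sssd/sssd_%s.log" % domain
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print("%(time)s %(process)s %(function)s [%(level)s]" % f)
        print("  %(message)s" % f)
        if f["next_log"]:
            print("  backend reported %(dp_error)s, read %(next_log)s" % f)
```
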


[Freeipa-users] Re: freeipa client working on ubuntu 16.04 but not 14.04

2018-01-04 Thread Jochen Hein via FreeIPA-users
Cody Rathgeber via FreeIPA-users writes:

> I'm trying to deploy freeipa to an environment running a mix of ubuntu
> 16.04 and 14.04 servers.
> on 16.04 the servers join and can pull down users no problem, on 14.04 when
> joining it'll throw a
>
> "Unable to find 'admin' user with 'getent passwd ad...@redacted.net'!:"

What packages do you use on 14.04?  I'm using the packages from
ppa:freeipa/4.0.  What's your IPA server release?

There were also reports about sssd problems:
https://www.redhat.com/archives/freeipa-users/2017-January/msg00190.html

Jochen

-- 
This space is intentionally left blank.


[Freeipa-users] Re: freeipa client working on ubuntu 16.04 but not 14.04

2018-01-04 Thread Rob Crittenden via FreeIPA-users
Cody Rathgeber via FreeIPA-users wrote:
> Hello,
> 
> I'm trying to deploy freeipa to an environment running a mix of ubuntu
> 16.04 and 14.04 servers.
> on 16.04 the servers join and can pull down users no problem, on 14.04
> when joining it'll throw a 
> 
> "Unable to find 'admin' user with 'getent passwd ad...@redacted.net
> '!:"
> 
> 
> And sure enough getent passwd won't pull details, and thus no accounts
> can be pulled down as far as I can tell. 
> 
> It works on every 16.04 machine and fails on every 14.04. Anyone have
> any tips/ideas on how i'd go about troubleshooting this? This is with
> doing an apt-get install freeipa-client and ipa-client-install.

https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

rob


[Freeipa-users] freeipa client working on ubuntu 16.04 but not 14.04

2018-01-04 Thread Cody Rathgeber via FreeIPA-users
Hello,

I'm trying to deploy freeipa to an environment running a mix of ubuntu
16.04 and 14.04 servers.
on 16.04 the servers join and can pull down users no problem, on 14.04 when
joining it'll throw a

"Unable to find 'admin' user with 'getent passwd ad...@redacted.net'!:"


And sure enough getent passwd won't pull details, and thus no accounts can
be pulled down as far as I can tell.

It works on every 16.04 machine and fails on every 14.04. Anyone have any
tips/ideas on how i'd go about troubleshooting this? This is with doing an
apt-get install freeipa-client and ipa-client-install.

Thanks!


[Freeipa-users] Re: Forwarders don't work when enabled but do work when disabled

2018-01-04 Thread Martin Basti via FreeIPA-users
Hello,

Could you be more specific about your configuration?

How did you disable the forwarder, and what is your forwarder configuration?

Martin


[Freeipa-users] Re: client fails - requested domain name does not match the server's certificate

2018-01-04 Thread Natxo Asenjo via FreeIPA-users
On Thu, Jan 4, 2018 at 7:01 PM, lejeczek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

[knip]

> Joining realm failed: libcurl failed to execute the HTTP POST transaction,
> explaining:  Unable to communicate securely with peer: requested domain
> name does not match the server's certificate.
>

that's your problem right there, your server certificate does not match the
server dnsname.

Why are you not using autodiscovery and forcing to use this server?

--
Groeten,
natxo


[Freeipa-users] New replica (4.5) issues

2018-01-04 Thread john.bowman--- via FreeIPA-users
After some trial and error I was finally able to get a new replica + CA 
(RHEL7.4 and ipa-server 4.5) added to our existing mixed (RHEL 6 and ipa server 
3.0 - 4.x) and the ipa-replica-install command completed successfully but now 
when I run the ipa-manage-replica -v list  command I see this:

# ipa-replica-manage -v list ipa5.domain.tld
Directory Manager password:

ipa1.domain.tld: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (3) Replication error acquiring replica: Unable to 
acquire replica: permission denied. The bind dn does not have permission to 
supply replication updates to the replica. Will retry later. (permission denied)
  last update ended: 1970-01-01 00:00:00+00:00

I ran the ipa-replica-manage re-initialize and it runs successfully and the 
above permission denied error goes away but the host can not be connected to 
any other replicas, it no longer sees itself as a replica or csreplica.  I 
assume this is due to the re-init.   I'm leery of trying to force it to try and 
join and potentially cause more issues.   I would appreciate any helpful 
suggestions.


[Freeipa-users] Re: debian 8 freeipa-client

2018-01-04 Thread Andrew Radygin via FreeIPA-users
Flo, of course it installed.

# which python
/usr/bin/python

# python -V
Python 2.7.14+

=
It seems Timo is right.
Updated python-six to 1.11 and dpkg --configure executed successfully.

BUT, I've got the next error :)

# ipa-client-install ..
There was a problem importing one of the required Python modules. The
error was:

No module named SSSDConfig

=
After that I installed the python-sss 1.15 package and further enrollment
completed without errors.

Thanks to all for assistance.

Why is installing the ipa client on Debian so cumbersome?

2018-01-04 16:41 GMT+03:00 Timo Aaltonen:

> On 04.01.2018 12:48, Andrew Radygin via FreeIPA-users wrote:
> > Flo,
> > I've checked certmonger dbus config - it's okay and identical to another
> > one working.
> > But after restart dbus - certmonger configured and installed successfully.
> >
> > Although I have another problem error now:
> >
> > 
> > # apt-get install freeipa-client
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > freeipa-client is already the newest version.
> > 0 upgraded, 0 newly installed, 0 to remove and 427 not upgraded.
> > 1 not fully installed or removed.
> > After this operation, 0 B of additional disk space will be used.
> > Do you want to continue? [Y/n]
> > Setting up freeipa-client (4.4.4-4) ...
> > dpkg: error processing package freeipa-client (--configure):
> >  subprocess installed post-installation script returned error exit status 1
> > Errors were encountered while processing:
> >  freeipa-client
> > E: Sub-process /usr/bin/dpkg returned an error code (1)
> > ===
> >
> > # ps auxf |grep cert
> > root 11868  0.0  0.0  12772   980 pts/0S+   13:35
> > 0:00  \_ grep cert
> > root 11781  0.0  0.1  70728  5072 ?Ss   13:31   0:00
> > /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
> >
> > # cat /var/log/dpkg.log
> > 2018-01-04 13:31:26 startup packages configure
> > 2018-01-04 13:31:26 configure certmonger:amd64 0.79.3-1 
> > 2018-01-04 13:31:26 status half-configured certmonger:amd64 0.79.3-1
> > 2018-01-04 13:31:26 status installed certmonger:amd64 0.79.3-1
> > 2018-01-04 13:31:27 configure freeipa-client:amd64 4.4.4-4 
> > 2018-01-04 13:31:27 status unpacked freeipa-client:amd64 4.4.4-4
> > 2018-01-04 13:31:27 status half-configured freeipa-client:amd64 4.4.4-4
> > 2018-01-04 13:32:03 startup packages configure
> > 2018-01-04 13:32:03 configure freeipa-client:amd64 4.4.4-4 
> > 2018-01-04 13:32:03 status half-configured freeipa-client:amd64 4.4.4-4
> >
> > ===
> >
> > From /var/lib/dpkg/info/freeipa-client.postinst I've found following log
> > file - /var/log/ipaclient-upgrade.log
> > And there is such messages:
> >
> > Traceback (most recent call last):
> >   File "", line 1, in 
> >   File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 31,
> > in 
> > from ipalib import x509
> >   File "/usr/lib/python2.7/dist-packages/ipalib/__init__.py", line 885,
> > in 
> > from ipalib import plugable
> >   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 41,
> > in 
> > from ipalib import errors
> >   File "/usr/lib/python2.7/dist-packages/ipalib/errors.py", line 109, in
> > 
> > from ipalib.text import ngettext as ungettext
> >   File "/usr/lib/python2.7/dist-packages/ipalib/text.py", line 193, in
> > 
> > @six.python_2_unicode_compatible
> > AttributeError: 'module' object has no attribute
> > 'python_2_unicode_compatible'
>
> python-six is too old, 1.8.0 doesn't have that, 1.10.0 from stretch
> (Debian 9) does.
>
>
>
> --
> t
>



-- 
Best regards, Andrew.


[Freeipa-users] Re: Ubuntu -> Fedora and tomcat SetAllPropertiesRule warnings

2018-01-04 Thread David Harvey via FreeIPA-users
Point No.2 Is now sorted. It was the old missing Subject Alternative Name
extension in certificate problem (which I had only seen with https until
now!).
I would still love to know if I need to live in fear of the other errors
though :)

On 4 January 2018 at 12:25, David Harvey wrote:

> Dear list,
>
> In trying to escape from the various issues facing the ubuntu freeipa, I
> attempted to make the switch to Fedora 26 (same freeipa version 4.4.4).
>
> This seemed to go well (adding new replica first, and then replacing the
> ubuntu based installs), but I notice on my fedora boxes several warnings in
> /v/l/messages (pasted below).  Firstly, are these harmful, and what might I
> need to rectify!? I have a half baked theory that this might relate to some
> of the aspects that were broken in ubuntu and carrying their breakage
> across to the new platform!
>
> Secondly - could they relate to an issue I am seeing where one specific
> LDAPS client application is failing to verify the ldap server cert (even
> though other clients are quite happy talking to it) since the ipa server
> reinstall?
>
> Advice appreciated, thank you in advance!
>
> David
>
>
>
>
> Jan  4 11:53:09 ipa3 server[1357]: WARNING: Problem with JAR file
> [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead:
> [false]
> Jan  4 11:53:09 ipa3 ntpd[1200]: Soliciting pool server 45.79.111.114
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'enableOCSP' to 'false' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspResponderURL' to 'http://ipa3.thomac.net:9080/
> ca/ocsp' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspResponderCertNickname' to 'ocspSigningCert
> cert-pki-ca' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspCacheSize' to '1000' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspMinCacheEntryDuration' to '60' did not find a
> matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a
> matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspTimeout' to '10' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'strictCiphers' to 'true' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not
> find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_
> RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-
> SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_
> WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching
> property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_
> SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_
> RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_
> WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_
> RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_
> FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_
> RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_
> AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a
> matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_
> CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_
> RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_
> SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_
> WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_
> SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_
> CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_
> 3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_
> AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_
> DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_
> SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_
> 

[Freeipa-users] Re: debian 8 freeipa-client

2018-01-04 Thread Timo Aaltonen via FreeIPA-users
On 04.01.2018 12:48, Andrew Radygin via FreeIPA-users wrote:
> Flo,
> I've checked certmonger dbus config - it's okay and identical to another
> one working.
> But after restart dbus - certmonger configured and installed successfully.
> 
> Although I have another problem error now:
> 
> 
> # apt-get install freeipa-client
> Reading package lists... Done
> Building dependency tree  
> Reading state information... Done
> freeipa-client is already the newest version.
> 0 upgraded, 0 newly installed, 0 to remove and 427 not upgraded.
> 1 not fully installed or removed.
> After this operation, 0 B of additional disk space will be used.
> Do you want to continue? [Y/n]
> Setting up freeipa-client (4.4.4-4) ...
> dpkg: error processing package freeipa-client (--configure):
>  subprocess installed post-installation script returned error exit status 1
> Errors were encountered while processing:
>  freeipa-client
> E: Sub-process /usr/bin/dpkg returned an error code (1)
> ===
> 
> # ps auxf |grep cert
> root 11868  0.0  0.0  12772   980 pts/0    S+   13:35  
> 0:00  \_ grep cert
> root 11781  0.0  0.1  70728  5072 ?    Ss   13:31   0:00
> /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
> 
> # cat /var/log/dpkg.log
> 2018-01-04 13:31:26 startup packages configure
> 2018-01-04 13:31:26 configure certmonger:amd64 0.79.3-1 
> 2018-01-04 13:31:26 status half-configured certmonger:amd64 0.79.3-1
> 2018-01-04 13:31:26 status installed certmonger:amd64 0.79.3-1
> 2018-01-04 13:31:27 configure freeipa-client:amd64 4.4.4-4 
> 2018-01-04 13:31:27 status unpacked freeipa-client:amd64 4.4.4-4
> 2018-01-04 13:31:27 status half-configured freeipa-client:amd64 4.4.4-4
> 2018-01-04 13:32:03 startup packages configure
> 2018-01-04 13:32:03 configure freeipa-client:amd64 4.4.4-4 
> 2018-01-04 13:32:03 status half-configured freeipa-client:amd64 4.4.4-4
> 
> ===
> 
> From /var/lib/dpkg/info/freeipa-client.postinst I've found following log
> file - /var/log/ipaclient-upgrade.log
> And there is such messages:
> 
> Traceback (most recent call last):
>   File "", line 1, in 
>   File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 31,
> in 
>     from ipalib import x509
>   File "/usr/lib/python2.7/dist-packages/ipalib/__init__.py", line 885,
> in 
>     from ipalib import plugable
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 41,
> in 
>     from ipalib import errors
>   File "/usr/lib/python2.7/dist-packages/ipalib/errors.py", line 109, in
> 
>     from ipalib.text import ngettext as ungettext
>   File "/usr/lib/python2.7/dist-packages/ipalib/text.py", line 193, in
> 
>     @six.python_2_unicode_compatible
> AttributeError: 'module' object has no attribute
> 'python_2_unicode_compatible'

python-six is too old, 1.8.0 doesn't have that, 1.10.0 from stretch
(Debian 9) does.



-- 
t


[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

2018-01-04 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jan 04, 2018 at 11:30:22AM +0100, Johan Vermeulen via FreeIPA-users wrote:
> Hello,
> 
> apologies for the late reply, due to the holidays.
> 
> I had a call from a user this morning, she had to do multiple login
> attempts and reboot several times before she could login.
> 
> Trying to follow
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
> 
> I assume the general setup works, as troubles only show up when password
> expires.
> On the  users laptop:
> 
> [root@lremijsen ~]# systemctl status sssd
> ● sssd.service - System Security Services Daemon
>Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor
> preset: disabled)
>   Drop-In: /etc/systemd/system/sssd.service.d
>└─journal.conf
>Active: active (running) since do 2018-01-04 08:42:01 CET; 2h 35min ago
>   Process: 730 ExecStart=/usr/sbin/sssd -D -f (code=exited,
> status=0/SUCCESS)
>  Main PID: 757 (sssd)
>CGroup: /system.slice/sssd.service
>├─757 /usr/sbin/sssd -D -f
>├─767 /usr/libexec/sssd/sssd_be --domain network.cawdekempen.be
> --uid 0 --gid 0 --debug-to-files
>├─774 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
>├─775 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0
> --debug-to-files
>├─776 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
>├─777 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
>└─778 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
> 
> jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 2
> jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 2
> jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 2
> 
> In /var/log/secure there is always a clear message that the password is
> expired:
> 
> Jan  4 10:06:13 lremijsen mate-screensaver-dialog:
> pam_sss(mate-screensaver:auth): authentication failure; logname=
> uid=382900705 euid=382900705 tty=:0.0 ruser= rhost= user=lremijsen
> Jan  4 10:06:13 lremijsen mate-screensaver-dialog:
> pam_sss(mate-screensaver:auth): received for user lremijsen: 12
> (Authenticatietoken is niet langer geldig; nieuwe is vereist)
> Jan  4 10:06:14 lremijsen mate-screensaver-dialog:
> pam_sss(mate-screensaver:account): User info message: Wachtwoord verlopen.
> Verander nu uw wachtwoord.
> 
> sssd_pam.log only shows:
> 
> (Tue Jan  2 13:05:46 2018) [sssd[pam]] [orderly_shutdown] (0x0010):
> SIGTERM: killing children
> 
>sssd_network.cawdekempen.be.log only shows:
> 
> (Tue Jan  2 13:05:46 2018) [sssd[be[network.cawdekempen.be]]]
> [orderly_shutdown] (0x0010): SIGTERM: killing children
> 
> I suppose I have to increase the log levels?

Yes, by default, SSSD doesn't log much. I think you would need
especially the pam and domain service debug logs.


[Freeipa-users] Re: debian 8 freeipa-client

2018-01-04 Thread Florence Blanc-Renaud via FreeIPA-users

On 01/04/2018 11:48 AM, Andrew Radygin via FreeIPA-users wrote:

Flo,
I've checked certmonger dbus config - it's okay and identical to another 
one working.

But after restart dbus - certmonger configured and installed successfully.

Although I have another problem error now:


# apt-get install freeipa-client
Reading package lists... Done
Building dependency tree
Reading state information... Done
freeipa-client is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 427 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up freeipa-client (4.4.4-4) ...
dpkg: error processing package freeipa-client (--configure):
  subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
  freeipa-client
E: Sub-process /usr/bin/dpkg returned an error code (1)
===

# ps auxf |grep cert
root 11868  0.0  0.0  12772   980 pts/0    S+   13:35   
0:00  \_ grep cert
root 11781  0.0  0.1  70728  5072 ?    Ss   13:31   0:00 
/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n


# cat /var/log/dpkg.log
2018-01-04 13:31:26 startup packages configure
2018-01-04 13:31:26 configure certmonger:amd64 0.79.3-1 
2018-01-04 13:31:26 status half-configured certmonger:amd64 0.79.3-1
2018-01-04 13:31:26 status installed certmonger:amd64 0.79.3-1
2018-01-04 13:31:27 configure freeipa-client:amd64 4.4.4-4 
2018-01-04 13:31:27 status unpacked freeipa-client:amd64 4.4.4-4
2018-01-04 13:31:27 status half-configured freeipa-client:amd64 4.4.4-4
2018-01-04 13:32:03 startup packages configure
2018-01-04 13:32:03 configure freeipa-client:amd64 4.4.4-4 
2018-01-04 13:32:03 status half-configured freeipa-client:amd64 4.4.4-4

===

 From /var/lib/dpkg/info/freeipa-client.postinst I've found following 
log file - /var/log/ipaclient-upgrade.log

And there is such messages:

Traceback (most recent call last):
   File "", line 1, in 
   File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 31, 
in 

     from ipalib import x509
   File "/usr/lib/python2.7/dist-packages/ipalib/__init__.py", line 885, 
in 

     from ipalib import plugable
   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 41, 
in 

     from ipalib import errors
   File "/usr/lib/python2.7/dist-packages/ipalib/errors.py", line 109, 
in 

     from ipalib.text import ngettext as ungettext
   File "/usr/lib/python2.7/dist-packages/ipalib/text.py", line 193, in 


     @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 
'python_2_unicode_compatible'




It's obviously error from this code:

#!/bin/sh
set -e

LOGFILE=/var/log/ipaclient-upgrade.log

if [ "$1" = configure ]; then
     python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' \
     > $LOGFILE 2>&1
fi

=

And executing it manually:

# python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'

Traceback (most recent call last):
   File "", line 1, in 
   File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 31, 
in 

     from ipalib import x509
   File "/usr/lib/python2.7/dist-packages/ipalib/__init__.py", line 885, 
in 

     from ipalib import plugable
   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 41, 
in 

     from ipalib import errors
   File "/usr/lib/python2.7/dist-packages/ipalib/errors.py", line 109, 
in 

     from ipalib.text import ngettext as ungettext
   File "/usr/lib/python2.7/dist-packages/ipalib/text.py", line 193, in 


     @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 
'python_2_unicode_compatible'



Hi,

the error seems familiar, it may be linked to ticket 7299 [1]. Is 
python2 installed on your machine?


Flo.

[1] https://pagure.io/freeipa/issue/7299

2018-01-03 18:30 GMT+03:00 Lee Wiscovitch via FreeIPA-users:


Doesn't really address the core issue, but wanted to chime in that
we ended up having to manually configure our Debian 8 instances to
work with our RHEL IPA servers.

We use ansible to automate the entire process, the playbook contents
below should be descriptive enough to know what is being done. We
got the config files from other RHEL IPA clients and tweaked as
necessary for platform differences (PAM was kinda tricky):

- name: apt - update base image
   apt: upgrade=dist update_cache=yes

- name: apt - install packages
   apt: name={{ item }} update_cache=yes state=latest
   with_items:
   - curl
   - krb5-user
   - libpam-ccreds
   - libpam-krb5
   - libselinux1
   - ntpdate
   - openssl
   - policycoreutils
   - sssd

- name: ntp - run ntpdate
   action: command ntpdate 10.xxx.xxx.123

- 

[Freeipa-users] Ubuntu -> Fedora and tomcat SetAllPropertiesRule warnings

2018-01-04 Thread David Harvey via FreeIPA-users
Dear list,

In trying to escape from the various issues facing the ubuntu freeipa, I
attempted to make the switch to Fedora 26 (same freeipa version 4.4.4).

This seemed to go well (adding new replica first, and then replacing the
ubuntu based installs), but I notice on my fedora boxes several warnings in
/v/l/messages (pasted below).  Firstly, are these harmful, and what might I
need to rectify!? I have a half baked theory that this might relate to some
of the aspects that were broken in ubuntu and carrying their breakage
across to the new platform!

Secondly - could they relate to an issue I am seeing where one specific
LDAPS client application is failing to verify the ldap server cert (even
though other clients are quite happy talking to it) since the ipa server
reinstall?

Advice appreciated, thank you in advance!

David




Jan  4 11:53:09 ipa3 server[1357]: WARNING: Problem with JAR file
[/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead:
[false]
Jan  4 11:53:09 ipa3 ntpd[1200]: Soliciting pool server 45.79.111.114
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'enableOCSP' to 'false' did not find a matching property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderURL' to 'http://ipa3.thomac.net:9080/ca/ocsp' did not find a
matching property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a
matching property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspCacheSize' to '1000' did not find a matching property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspTimeout' to '10' did not find a matching property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'strictCiphers' to 'true' did not find a matching property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching
property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ssl2Ciphers' to
'-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5'
did not find a matching property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ssl3Ciphers' to
'-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'
did not find a matching property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'tlsCiphers' to
'-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
did not find a matching property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching
property.
Jan  4 11:53:10 ipa3 server[1357]: WARNING:

[Freeipa-users] Re: debian 8 freeipa-client

2018-01-04 Thread Andrew Radygin via FreeIPA-users
Flo,
I've checked certmonger dbus config - it's okay and identical to another
one working.
But after restarting dbus, certmonger configured and installed successfully.

Although I have another error now:


# apt-get install freeipa-client
Reading package lists... Done
Building dependency tree
Reading state information... Done
freeipa-client is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 427 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up freeipa-client (4.4.4-4) ...
dpkg: error processing package freeipa-client (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 freeipa-client
E: Sub-process /usr/bin/dpkg returned an error code (1)
===

# ps auxf |grep cert
root 11868  0.0  0.0  12772   980 pts/0    S+   13:35   0:00  \_ grep cert
root 11781  0.0  0.1  70728  5072 ?        Ss   13:31   0:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n

# cat /var/log/dpkg.log
2018-01-04 13:31:26 startup packages configure
2018-01-04 13:31:26 configure certmonger:amd64 0.79.3-1 
2018-01-04 13:31:26 status half-configured certmonger:amd64 0.79.3-1
2018-01-04 13:31:26 status installed certmonger:amd64 0.79.3-1
2018-01-04 13:31:27 configure freeipa-client:amd64 4.4.4-4 
2018-01-04 13:31:27 status unpacked freeipa-client:amd64 4.4.4-4
2018-01-04 13:31:27 status half-configured freeipa-client:amd64 4.4.4-4
2018-01-04 13:32:03 startup packages configure
2018-01-04 13:32:03 configure freeipa-client:amd64 4.4.4-4 
2018-01-04 13:32:03 status half-configured freeipa-client:amd64 4.4.4-4

===

From /var/lib/dpkg/info/freeipa-client.postinst I found the following log
file - /var/log/ipaclient-upgrade.log
And it contains these messages:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 31, in <module>
    from ipalib import x509
  File "/usr/lib/python2.7/dist-packages/ipalib/__init__.py", line 885, in <module>
    from ipalib import plugable
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 41, in <module>
    from ipalib import errors
  File "/usr/lib/python2.7/dist-packages/ipalib/errors.py", line 109, in <module>
    from ipalib.text import ngettext as ungettext
  File "/usr/lib/python2.7/dist-packages/ipalib/text.py", line 193, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'



It's obviously an error from this code:

#!/bin/sh
set -e

LOGFILE=/var/log/ipaclient-upgrade.log

if [ "$1" = configure ]; then
    python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' \
        > $LOGFILE 2>&1
fi

=

And executing it manually:

# python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 31, in <module>
    from ipalib import x509
  File "/usr/lib/python2.7/dist-packages/ipalib/__init__.py", line 885, in <module>
    from ipalib import plugable
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 41, in <module>
    from ipalib import errors
  File "/usr/lib/python2.7/dist-packages/ipalib/errors.py", line 109, in <module>
    from ipalib.text import ngettext as ungettext
  File "/usr/lib/python2.7/dist-packages/ipalib/text.py", line 193, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'

2018-01-03 18:30 GMT+03:00 Lee Wiscovitch via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:

> Doesn't really address the core issue, but wanted to chime in that we
> ended up having to manually configure our Debian 8 instances to work with
> our RHEL IPA servers.
>
> We use ansible to automate the entire process, the playbook contents below
> should be descriptive enough to know what is being done. We got the config
> files from other RHEL IPA clients and tweaked as necessary for platform
> differences (PAM was kinda tricky):
>
> - name: apt - update base image
>   apt: upgrade=dist update_cache=yes
>
> - name: apt - install packages
>   apt: name={{ item }} update_cache=yes state=latest
>   with_items:
>   - curl
>   - krb5-user
>   - libpam-ccreds
>   - libpam-krb5
>   - libselinux1
>   - ntpdate
>   - openssl
>   - policycoreutils
>   - sssd
>
> - name: ntp - run ntpdate
>   action: command ntpdate 10.xxx.xxx.123
>
> - name: kerberos - add krb5.keytab
>   copy: src=krb5.keytab.production dest=/etc/krb5.keytab owner=root
> group=root mode=0600
>   notify: sssd_restart
>
> - name: sssd - add sssd.conf
>   copy: src=sssd.conf dest=/etc/sssd/sssd.conf owner=root group=root
> mode=0600
>   notify: sssd_restart
>
> - name: kerberos - create config directory
>   file: path=/etc/krb5.conf.d state=directory mode=0755
>   

[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

2018-01-04 Thread Johan Vermeulen via FreeIPA-users
Hello,

apologies for the late reply, due to the holidays.

I had a call from a user this morning, she had to do multiple login
attempts and reboot several times before she could log in.

Trying to follow
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

I assume the general setup works, as troubles only show up when the password
expires.
On the user's laptop:

[root@lremijsen ~]# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor
preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
   └─journal.conf
   Active: active (running) since do 2018-01-04 08:42:01 CET; 2h 35min ago
  Process: 730 ExecStart=/usr/sbin/sssd -D -f (code=exited,
status=0/SUCCESS)
 Main PID: 757 (sssd)
   CGroup: /system.slice/sssd.service
   ├─757 /usr/sbin/sssd -D -f
   ├─767 /usr/libexec/sssd/sssd_be --domain network.cawdekempen.be
--uid 0 --gid 0 --debug-to-files
   ├─774 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
   ├─775 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0
--debug-to-files
   ├─776 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
   ├─777 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
   └─778 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files

jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 2
jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 2
jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 1
jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
client step 2

In /var/log/secure there is always a clear message that the password is
expired:

Jan  4 10:06:13 lremijsen mate-screensaver-dialog:
pam_sss(mate-screensaver:auth): authentication failure; logname=
uid=382900705 euid=382900705 tty=:0.0 ruser= rhost= user=lremijsen
Jan  4 10:06:13 lremijsen mate-screensaver-dialog:
pam_sss(mate-screensaver:auth): received for user lremijsen: 12
(Authenticatietoken is niet langer geldig; nieuwe is vereist)
Jan  4 10:06:14 lremijsen mate-screensaver-dialog:
pam_sss(mate-screensaver:account): User info message: Wachtwoord verlopen.
Verander nu uw wachtwoord.

sssd_pam.log only shows:

(Tue Jan  2 13:05:46 2018) [sssd[pam]] [orderly_shutdown] (0x0010):
SIGTERM: killing children

sssd_network.cawdekempen.be.log only shows:

(Tue Jan  2 13:05:46 2018) [sssd[be[network.cawdekempen.be]]]
[orderly_shutdown] (0x0010): SIGTERM: killing children

I suppose I have to increase the log levels?

Many many thanks for the help!

greetings, J.



2017-12-21 22:01 GMT+01:00 Jakub Hrozek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:

> This sounds like a bug, could you follow
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html, gather logs
> from the pam and domain sections and post them here? If the password is
> expired, then pam_sss should send a message to the login manager which the
> login manager should display.
>
> The logs would at least show if the daemon is sending the message to
> pam_sss…
>
> > On 21 Dec 2017, at 09:39, Johan Vermeulen via FreeIPA-users
> > <freeipa-users@lists.fedorahosted.org> wrote:
> >
> > Hello All,
> >
> > We run some 200 Centos7/Mate laptops, since last year they authenticate
> > against freeipa.
> > Lightdm/Mate are installed using epel repo.
> >
> > On Centos7.3/Lightdm 1.10.6-4.el7 things were all right, when a password
> > expired, users would get the passwd expired field, the "new password" field
> > and warnings if they made a mistake.
> > Since upgrading to Centos7.4/Lightdm 1.25.0-1.el7 things go terribly
> > wrong. Users very often get no warning if a password expired, just an
> > authentication failure.
> > Or they get no message at all.
> >
> > If at that point you go to tty and log in you do get the warnings on
> > the command line.
> > The log files /var/log/secure also give clear password expired messages,
> > only the user sees nothing.
> >
> > This is a big problem because users cannot log in and cannot work without
> > interventions.
> >
> > Many thanks for any help.
> >
> > Greetings, J.
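
The message above notes that /var/log/secure records the expired-password result even when the greeter shows the user nothing. As an added example (not part of the thread and not SSSD project code), the check below scans pam_sss result lines for the numeric code 12 (PAM_NEW_AUTHTOK_REQD in Linux-PAM) instead of the localized message text; the function names, host names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

PAM_NEW_AUTHTOK_REQD = 12  # Linux-PAM: token expired, a new one is required

# syslog prefix, then: pam_sss(<service>:<phase>): received for user <u>: <code> (<text>)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<proc>[^:\[\s]+)(?:\[\d+\])?:\s+"
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\):\s+"
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>.*)\)$"
)


def expired_password_events(lines):
    """Return one dict per pam_sss result line that reports an expired password."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        # Match on the numeric code: the text in parentheses depends on the locale.
        if m and int(m.group("code")) == PAM_NEW_AUTHTOK_REQD:
            events.append({k: m.group(k) for k in ("ts", "host", "service", "user")})
    return events


def users_needing_reset(lines, threshold=2):
    """Users who hit the expired-password result at least `threshold` times."""
    counts = Counter(e["user"] for e in expired_password_events(lines))
    return sorted(user for user, n in counts.items() if n >= threshold)


# Constructed sample in the /var/log/secure format quoted in the post (unwrapped).
SAMPLE = [
    "Jan  4 10:06:13 laptop01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): "
    "received for user alice: 12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)",
    "Jan  4 10:06:14 laptop01 mate-screensaver-dialog: pam_sss(mate-screensaver:account): "
    "User info message: Wachtwoord verlopen. Verander nu uw wachtwoord.",
    "Jan  4 10:07:02 laptop01 lightdm: pam_sss(lightdm:auth): "
    "received for user alice: 12 (Authentication token is no longer valid; new one required)",
    "Jan  4 10:09:40 laptop02 sshd[2211]: pam_sss(sshd:auth): "
    "received for user bob: 7 (Authentication failure)",
]

if __name__ == "__main__":
    for event in expired_password_events(SAMPLE):
        print(event)
    print("repeatedly blocked by an expired password:", users_needing_reset(SAMPLE))
```

Log lines that the mail client wrapped, as in the post, have to be rejoined into single syslog lines before they are passed in.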