[Freeipa-users] Re: AD trust setup woes

2017-09-10 Thread Jakub Hrozek via FreeIPA-users

> On 10 Sep 2017, at 16:36, Igor Sever via FreeIPA-users 
>  wrote:
> 
> It looks like my problems with AD trust on server side went away when I 
> upgraded to FreeIPA 4.5 using CentOS 7.4 packages, but unfortunately this is 
> only half of the way. 
> I have a lot of SLES 11 and 12 servers, but it looks like SSSD that comes with 
> SLES is not as fully featured as RHEL or CentOS. Basic authentication is 
> working, but policies are not working because group membership is not available 
> on SLES SSSD client (when checking with id command). Even on SLES 12 SP1 I 
> cannot get it to work.
> In krb5_child.log I see error: 
> [validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership 
> for user with principal [**] might not be correct.
> When I try to enable the PAC service, starting SSSD fails and I get:
> [service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac 
> --debug-to-files, reason: No such file or directory
> I installed all packages related to SSSD and all dependencies.
> Is the PAC service necessary for group resolution? Is there any other option?

Umm, how old is the sssd there? What version?

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: sssd suddenly throw system error on Mint 17.3 clients

2017-09-10 Thread Jakub Hrozek via FreeIPA-users

> On 10 Sep 2017, at 06:18, Jochen Hein via FreeIPA-users 
>  wrote:
> 
> Torsten Harenberg via FreeIPA-users
>  writes:
> 
>> Suddenly, our Linux Mint clients refrain from logging in users and
>> throw a system error. I increased the log level and the relevant lines
>> seem to be:
>> 
>> (Sun Sep 10 03:19:09 2017) [sssd[be[pleiades.uni-wuppertal.de]]] 
>> [hbac_eval_user_element] (0x0040): Parse error on [
>> cn=System: Manage Host
>> Principals+nsuniqueid=53120f31-41e811e7-b96dfa31-96759478,cn=permissions,cn=pbac,dc=pleiades,dc=uni-wuppertal,dc=de]:
>> Malformed cache entry
> 
> This looks like an entry created by a replication conflict. Do you use
> replicas? Then I'd check for replication conflicts:
> http://directory.fedoraproject.org/docs/389ds/design/managing-repl-conflict-entries.html
> 

Correct.

This should also not happen with a recent sssd version (where the replication 
conflicts would just be skipped; at worst you’d be denied access.)

> Jochen
> 
> -- 
> This space is intentionally left blank.
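As an added example (not from the thread or from sssd/389-ds), a small Python script that pulls the replication-conflict DNs out of sssd domain log lines of the form Torsten quoted and builds the ldapsearch that Jochen's suggestion boils down to. The sample log is constructed from the quoted format; the second "cn=System: Read Users" entry, the ldapsearch host and the Directory Manager bind are assumptions.

```python
import re
import shlex

# Constructed sample, modelled on the sssd domain log lines quoted in the thread
# (the conflict DN is wrapped over several lines exactly as in the quoted log).
SAMPLE_LOG = """\
(Sun Sep 10 03:19:09 2017) [sssd[be[pleiades.uni-wuppertal.de]]] [hbac_eval_user_element] (0x0040): Parse error on [
cn=System: Manage Host
Principals+nsuniqueid=53120f31-41e811e7-b96dfa31-96759478,cn=permissions,cn=pbac,dc=pleiades,dc=uni-wuppertal,dc=de]: Malformed cache entry
(Sun Sep 10 03:19:10 2017) [sssd[be[pleiades.uni-wuppertal.de]]] [hbac_eval_user_element] (0x0040): Parse error on [
cn=System: Read Users+nsuniqueid=deadbeef-00000000-00000000-00000001,cn=permissions,cn=pbac,dc=pleiades,dc=uni-wuppertal,dc=de]: Malformed cache entry
(Sun Sep 10 03:19:11 2017) [sssd[be[pleiades.uni-wuppertal.de]]] [ipa_hbac_rule_info_send] (0x0400): Fetching HBAC rules
"""

# "[func] (0xLEVEL): Parse error on [DN]: Malformed cache entry", DN may span lines.
PARSE_ERROR_RE = re.compile(
    r"\[(?P<func>[a-z_]+)\] \(0x[0-9a-f]+\): Parse error on \[(?P<dn>.*?)\]: Malformed cache entry",
    re.DOTALL,
)
# 389-ds names a conflict entry by adding "+nsuniqueid=<id>" to the original RDN.
CONFLICT_RDN_RE = re.compile(r"^(?P<rdn>[^,]+?)\+nsuniqueid=(?P<uid>[0-9a-f-]+),(?P<parent>.*)$")


def find_conflict_entries(log_text):
    """Return one dict per 'Malformed cache entry' error whose DN carries the
    nsuniqueid multi-valued RDN, i.e. an entry created by a replication conflict."""
    hits = []
    for m in PARSE_ERROR_RE.finditer(log_text):
        dn = " ".join(m.group("dn").split())  # re-join a DN that was wrapped in the log
        c = CONFLICT_RDN_RE.match(dn)
        if c is None:
            continue  # a malformed entry for some other reason; not a conflict entry
        hits.append({"dn": dn, "rdn": c.group("rdn"), "nsuniqueid": c.group("uid"),
                     "parent": c.group("parent"), "function": m.group("func")})
    return hits


def ldapsearch_command(base_dn, host="localhost"):
    """Build the ldapsearch that lists all conflict entries under base_dn
    (assumes a Directory Manager bind; 389-ds flags conflicts with nsds5ReplConflict)."""
    args = ["ldapsearch", "-LLL", "-H", f"ldap://{host}", "-D", "cn=Directory Manager",
            "-W", "-b", base_dn, "(nsds5ReplConflict=*)", "dn", "nsds5ReplConflict"]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    for hit in find_conflict_entries(SAMPLE_LOG):
        print(f"conflict entry {hit['rdn']} (nsuniqueid {hit['nsuniqueid']}) under {hit['parent']}")
    print(ldapsearch_command("dc=pleiades,dc=uni-wuppertal,dc=de"))
```

Once the conflict entries are listed on the server, resolve them as the linked 389-ds document describes; the sssd client only reports the symptom.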


[Freeipa-users] Re: AD trust setup woes

2017-09-10 Thread Igor Sever via FreeIPA-users
It looks like my problems with AD trust on server side went away when I 
upgraded to FreeIPA 4.5 using CentOS 7.4 packages, but unfortunately this is 
only half of the way. 
I have a lot of SLES 11 and 12 servers, but it looks like SSSD that comes with 
SLES is not as fully featured as RHEL or CentOS. Basic authentication is working, 
but policies are not working because group membership is not available on SLES 
SSSD client (when checking with id command). Even on SLES 12 SP1 I cannot get 
it to work.
In krb5_child.log I see error: 
[validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership for 
user with principal [**] might not be correct.
When I try to enable the PAC service, starting SSSD fails and I get:
[service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac 
--debug-to-files, reason: No such file or directory
I installed all packages related to SSSD and all dependencies.
Is the PAC service necessary for group resolution? Is there any other option?