[Freeipa-users] Re: AD trust setup woes
> On 10 Sep 2017, at 16:36, Igor Sever via FreeIPA-users wrote:
>
> It looks like my problems with AD trust on server side went away when I
> upgraded to FreeIPA 4.5 using CentOS 7.4 packages, but unfortunately this is
> only half of the way.
> I have a lot of SLES servers 11 and 12, but it looks like SSSD that comes with
> SLES is not fully featured as RHEL or CentOS. Basic authentication is working,
> but policies are not working because group membership is not available on
> SLES SSSD client (when checking with id command). Even on SLES 12 SP1 I
> cannot get it to work.
> In krb5_child.log I see error:
> [validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership
> for user with principal [**] might not be correct.
> When I try to enable PAC service starting of SSSD fails and I get:
> [service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac
> --debug-to-files, reason: No such file or directory
> I installed all packages related to SSSD and all dependencies.
> Is PAC service necessary for group resolution? Is there any other option?

Umm, how old is the sssd there? What version?

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

[Freeipa-users] Re: sssd suddenly throw system error on Mint 17.3 clients
> On 10 Sep 2017, at 06:18, Jochen Hein via FreeIPA-users wrote:
>
> Torsten Harenberg via FreeIPA-users writes:
>
>> Suddenly, our Linux Mint clients refrain from logging in users and
>> throw a system error. I increased the log level and the relevant lines
>> seem to be:
>>
>> (Sun Sep 10 03:19:09 2017) [sssd[be[pleiades.uni-wuppertal.de]]]
>> [hbac_eval_user_element] (0x0040): Parse error on [
>> cn=System: Manage Host
>> Principals+nsuniqueid=53120f31-41e811e7-b96dfa31-96759478,cn=permissions,cn=pbac,dc=pleiades,dc=uni-wuppertal,dc=de]:
>> Malformed cache entry
>
> This looks like an entry created by a replication conflict. Do you use
> replicas? Then I'd check for replication conflicts:
> http://directory.fedoraproject.org/docs/389ds/design/managing-repl-conflict-entries.html
>

Correct. This should also not happen with a recent sssd version (where the replication conflicts would be just skipped, at worst you’d be denied access..)

> Jochen
>
> --
> This space is intentionally left blank.

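The conflict check suggested in the thread above can start from the SSSD log itself. The following is an added example, not part of the original messages and not SSSD or 389 DS code: it extracts the DNs named in "Malformed cache entry" parse errors and flags those whose leading RDN carries a `+nsuniqueid=` value, the naming 389 Directory Server gives replication conflict entries. The log text, the `example.test` domain and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the quoted log excerpt; domain and
# nsuniqueid are made up, and the DN is line-wrapped as in the mail.
SAMPLE_LOG = """\
(Sun Sep 10 03:19:09 2017) [sssd[be[example.test]]] [hbac_eval_user_element] (0x0040): Parse error on [
cn=System: Manage Host
Principals+nsuniqueid=11111111-22222222-33333333-44444444,cn=permissions,cn=pbac,dc=example,dc=test]:
Malformed cache entry
(Sun Sep 10 03:19:10 2017) [sssd[be[example.test]]] [hbac_eval_user_element] (0x0040): Parse error on [cn=admins,cn=groups,cn=accounts,dc=example,dc=test]: Malformed cache entry
"""

PARSE_ERROR = re.compile(
    r"Parse error on \[\s*(?P<dn>.*?)\]:\s*Malformed cache entry", re.DOTALL)
NSUNIQUEID = re.compile(r"nsuniqueid=[0-9a-f]{8}(-[0-9a-f]{8}){3}", re.IGNORECASE)


def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters (LDAP DN escaping) alone."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur += text[i:i + 2]
            i += 2
        elif text[i] == sep:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += text[i]
            i += 1
    return parts + [cur]


def is_conflict_dn(dn):
    """True when the leading RDN is multi-valued and one value is an nsuniqueid."""
    values = split_unescaped(split_unescaped(dn, ",")[0], "+")
    return len(values) > 1 and any(NSUNIQUEID.fullmatch(v.strip()) for v in values)


def conflict_dns(log_text):
    """Return the distinct conflict-style DNs named in parse errors, in log order."""
    found = []
    for match in PARSE_ERROR.finditer(log_text):
        dn = " ".join(match.group("dn").split())  # undo line wrapping
        if is_conflict_dn(dn) and dn not in found:
            found.append(dn)
    return found
```

A match only says which entries to look at; the directory-side check and cleanup are described in the 389 DS document linked in the reply.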
[Freeipa-users] Re: AD trust setup woes
It looks like my problems with AD trust on server side went away when I
upgraded to FreeIPA 4.5 using CentOS 7.4 packages, but unfortunately this is
only half of the way.
I have a lot of SLES servers 11 and 12, but it looks like SSSD that comes with
SLES is not fully featured as RHEL or CentOS. Basic authentication is working,
but policies are not working because group membership is not available on
SLES SSSD client (when checking with id command). Even on SLES 12 SP1 I
cannot get it to work.
In krb5_child.log I see error:
[validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership
for user with principal [**] might not be correct.
When I try to enable PAC service starting of SSSD fails and I get:
[service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac
--debug-to-files, reason: No such file or directory
I installed all packages related to SSSD and all dependencies.
Is PAC service necessary for group resolution? Is there any other option?