[Freeipa-users] selinux issues

2018-08-23 Thread Kat via FreeIPA-users

Hi all -

So this is something I found and wanted to post to the team - this is
for RHEL and/or CentOS 7.3 through 7.5 so far. It has to do with
selinux_provider and having to explicitly disable it in sssd, or things
will randomly fail.


On heavily loaded clients (and with a fair load on the IPA cluster) you find
that, even if a client has SELinux disabled (sometimes because of
application requirements), ssh access is still randomly denied
because of SELinux failures. You need to explicitly add
selinux_provider=none to sssd.conf to avoid seeing these:


sshd[58319]: fatal: Access denied for user  by PAM account configuration [preauth]
sshd[58319]: pam_sss(sshd:account): Access denied for user : 4 (System error)


If you look in detail you find that the authentication actually works,
but when the result is sent back to the client there are random failures for
the same username from time to time. It all seems to be load related, as
I have been unable to find a root cause. An example is that I have a
looping ssh job that just logs in, creates a folder and exits - all via ssh
keys. If you run that for a few hours with a few seconds' interval, you
find that out of 1000+ successes you might see 20-30 random "Access
Denied".


This was confusing at first because sshd only returns that the
authentication failed without any details (return code is 255), but
looking in detailed logs finds the random errors as shown above. This all
connects back with the errors I reported last week regarding the same
thing, which I felt were related to DNS and other settings - they were
not.


Hope this helps someone else...

-K

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/VLFNIFEU2PHYWCGCVGVB2NZFIPZJ54YK/
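As an added example (not from the original post), the script below turns the two practical points of the post into checks a defender can run: it counts the pam_sss account-phase denials with PAM code 4 (the "System error" lines quoted above) in a constructed sshd log excerpt, and it verifies that an sssd.conf domain section explicitly sets selinux_provider = none. The log lines, the configs and the domain name example.test are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: spot the intermittent pam_sss
# "System error" denials in an sshd log excerpt and check that sssd.conf
# explicitly disables the SELinux provider. Logs, config and the domain
# name example.test are constructed samples.
# Constructed sshd/pam_sss log excerpt modelled on the lines quoted above.
SAMPLE_LOG='Aug 23 10:01:02 host sshd[58319]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Aug 23 10:01:02 host sshd[58319]: pam_sss(sshd:account): Access denied for user alice: 4 (System error)
Aug 23 10:01:02 host sshd[58319]: fatal: Access denied for user alice by PAM account configuration [preauth]
Aug 23 10:01:16 host sshd[58341]: pam_sss(sshd:account): Access denied for user alice: 6 (Permission denied)'

# Constructed sssd.conf: with id_provider = ipa and no selinux_provider
# line, the IPA backend also serves SELinux user maps (the default).
CONF_DEFAULT='[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_domain = example.test'

# Same config with the fix from the post applied.
CONF_FIXED="$CONF_DEFAULT
selinux_provider = none"

# Count account-phase pam_sss failures with PAM code 4 (PAM_SYSTEM_ERR),
# the signature of the intermittent failures; code 6 (PAM_PERM_DENIED)
# is a genuine policy denial and is deliberately not counted.
count_system_err_denials() {
    printf '%s\n' "$1" | grep 'pam_sss(sshd:account)' \
        | grep -c ': 4 (System error)' || true
}

# Exit 0 when some [domain/...] section sets selinux_provider = none.
selinux_provider_disabled() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
        in_domain && /^[ \t]*selinux_provider[ \t]*=/ {
            line = $0; gsub(/[ \t]/, "", line)
            if (line == "selinux_provider=none") found = 1
        }
        END { exit found ? 0 : 1 }'
}

echo "PAM_SYSTEM_ERR denials in sample log: $(count_system_err_denials "$SAMPLE_LOG")"
selinux_provider_disabled "$CONF_DEFAULT" || echo "default config: selinux_provider still active"
selinux_provider_disabled "$CONF_FIXED" && echo "fixed config: selinux_provider disabled"
```

On a real client, feed the output of `journalctl -u sshd` and the contents of /etc/sssd/sssd.conf to the two functions instead of the constructed samples.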


[Freeipa-users] Re: Is IPA-AD two-way trust really two-way?

2018-08-23 Thread Michal Sladek via FreeIPA-users
Thanks a lot for your information! You saved me a lot of time...

Best regards

Michal



List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/B3X23TLXNOQUG5KBBPYS7FSG7AUPVTUH/


[Freeipa-users] Re: Is IPA-AD two-way trust really two-way?

2018-08-23 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 23 Aug 2018, Michal Sladek via FreeIPA-users wrote:

> Hello,
>
> I would like to use IPA server in a heterogeneous environment with Linux servers
> and Windows workstations.
> IPA domain would be used as a primary source of users and groups.
> AD domain would be used for management of Windows hosts only (group policies
> etc.).
>
> I have set up a test network with a two-way trust between AD and IPA domain
> and realized that IPA domain sees AD users but AD domain doesn't see
> IPA users. Am I missing something, or is the two-way trust not two-way
> in fact?

It is two-way in principle. However, FreeIPA does not implement features
required by AD DC to resolve IPA users on Windows workstations. It is on
our long term roadmap.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/OJCXN7VI2NZAUWUHVZDKEZB7SF72NSR2/


[Freeipa-users] Is IPA-AD two-way trust really two-way?

2018-08-23 Thread Michal Sladek via FreeIPA-users
Hello,

I would like to use IPA server in a heterogeneous environment with Linux servers
and Windows workstations.
IPA domain would be used as a primary source of users and groups.
AD domain would be used for management of Windows hosts only (group policies
etc.).

I have set up a test network with a two-way trust between AD and IPA domain and
realized that IPA domain sees AD users but AD domain doesn't see IPA users. Am
I missing something, or is the two-way trust not two-way in fact?

SW used:
CentOS 7.5 - IPA server and IPA domain member
Windows Server 2016 Standard - AD server
Windows 10 Pro - AD domain member

Best regards

Michal
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/BNANT26LXWEKUQCTDLCOBLD7ZGM22UZI/