[Freeipa-users] Re: Non-caching ipa-clients

2021-05-18 Thread Dominik Vogt via FreeIPA-users
On Tue, May 18, 2021 at 03:06:39PM +0200, Sumit Bose via FreeIPA-users wrote:
> On Tue, May 18, 2021 at 11:44:57AM +0100, Dominik Vogt via FreeIPA-users wrote:
> > Using freeipa from RHEL8.1, we need to set up the ipa-clients in a
> > way that login is only possible if the ipa-server can be

[Freeipa-users] Changing directory manager password

2021-05-18 Thread Ian Pilcher via FreeIPA-users
Maybe it's just me, but I still find the documentation on this subject confusing. (This is probably because the docs seem to be telling me that I don't need to do anything beyond the actual password change, and I don't trust answers that seem too easy.) I'm running a single-node IPA 4.6.8 on RHEL

[Freeipa-users] Re: sudorule not working for external user

2021-05-18 Thread Sam Morris via FreeIPA-users
Aha, might be getting somewhere. See which explains that you have to configure a 'files' (or with older sssd, a 'proxy') domain in sssd.conf in order for external users to work. This is a bit of a pain, since the additional configuration has to be

[Freeipa-users] Re: sudorule not working for external user

2021-05-18 Thread Sam Morris via FreeIPA-users
Can you check the sudo rule that sssd cached? Something like:
# ldbsearch -H /var/lib/sss/db/cache_ipa.example.com.ldb -s base -b name=test,cn=sudorules,cn=custom,cn=ipa.example.com,cn=sysdb
If you can't find it, you can dump all sudo rules with:
# ldbsearch -H

[Freeipa-users] Re: Non-caching ipa-clients

2021-05-18 Thread Sumit Bose via FreeIPA-users
On Tue, May 18, 2021 at 11:44:57AM +0100, Dominik Vogt via FreeIPA-users wrote:
> Using freeipa from RHEL8.1, we need to set up the ipa-clients in a
> way that login is only possible if the ipa-server can be
> contacted. Local login from the cache must be impossible. Is
> there a way to achieve

[Freeipa-users] Non-caching ipa-clients

2021-05-18 Thread Dominik Vogt via FreeIPA-users
Using freeipa from RHEL8.1, we need to set up the ipa-clients in a way that login is only possible if the ipa-server can be contacted. Local login from the cache must be impossible. Is there a way to achieve this?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt