[Freeipa-users] Re: help - trying to get Solaris IPA client to use AD credentials

2017-05-19 Thread Jakub Hrozek
On Fri, May 19, 2017 at 11:28:30AM +0000, BOYD, JOEY D GG-12 USAF NASIC/SCXE wrote: > My AD credentials work fine on Linux (sssd) IPA clients but I'm not familiar > with configuring an openldap client to use AD credentials. Currently the > Solaris client can only see IPA users. start here:

[Freeipa-users] Re: Kerberos key having multiple server entries

2017-08-16 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 15, 2017 at 10:23:25PM +0000, Bhavin Vaidya via FreeIPA-users wrote: > Hello, > > > We have Kerberos authentication failing on our replica server as well as > client. We are also not able to add any more client or replica server. > > > Master FreeIPA server ds01:/etc/krb5.keytab,

[Freeipa-users] Re: Fedora 26 upgrade, mkhomedir stops working

2017-08-14 Thread Jakub Hrozek via FreeIPA-users
On Mon, Aug 14, 2017 at 11:05:23AM -0400, Steve Weeks via FreeIPA-users wrote: > This is what I get in sssd_pam.log: > > [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][ > ad.example.com] > [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied. > > I don't

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-10 Thread Jakub Hrozek via FreeIPA-users
(Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0] (Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address] (Thu

[Freeipa-users] Re: Unable to login with AD users

2017-08-10 Thread Jakub Hrozek via FreeIPA-users
Local; the > previous error occurs if the group is a Global or Universal one. The forest > level is Windows 2012, if that helps at all. > > David Eddleman > > From: FreeIPA User Group <freeipa-users@lists.fedorahosted.org> > Reply-To: FreeIPA User Group <freeipa-users@

[Freeipa-users] Re: Cannot get a second FreeIPA client authentication working.

2017-07-14 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 09:57:44AM +1200, Patrick McHale via FreeIPA-users wrote: > Hi, > > > > I have had a success with installing the FreeIPA system but I needed to add > another client in order to reproduce the steps required for > > building a client to authenticate with the server. I

[Freeipa-users] Re: Unable to login as user

2017-07-14 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 02:02:03AM -0000, patrick.mchale--- via FreeIPA-users wrote: > Hi, > > I am getting an error logging into a FreeIPA server from a new FreeIPA > client. I have reset the password for the user using "kinit admin" but still > no joy. Is there another password that is

[Freeipa-users] Re: Unable to login as user

2017-07-14 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 08:10:39AM +0000, Callum Guy via FreeIPA-users wrote: > Hi Jakub, > > Apologies for hijacking the thread but you reminded me of a longstanding > issue - I can't manually use kinit on my client nodes. As I operate a jump > server that means I get a ticket on first login but

[Freeipa-users] Re: sssd went away, failed to restart

2017-07-13 Thread Jakub Hrozek via FreeIPA-users
happened again (using sssd 1.15.0). At 18.21 sssd became unavailable. See > below > > On Wed, 24 Feb 2016 09:24:47 +0100 > Jakub Hrozek <jhro...@redhat.com> wrote: > > > > > > > Do you think this is OK? Did it try to terminate the unresponsive > > &g

[Freeipa-users] Re: Two way trust problem

2017-07-21 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 21, 2017 at 05:53:57AM -0400, Steve Weeks via FreeIPA-users wrote: > Looks like I got the rootDSE, 109 lines of information and got the > following at the end. I don't know much about ldap so I'm guessing this > was successful Yes, so the trust indeed works. >. And, yes I did get a

[Freeipa-users] Announcing SSSD 1.15.3

2017-07-25 Thread Jakub Hrozek via FreeIPA-users
's no timestamp cache present * SYSDB: Internally expose sysdb_search_ts_matches() * SYSDB: Make the usage of the filter more generic for search_ts_matches() * SYSDB_OPS: Mark an entry as expired also in the timestamp cache * SYSDB_OPS: Invalidate a cache entry also in the ts_cache

[Freeipa-users] Re: diskless workstations in an IPA domain

2017-07-24 Thread Jakub Hrozek via FreeIPA-users
d being called despite selinux_provider=none) > > Hope this helps... > Jacquelin > > On 14/10/2016 at 10:02, Jakub Hrozek wrote: > > On Fri, Oct 14, 2016 at 09:44:11AM +0200, Sumit Bose wrote: > > > On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Char

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-07-27 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 27, 2017 at 02:34:06AM -0400, Alexandre Pitre via FreeIPA-users wrote: > I uploaded krb5_child.log and ldap_child.log to > https://1drv.ms/f/s!AlZwwyQE2ZZ5p2b5ROa15PBkAEQD I think the child just times out during TGT validation, see: (Thu Jul 27 06:01:20 2017)

[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-27 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 27, 2017 at 02:19:38PM +0000, pgb205 via FreeIPA-users wrote: > Jakub, yes we do have a one way trust between AD->FreeIPA. That explains why > krb5.conf is used instead of the sssd.conf _srv_ to retrieve DNS records. > Can you also please comment on why I'm only getting lookups on the

[Freeipa-users] Re: AD trust setup woes

2017-07-26 Thread Jakub Hrozek via FreeIPA-users
On Tue, Jul 25, 2017 at 10:12:38AM -0400, Jason Hensley via FreeIPA-users wrote: > On Tue, Jul 25, 2017 at 2:29 AM, Jakub Hrozek via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > On Mon, Jul 24, 2017 at 04:25:14PM -0400, Jason Beck via FreeIPA-users &g

[Freeipa-users] Re: AD trust setup woes

2017-07-24 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users wrote: > I have been trying to reliably get an AD trust setup for a few weeks and no > matter what I try, when I go to add AD users to an external group in > FreeIPA, I get: > > "trusted domain object not found" > > Googling

[Freeipa-users] Re: Two way trust problem

2017-07-20 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 20, 2017 at 12:20:31PM -0400, Steve Weeks via FreeIPA-users wrote: > We've setup a two-way trust with AD and it seems to have worked, but it > doesn't look like it is working correctly. > > The kerberos commands (kinit and kvno) work fine, but things like 'id >

[Freeipa-users] Re: AD trust setup woes

2017-07-24 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote: > On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" < > freeipa-users@lists.fedorahosted.org> wrote: > > > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users > > wrote: >

[Freeipa-users] Re: { possibly offtopic } -- can sssd.conf alone be configured to copy the custom AD ID Ranges used by IPA server?

2017-06-28 Thread Jakub Hrozek via FreeIPA-users
On Wed, Jun 28, 2017 at 01:03:45PM -0400, Chris Dagdigian via FreeIPA-users wrote: > Hi folks, > > > I have a set of servers that CANNOT become enrolled IDM clients due to a > vendor refusing to support this type of config. > > This server fleet is directly bound to an AD system via the

[Freeipa-users] Re: { possibly offtopic } -- can sssd.conf alone be configured to copy the custom AD ID Ranges used by IPA server?

2017-06-29 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 29, 2017 at 08:41:25AM -0400, Chris Dagdigian wrote: > Jakub Hrozek via FreeIPA-users wrote: > > If not, have you considered pointing the clients towards the compat tree > > and using a plain LDAP setup, if your vendor supports that? > > > Appreciate the r

[Freeipa-users] Re: SUDO Rules not getting processed

2017-08-04 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 04, 2017 at 09:05:20AM -0300, Felipe Barreto Volpone via FreeIPA-users wrote: > Hi Alka, > > I think you can get useful info here: https://www.redhat.com/archives/freeipa-users/2017-May/msg00028.html Also this might be useful to pinpoint the issue:

[Freeipa-users] Re: AD trust setup woes

2017-08-01 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 01, 2017 at 11:20:16AM -0000, Igor Sever via FreeIPA-users wrote: > I have the same error. > I established two-way trust with AD which went fine. > Authentication with Kerberos to AD is working. > Since I have one test FreeIPA which is working correctly (relatively) I > compared logs

[Freeipa-users] Re: Show AD groups members from command line

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 17:21, Steve Weeks via FreeIPA-users > wrote: > > I can use 'id ad_user@ad_domain' command to see what groups an ad_user is a > member of. > > Is there a way from the Linux command line to see who are the member of >

[Freeipa-users] Re: Unable to login with AD users

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 8 Aug 2017, at 16:58, Eddleman, David via FreeIPA-users > wrote: > > Hello, > > I have created a FreeIPA solution using Red Hat’s IDM product. > FreeIPA version: 4.5.0 > OS version: RHEL 7.4 > > I have successfully installed the server portion and

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
gt; and ipa.ad.com <http://ipa.ad.com/>? > > ad.com <http://ad.com/> is my Active Directory domain. > domain.ad.com <http://domain.ad.com/> is a sub domain that was delegated from > the AD DNS to the freeipa servers > ipa.ad.com <http://ipa.ad.com/> is also

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 14:37, Supratik Goswami via FreeIPA-users > wrote: > > Can someone please help me to figure out the issue? > > Please let me know if any other information is required > Describing how you set up the idview and providing SSSD logs is

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 16:02, Supratik Goswami via FreeIPA-users > wrote: > > (Wed Aug 9 13:58:13 2017) [sssd[be[ipa.corp.example.com]]] [acctinfo_callback]

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
in -w Passw0rd! --enable-dns-updates --mkhomedir > --domain=domain.ad.com <http://domain.ad.com/> --realm=IPA.AD.COM > <http://ipa.ad.com/> --server=ipaserver01.ipa.ad.com > <http://ipaserver01.ipa.ad.com/> --server=ipaserver02.ipa.ad.com > <http://ipas

[Freeipa-users] Re: Unable to SSH into Linux machine using AD user

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
com > <http://ipa.corp.example.com/>]]] [sbus_dispatch] (0x4000): Dispatching. > > This means sssd is idle and just receiving heartbeat pings from the monitor, did you attempt the login? Btw the messages look like the debug logs, not the strace.. > On Mon, Aug 7, 2017 at 1:52

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-06 Thread Jakub Hrozek via FreeIPA-users
rust principal. Are you sure all your replicas are either trust agents or you ran “ipa-adtrust-install” on them? > > > Any thoughts ? > > Thanks, > Alex > > > On Tue, Aug 1, 2017 at 2:58 AM, Jakub Hrozek <jhro...@redhat.com > <mailto:jhro...@redhat.com>>

[Freeipa-users] Re: Unable to SSH into Linux machine using AD user

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
096 Aug 7 05:46 /tmp > > On Mon, Aug 7, 2017 at 11:57 AM, Jakub Hrozek <jhro...@redhat.com > <mailto:jhro...@redhat.com>> wrote: > > > On 7 Aug 2017, at 07:38, Supratik Goswami via FreeIPA-users > > <freeipa-users@lists.fedorahosted.org > > <mail

[Freeipa-users] Re: FreeIPA AD Trust. Clarifying Doubts before I proceed

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
> On 7 Aug 2017, at 07:01, Sameer Gurung via FreeIPA-users > wrote: > > Hi All, > > I have a network consisting of both windows and linux clients running windows > server 2008 (active directory) and centos 7 (freeipa). Obviously, the windows > clients

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
@ipa.ad.com not found in Kerberos database)] Is your client hostname in the AD domain (centos.domain.ad.com <http://centos.domain.ad.com/>) or in the IPA domain (ipa.ad.com <http://ipa.ad.com/>) ? > Thanks, > Alex > > > > > > > > > O

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 03:09:05PM +0530, Supratik Goswami wrote: > > > > What do you mean by user ID? The numeric UID? How do you invoke ps? > > > Yes, numeric UID. When I type "ps aux" I get the following output > > 1759001108 2375 0.0 0.4 146900 4084 ? S 08:55 0:00 sshd: >

[Freeipa-users] Re: AD-Trust users not known

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 12:00:45PM +0200, Michael Gusek via FreeIPA-users wrote: > Hi, > > for testing i've installed an FreeIPA-Server with a trust to an > AD-Server. On IdM i can resolve AD-users with 'id usern...@example.com', > on IdM member client not. > > AD-Domain is Server 2012R2 as

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
e_timeout = 60 > [pam] > > [sudo] > > [autofs] > > [ssh] > > [pac] > > [ifp] > > On Fri, Aug 18, 2017 at 7:28 PM, Supratik Goswami <supratiksek...@gmail.com> > wrote: > > > > > > > On Fri, Aug 18, 2017 at 7:20 PM, Jakub Hroz

[Freeipa-users] Re: annoying messages systemd: pam_sss(systemd-user:account): Access denied for user (Permission denied)

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 03:44:17PM +0200, Kees Bakker via FreeIPA-users wrote: > Hi, > > This is on Ubuntu 16.04 systems configured as FreeIPA clients. Logging in > through ssh > is successful. But in /var/log/auth.log there are annoying messages like this: > > Aug 18 15:38:02 client1

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 07:13:13PM +0530, Supratik Goswami via FreeIPA-users wrote: > When executed in the server I get the below logs > > (Fri Aug 18 08:18:26 2017) [sssd[nss]] [orderly_shutdown] (0x0010): > SIGTERM: killing children > (Fri Aug 18 08:20:04 2017) [sssd[nss]] [orderly_shutdown]

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
call "sss_cache -E" on both the client and server,then do: getent passwd 1759001108 and attach the logs from the client (complete) and the server (NSS log is enough) ? > > > > On Fri, Aug 18, 2017 at 3:22 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > > > &
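To turn the check requested above into something repeatable, here is an added diagnostic script (not code from the thread, from SSSD or from FreeIPA) that pulls numeric owners out of `ps aux` output, asks NSS whether each one resolves to a name, and maps the UID into an IPA ID range. The `ps` line is reconstructed from the message quoted earlier in this thread; the two ID ranges are constructed sample values in the shape `ipa idrange-find` prints (base_id, id_range_size, type) and are assumptions, not anyone's real ranges.

```python
"""Resolve numeric process owners and locate them in IPA ID ranges.

Added example, not from the thread. A numeric USER column in `ps aux`
(and an empty `w` listing for that user) means glibc could not turn the
UID into a name, i.e. no NSS backend, SSSD included, answered for it.
"""
import pwd

# ps output reconstructed from the message above (constructed sample),
# with one local root process added for contrast.
SAMPLE_PS = """\
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.3  43000  3800 ?        Ss   08:50   0:01 /usr/lib/systemd/systemd
1759001108  2375  0.0  0.4 146900  4084 ?        S    08:55   0:00 sshd: aduser@pts/0
1759001108  2380  0.0  0.2  15000  2100 pts/0    Ss   08:55   0:00 -bash
"""

# Constructed sample ranges (assumptions): name, base_id, id_range_size, type.
# For ipa-ad-trust ranges SSSD derives UID = base_id + AD RID, so the offset
# inside such a range is the user's RID on the AD side.
SAMPLE_RANGES = [
    ("IPA.CORP.EXAMPLE.COM_id_range", 1500000000, 200000, "ipa-local"),
    ("AD.EXAMPLE.COM_id_range", 1759000000, 200000, "ipa-ad-trust"),
]


def numeric_owners(ps_output):
    """Distinct numeric values in the USER column, in order of first appearance."""
    seen = []
    for line in ps_output.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 1)
        if fields and fields[0].isdigit():
            uid = int(fields[0])
            if uid not in seen:
                seen.append(uid)
    return seen


def resolve_uid(uid, getpwuid=pwd.getpwuid):
    """Name for `uid` via NSS, or None when no backend (files, sss, ...) knows it."""
    try:
        return getpwuid(uid).pw_name
    except KeyError:
        return None


def id_range_for(uid, ranges):
    """(range name, type, offset) for the range containing `uid`, or None."""
    for name, base, size, rtype in ranges:
        if base <= uid < base + size:
            return name, rtype, uid - base
    return None


def report(ps_output, ranges, getpwuid=pwd.getpwuid):
    """Per-UID dict: resolved name (or None) and the matching ID range (or None)."""
    out = {}
    for uid in numeric_owners(ps_output):
        out[uid] = {"name": resolve_uid(uid, getpwuid),
                    "range": id_range_for(uid, ranges)}
    return out


if __name__ == "__main__":
    for uid, info in report(SAMPLE_PS, SAMPLE_RANGES).items():
        rng = info["range"]
        where = ("%s (%s), offset/RID %d" % rng) if rng else "outside every known range"
        print("uid %d -> %s; %s" % (uid, info["name"] or "UNRESOLVED", where))
```

A UID that lands inside a trust range but stays UNRESOLVED on the client is exactly the situation the reply above addresses: flush with `sss_cache -E` on both client and server, run `getent passwd <uid>` again with debug logging on, and compare the client's domain log with the server's NSS responder log. A UID outside every range is a different problem, because none of the configured ranges could have produced it.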

[Freeipa-users] Re: Compat tree question

2017-05-31 Thread Jakub Hrozek via FreeIPA-users
On Tue, May 30, 2017 at 09:27:05PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On Tue, 30 May 2017, Robert Johnson via FreeIPA-users wrote: > > So I took a brand new user that I have never used in the system before (I > > checked that the entry was not in the compat tree) and just ran an

[Freeipa-users] Re: ipa-client-install combined with 'authconfig --enablenis --update'

2017-06-01 Thread Jakub Hrozek via FreeIPA-users
On Wed, May 31, 2017 at 08:56:44PM -0000, paul--- via FreeIPA-users wrote: > Hi Jakub, > Thanks for clearing this out and pointing out ypbind is the wrong direction. > What do you mean with 'the workaround'? Do mean use of 'authconfig > --enablenis --update'? > The combination of Centos 7.3 with

[Freeipa-users] Re: Get rid of manually calling kinit with SSSD

2017-05-31 Thread Jakub Hrozek via FreeIPA-users
On Wed, May 31, 2017 at 02:36:58PM +0200, Ronald Wimmer via FreeIPA-users wrote: > On 2017-05-31 13:25, Sumit Bose via FreeIPA-users wrote: > > On Wed, May 31, 2017 at 11:24:48AM +0200, Ronald Wimmer via FreeIPA-users > > wrote: > > > Hi, > > > > > > I read Jakub Hrozeks post > > >

[Freeipa-users] Re: Access issues with SSH/IPA

2017-06-15 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 15, 2017 at 04:28:13AM -0000, john.bowman--- via FreeIPA-users wrote: > After upping the log levels on sssd on one of the failing servers I saw this > in one of the sssd log files: > > from sssd_pamd.log: > > (Wed Jun 14 23:16:05 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000):

[Freeipa-users] Re: Access issues with SSH/IPA

2017-06-15 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 15, 2017 at 01:07:27PM -0000, john.bowman--- via FreeIPA-users wrote: > You'll have to forgive my ignorance here since I'm still fairly new to IPA > and fortunately haven't run in to many issues as of yet. > > The three IPA 3.0 servers all have what look to be following conflicts:

[Freeipa-users] Re: Access issues with SSH/IPA

2017-06-16 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 15, 2017 at 05:15:41PM -0000, john.bowman--- via FreeIPA-users wrote: > Which path would be better? Upgrading sssd on the older machines or > attempting to delete the ldap entries? I think you want to fix the server side, upgrading sssd is just a quick kludge to let you access

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-14 Thread Jakub Hrozek via FreeIPA-users
On Thu, Sep 14, 2017 at 11:08:54AM -0400, Rob Crittenden via FreeIPA-users wrote: > Louis Abel via FreeIPA-users wrote: > > I should probably mention that IPA users have started working. But not my > > AD users. > > > > [root@rhn2 tmp]# ssh -l louis.ab...@ipa.example.com devu16 -q > > Password:

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-16 Thread Jakub Hrozek via FreeIPA-users
> On 15 Sep 2017, at 01:25, Louis Abel via FreeIPA-users > wrote: > > Thank you for pointing that out. I've put sssd into debug to see what I can > find. Is there anything specific I should look for in the logs? Or is there > anything specific I can put

[Freeipa-users] Re: Can't log on using password when /tmp is full

2017-09-19 Thread Jakub Hrozek via FreeIPA-users
On Mon, Sep 18, 2017 at 05:11:09PM +0200, Marius Bjørnstad via FreeIPA-users wrote: > Hi, > > When /tmp is full, it is impossible to authenticate with Kerberos. Login with > password over SSH and sudo don't work. Login with ssh key works fine. Here is > the output in the system log when I try

[Freeipa-users] Re: Can't log on using password when /tmp is full

2017-09-20 Thread Jakub Hrozek via FreeIPA-users
On Tue, Sep 19, 2017 at 04:25:21PM -0400, Simo Sorce wrote: > On Tue, 2017-09-19 at 20:27 +0200, Jakub Hrozek via FreeIPA-users > wrote: > > On Mon, Sep 18, 2017 at 05:11:09PM +0200, Marius Bjørnstad via > > FreeIPA-users wrote: > > > Hi, > > > >

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-13 Thread Jakub Hrozek via FreeIPA-users
On Wed, Sep 13, 2017 at 11:05:25PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On Wed, 13 Sep 2017, Mark Haney via FreeIPA-users wrote: > > On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users wrote: > > > Hi Mark, > > > > > > Not all CentOS releases are created equal.

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-14 Thread Jakub Hrozek via FreeIPA-users
On Thu, Sep 14, 2017 at 06:28:50PM -0000, Louis Abel via FreeIPA-users wrote: > Jakub, you might be onto something. > > Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): > authentication failure; logname= uid=389 euid=389 tty= ruser= rhost= >

[Freeipa-users] Re: Proxmox pam authentication

2017-09-07 Thread Jakub Hrozek via FreeIPA-users
On Thu, Sep 07, 2017 at 11:02:50AM +0200, Maciej Drobniuch via FreeIPA-users wrote: > Hey Freeipa users! > > Proxmox supports pam logins from webui and it is debian based. > > I've used the following guide to install freeipa unofficial packages. >

[Freeipa-users] Re: Help: Suddenly not possible to mount nfs4 shares with sec=krb5i

2017-08-29 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 29, 2017 at 06:15:46PM +0200, Detlev Habicht via FreeIPA-users wrote: > Thank you, for your answer. > > How can i avoid this mixing of packages? > > Well, i think i have a mix of 7.2, 7.3 and 7.4 (Scientific Linux). :-( > > What can i do to only install 7.2 and the patches for 7.2

[Freeipa-users] Re: AD trust setup woes

2017-09-10 Thread Jakub Hrozek via FreeIPA-users
> On 10 Sep 2017, at 16:36, Igor Sever via FreeIPA-users > wrote: > > It looks like my problems with AD trust on server side went away when I > upgraded to FreeIPA 4.5 using Centos 7.4 packages, but unfortunately this is > only half of the way. > I have

[Freeipa-users] Re: sssd suddenly throw system error on Mint 17.3 clients

2017-09-10 Thread Jakub Hrozek via FreeIPA-users
> On 10 Sep 2017, at 06:18, Jochen Hein via FreeIPA-users > wrote: > > Torsten Harenberg via FreeIPA-users > writes: > >> Suddenly, our Linux Mint clients refrain from logging in users and >> throw a system error. I

[Freeipa-users] Re: freeipa sudo expiration

2017-09-05 Thread Jakub Hrozek via FreeIPA-users
On Fri, Sep 01, 2017 at 03:02:34PM -0600, Scott Lucas via FreeIPA-users wrote: > Hi, > > I have a global password policy set for unlimited on expiration date, > however a user who has no issues logging in as himself, got a password > expiration notice when he recently used sudo. I can't seem to

[Freeipa-users] Re: Failure to login on 2/3 of servers after RHEL7.4 upgrade

2017-09-05 Thread Jakub Hrozek via FreeIPA-users
the three machines that is working properly for password > authentication through the web UI I'm reluctant to do so) > > On Tue, Sep 5, 2017 at 2:29 PM, Jakub Hrozek via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > On Tue, Sep 05, 2017 at 02:12:57PM -0400,

[Freeipa-users] Re: Failure to login on 2/3 of servers after RHEL7.4 upgrade

2017-09-05 Thread Jakub Hrozek via FreeIPA-users
On Tue, Sep 05, 2017 at 02:48:59PM -0400, Steve Huston via FreeIPA-users wrote: > On Tue, Sep 5, 2017 at 2:43 PM, Jakub Hrozek via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > - is there a file called kdcinfo.YOURDOMAIN in /var/lib/sss/pubconf/ ? > >

[Freeipa-users] Re: Radius authentication trouble

2017-08-24 Thread Jakub Hrozek via FreeIPA-users
On Thu, Aug 24, 2017 at 10:29:35AM -0400, Steve Weeks via FreeIPA-users wrote: > We are running FreeIPA 4.4 on Centos 7 and trying to use radius > authentication. > > Using radtest and radclient work fine and we can authenticate a user. > > The radius proxy and secret are set to match the values

[Freeipa-users] Re: FreeIPA failover not working

2017-08-24 Thread Jakub Hrozek via FreeIPA-users
_lookup_kdc = true rdns = > false ticket_lifetime = 24h forwardable = yes default_ccache_name = > KEYRING:persistent:%{uid} [realms] IPA.EXAMPLE.COM = { pkinit_anchors = > FILE:/etc/ipa/ca.crt } [domain_realm] .ipa.example.com = IPA.EXAMPLE.COM > ipa.example.com = IPA.EXAMPLE.COM | > > R
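The "Failure to login" reply earlier on this page asks whether `/var/lib/sss/pubconf/kdcinfo.YOURDOMAIN` exists, and the message above quotes a `krb5.conf` whose realm stanza has no `kdc =` lines at all. The following added script (not code from the thread, from SSSD or from MIT Kerberos) parses a `krb5.conf`, including the `{ }` realm blocks with repeatable keys, and summarises where libkrb5 will get KDCs from for one realm: explicit `kdc` entries, DNS SRV lookup (`dns_lookup_kdc`), and whatever SSSD last wrote into the kdcinfo file for its locator plugin. The sample config is reconstructed from the quoted fragment; the `[libdefaults]` header and `default_realm` line are constructed additions because the quote starts mid-line. The pubconf path and the one-address-per-line kdcinfo format are assumptions.

```python
"""Where will this client's libkrb5 find a KDC?

Added example, not code from the thread, SSSD or MIT Kerberos. Parses a
krb5.conf (sections, `key = value`, nested `key = {` ... `}` blocks) and
summarises the KDC sources for one realm.
"""
import os
import re

# Reconstructed from the config quoted in the message above; the
# [libdefaults] header and the default_realm line are constructed additions.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = IPA.EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  IPA.EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ipa.example.com = IPA.EXAMPLE.COM
  ipa.example.com = IPA.EXAMPLE.COM
"""

_SECTION = re.compile(r"^\[([^\]\s]+)\]$")


def parse_krb5_conf(text):
    """Return {section: {key: [values] | {subkey: [values]}}}.

    Every scalar is kept in a list because keys such as `kdc` may repeat;
    a `key = {` line opens a nested block that ends at a lone `}`.
    """
    conf = {}
    stack = []                       # innermost dict last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("directive before any [section]: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' at: %r" % raw)
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("cannot parse: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return conf


def _flag(values, default):
    """Interpret the last value of a boolean krb5.conf key."""
    if not values:
        return default
    return values[-1].lower() in ("true", "yes", "1", "on")


def kdc_sources(conf, realm):
    """Summarise how libkrb5 would locate KDCs for `realm` under this config."""
    libdefaults = conf.get("libdefaults", {})
    block = conf.get("realms", {}).get(realm, {})
    if not isinstance(block, dict):      # realm given as a scalar, not a block
        block = {}
    return {
        "explicit_kdcs": list(block.get("kdc", [])),
        # MIT defaults: dns_lookup_kdc and rdns are both true when unset.
        "dns_srv": _flag(libdefaults.get("dns_lookup_kdc"), True),
        "rdns": _flag(libdefaults.get("rdns"), True),
        "pkinit_anchors": list(block.get("pkinit_anchors", [])),
    }


def parse_kdcinfo(text):
    """KDC addresses from an SSSD kdcinfo file (assumed: one host or host:port per line)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def sssd_kdcinfo(realm, pubconf_dir="/var/lib/sss/pubconf"):
    """Contents of kdcinfo.<REALM> as written by SSSD, or None when absent."""
    path = os.path.join(pubconf_dir, "kdcinfo." + realm)
    try:
        with open(path) as fh:
            return parse_kdcinfo(fh.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    realm = "IPA.EXAMPLE.COM"
    summary = kdc_sources(parse_krb5_conf(SAMPLE_KRB5_CONF), realm)
    print("explicit kdc lines:", summary["explicit_kdcs"] or "none")
    print("DNS SRV lookup:", summary["dns_srv"], "| rdns:", summary["rdns"])
    print("SSSD kdcinfo for realm:", sssd_kdcinfo(realm))
```

For the quoted configuration the summary is: no explicit `kdc` lines, DNS SRV lookup on, so the set of servers this client can fail over to comes entirely from the `_kerberos` SRV records and from the server SSSD currently names in the kdcinfo file. When testing failover by powering a server off, compare that file's content with the server that was stopped before looking anywhere else.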

[Freeipa-users] Re: Centos/Redhat 7.4

2017-08-24 Thread Jakub Hrozek via FreeIPA-users
On Thu, Aug 24, 2017 at 08:18:42AM -0600, Kristian Petersen via FreeIPA-users wrote: > If you are using Samba with FreeIPA, you may want to wait to upgrade to > 7.4. There is a bug in a library that comes with sssd that will break it > for you. RedHat is recommending to wait for now. The only

[Freeipa-users] Re: FreeIPA failover not working

2017-08-23 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 23, 2017 at 05:13:13PM +0200, Michael Gusek via FreeIPA-users wrote: > Hi, > > we are testing a FreeIPA trust to an Active Directory. Trust itself > works, we are happy. Now we tested a failure on FreeIPA site. We have > two instances, both with same roles. If we poweroff first

[Freeipa-users] Re: cross-forest trust, client system cannot id AD users.

2017-10-19 Thread Jakub Hrozek via FreeIPA-users
On Tue, Oct 17, 2017 at 02:21:07PM -0700, Steve Dainard via FreeIPA-users wrote: > Hello, > > I've installed a 60 day 'self supported' trial of red hat idm on rhel7. > I've created a cross-forest trust with an AD domain (2012R2) which already > has posix attributes in ldap for users and groups. >

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-11-27 Thread Jakub Hrozek via FreeIPA-users
On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users wrote: > Hello everyone, > > I’m new to this and am trying to setup a working trust against an AD > forest, I seem to have a working trust but when I try to reference external > groups (or users) I get: > > # ipa

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-03 Thread Jakub Hrozek via FreeIPA-users
cifs/adserver.ad2.test@ad2.test.net: kvno = 13 > > >> On 27 Nov 2017, at 14:06, Jakub Hrozek via FreeIPA-users >> <freeipa-users@lists.fedorahosted.org> wrote: >> >> On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users >>

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-13 Thread Jakub Hrozek via FreeIPA-users
On Mon, Dec 11, 2017 at 10:47:44PM +0200, Alexander Bokovoy wrote: > On Mon, 11 Dec 2017, Henrik Johansson via FreeIPA-users wrote: > > > > > > > On 11 Dec 2017, at 16:04, Alexander Bokovoy via FreeIPA-users > > > wrote: > > > > > > On Mon, 11 Dec 2017,

[Freeipa-users] Re: How to deal with 'su root'

2017-12-19 Thread Jakub Hrozek via FreeIPA-users
On Tue, Dec 19, 2017 at 11:54:12AM +0100, Ronald Wimmer via FreeIPA-users wrote: > We have some users that have ALL sudo permissions. What is the best way of > keeping track of all actions they do after having switched to the root user? > Or would it be better to completely prevent switching to

[Freeipa-users] Re: Freeipa connecting to Redhat IPA server.

2017-12-15 Thread Jakub Hrozek via FreeIPA-users
On Fri, Dec 15, 2017 at 03:16:29PM +1100, Tony Delov via FreeIPA-users wrote: > I've been having difficulties connecting a freeipa-client on Ubuntu 16.06 > LTS, to a Redhat IPA server that has a trusted connection to Microsoft AD > server. > > Ssh authentications are pretty slow, however, once I

[Freeipa-users] Re: User login is slow to get password prompt

2017-12-19 Thread Jakub Hrozek via FreeIPA-users
On Mon, Dec 18, 2017 at 06:59:25PM -0500, Alexandre Pitre via FreeIPA-users wrote: > Hi, > > While troubleshooting "slow login" with ipa users we discovered that adding > these two lines to our clients sssd.conf file fixed our issue for ipa users. > > ldap_search_base =

[Freeipa-users] Re: Invalid ticket for NFS4 mount

2017-11-21 Thread Jakub Hrozek via FreeIPA-users
On Tue, Nov 21, 2017 at 08:36:16AM +0100, Ray via FreeIPA-users wrote: > Hi, > > yesterday I noticed a strange issue on a Centos 7 client running > ipa-client-4.5.0-21.el7.centos.2.2.x86_64: > > My daughter tried to log in to the machine and was kicked out again after > GNOME failed to load

[Freeipa-users] Re: Unexpected ipa usa behaviour

2017-11-21 Thread Jakub Hrozek via FreeIPA-users
On Tue, Nov 21, 2017 at 09:05:29AM +0100, Ronald Wimmer via FreeIPA-users wrote: > Hi, > > in IPA I defined a user called isomeuser. This username does definitely not > exist on the AD side. > > When I log in as root to an IPA client and issue the su command, I am > isomeuser@ad.domain. If I do

[Freeipa-users] Re: ldap cache

2017-11-08 Thread Jakub Hrozek via FreeIPA-users
On Wed, Nov 08, 2017 at 03:52:57PM +0000, Andrew Meyer via FreeIPA-users wrote: > Let's say I have a user that starts today and I forgot to add their > username to FreeIPA. I add their username and they need to start working > fairly quickly. I know that I can clear the sudo cache on each server

[Freeipa-users] Re: User login is slow to get password prompt

2017-12-20 Thread Jakub Hrozek via FreeIPA-users
On Tue, Dec 19, 2017 at 04:11:04PM -0500, Alexandre Pitre wrote: > Hi Jakub, > > Thanks for your response. I assume our puppet configuration was incomplete > and ldap_search_base = cn=accounts,dc=ipa,dc=domain,dc=com was left out by > mistake. We're already using the trusted domain section to

[Freeipa-users] Re: Setting up HBAC for external users

2018-05-20 Thread Jakub Hrozek via FreeIPA-users
> On 19 May 2018, at 19:53, Marc Boorshtein via FreeIPA-users > wrote: > > I'm trying to setup an HBAC rule for allowing users from a trust to > access linux servers in a FreeIPA domain. My setup: > > 1. rhelent.lan - FreeIPA 4.5.0-22 > 2.

[Freeipa-users] Announcing SSSD 1.16.2

2018-06-08 Thread Jakub Hrozek via FreeIPA-users
old object instead of merging it * tlog: only log in tcurl_write_data when SSS_KCM_LOG_PRIVATE_DATA is set to YES

[Freeipa-users] Re: Cannot log in as an AD user to FreeIPA client but can log in to server

2018-06-07 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 07, 2018 at 03:48:16PM -0000, Bart via FreeIPA-users wrote: > Thank you Alexander, that was the root cause. I added optimizations to my > setup that you together with Jakub described in this article:

[Freeipa-users] Re: double domain?

2018-06-07 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 07, 2018 at 12:33:56PM -0500, Kat via FreeIPA-users wrote: > hi > > Where would be a good place to look in either sssd or somewhere in the > system if we are seeing a mixture of UserID lookups in this format: > > usern...@domain.example.com  <--- this makes sense > > BUT - also

[Freeipa-users] Re: Logon by ssh but not console?

2018-06-03 Thread Jakub Hrozek via FreeIPA-users
> On 3 Jun 2018, at 13:33, Bret Wortman via FreeIPA-users > wrote: > > I just realized that I never closed the loop on this problem and just > finished upgrading all my systems to use our new IPA servers. And this > problem is still with me. > > I can log onto some workstations but not

[Freeipa-users] Re: Cannot log in as an AD user to FreeIPA client but can log in to server

2018-06-05 Thread Jakub Hrozek via FreeIPA-users
On Tue, Jun 05, 2018 at 03:06:44PM -0000, Bart via FreeIPA-users wrote: > Hi all, > > I've set up two FreeIPA servers without CA (I provided 3rd party certificates > during the installation process). I also established trust to an AD domain as > below: > > ipa trust-add --type=ad AD.DOMAIN

[Freeipa-users] Re: Cannot log in as an AD user to FreeIPA client but can log in to server

2018-06-06 Thread Jakub Hrozek via FreeIPA-users
On Wed, Jun 06, 2018 at 02:30:56PM -0000, Bart via FreeIPA-users wrote: > Hi Jakub, thank you for help. > > I cannot resolve all of the users nor their groups on a client hosts. getent > passwd doesn't return anything, su - user@ad.domain doesn't work either. > > All AD users I tried get

[Freeipa-users] Re: performance tuning IPA 4.5 and SSD for large AD integration

2018-06-30 Thread Jakub Hrozek via FreeIPA-users
> On 29 Jun 2018, at 16:12, Chris Dagdigian via FreeIPA-users > wrote: > > At long last I've got a brand new IPA cluster running in our AWS footprint > with a modern v4.5.4 install and a proper AD Trust in place to a complex > domain forest > > In my older cluster I made use of a lot of

[Freeipa-users] Re: Any non-root user (ipa) can su / su - to root, when the su/su-i service(s) are not enabled

2018-04-26 Thread Jakub Hrozek via FreeIPA-users
> On 26 Apr 2018, at 18:29, Morgan Cox via FreeIPA-users > wrote: > > Hi. > > I have a test freeipa server setup. > > It is generally working fine, however I have found one major issue. > > Even though a user only has 1 service enabled 'sshd' that user

[Freeipa-users] Re: cross-forest trust, client system cannot id AD users.

2017-10-20 Thread Jakub Hrozek via FreeIPA-users
only. > > Thanks, > Steve > > On Thu, Oct 19, 2017 at 11:37 AM, Justin Stephenson via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > On 10/19/2017 02:14 PM, Jakub Hrozek via FreeIPA-users wrote: > > > >> On Tue, Oct 17, 2017 at 02:21:

[Freeipa-users] Announcing SSSD 1.16.0

2017-10-20 Thread Jakub Hrozek via FreeIPA-users
ssctl_attr_fn functions * TESTS: Fix "-Wshadow" caught by GCC * RESPONDER: Fix "-Wold-style-definition" caught by GCC * PAM: Avoid overwriting pam_status in _lookup_by_cert_done() * DP: Fix the output type used in dp_req_recv_ptr() * DP: Log to syslo

[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

2018-01-09 Thread Jakub Hrozek via FreeIPA-users
On Tue, Jan 09, 2018 at 12:48:39PM +0100, Johan Vermeulen wrote: > Hello Jakub, > > thanks for helping me out. > > It works in the console. when an expired user logs in via ctl-alt-f he > gets all the warnings. OK, then the warnings are even passed to lightdm.. Is there any chance lightdm

[Freeipa-users] Re: freeipa client working on ubuntu 16.04 but not 14.04

2018-01-07 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jan 04, 2018 at 02:49:59PM -0700, Cody Rathgeber via FreeIPA-users wrote: > Thanks, > > Here's what I get in the sssd nss log with debug level set to 6; > > (Thu Jan 4 14:35:56 2018) [sssd[nss]] [sss_parse_name_for_domains] > (0x0200): using default domain [(null)] > > (Thu Jan 4

[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

2018-01-08 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jan 08, 2018 at 11:27:47AM +0100, Johan Vermeulen wrote: > Hello All, > > I've set up a new machine for this test and increased the log levels to 6. > Config for Freeipa-client is done with ipa-client-install, I use chrony > instead of ntp and Selinux is enabled. > > When user logs in

[Freeipa-users] Re: setting sudo rule for root

2018-01-15 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jan 15, 2018 at 07:38:00AM -0600, Kat via FreeIPA-users wrote: > Trying to set up a sudo rule for a small group of users to have "sudo su -" > on all hosts, and then use !authenticate, but can't seem to make it work. > Any docs on doing this? I can only provide the client-side

[Freeipa-users] Re: HBAC Lookups by host rather than user/group

2018-01-15 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jan 12, 2018 at 05:30:27PM -, Louis Abel via FreeIPA-users wrote: > Hello. > > I was curious if there is something built in to FreeIPA (4.5.0 on CentOS) as > a whole or if someone has created scripts or the like that perform access > rights lookups without doing the typical hbac

[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

2018-01-15 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jan 15, 2018 at 09:12:01AM +0100, Johan Vermeulen wrote: > Jakub, > > it could be that lightdm now only displays EM. But on Centos7.3 everything > worked. > I tested further and with the same setup but with GDM this works. I get > passwd expired and other messages. > > Before posting on

[Freeipa-users] Re: help : Enrolled a FreeIPA client but unable to login to it via SSH

2018-01-15 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jan 12, 2018 at 11:07:11AM -0500, Robbie Harwood via FreeIPA-users wrote: > Aravindh Sampathkumar via FreeIPA-users > writes: > > > localmachine > ssh admin@c10b01 > > > > It keeps repeating the password prompts in spite of supplying the > >

[Freeipa-users] Re: [SSSD-users] Re: Getting DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed

2018-01-31 Thread Jakub Hrozek via FreeIPA-users
On Wed, Jan 31, 2018 at 01:18:27PM -0500, TomK via FreeIPA-users wrote: > On 1/31/2018 12:21 PM, TomK wrote: > > On 1/31/2018 9:41 AM, Jakub Hrozek wrote: > > > See inline.. > > > > > > On Wed, Jan 31, 2018 at 03:23:57AM -0500, TomK wrote: > > > &

[Freeipa-users] Re: local group membership for freeipa user

2018-02-04 Thread Jakub Hrozek via FreeIPA-users
On Sat, Feb 03, 2018 at 08:33:19PM -0500, John Ratliff via FreeIPA-users wrote: > I want my administrators to be part of the systemd-journal group so they can > run journalctl. How can I make a group part of a local system group like > this inside ipa so I don't have to add them to every group on

[Freeipa-users] Re: seeking advice, especially from universities....

2018-02-06 Thread Jakub Hrozek via FreeIPA-users
On Tue, Feb 06, 2018 at 10:56:24AM -0600, Amos via FreeIPA-users wrote: > 3. So that the UID/GID do not change across campus, do you recommend > populating the POSIX attributes in AD, and promoting those values to the > global catalog, then configure RH-IdM to use those POSIX values from AD? >

[Freeipa-users] Re: seeking advice, especially from universities....

2018-02-06 Thread Jakub Hrozek via FreeIPA-users
On Tue, Feb 06, 2018 at 02:30:00PM -0600, Amos wrote: > On Tue, Feb 6, 2018 at 2:16 PM, Jakub Hrozek via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > > > If you don't want to bother with the POSIX attributes on the AD side, > > you

[Freeipa-users] Re: IPA users and local groups question

2018-02-13 Thread Jakub Hrozek via FreeIPA-users
> On 13 Feb 2018, at 21:04, Jeff Goddard via FreeIPA-users > wrote: > > First off thanks to everyone who makes FreeIPA. It's an awesome product that > we love. > > We're working at breaking our application up into micro services and using > docker

[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

2017-12-21 Thread Jakub Hrozek via FreeIPA-users
This sounds like a bug, could you follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html, gather logs from the pam and domain sections and post them here? If the password is expired, then pam_sss should send a message to the login manager which the login manager should display.

[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

2018-01-04 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jan 04, 2018 at 11:30:22AM +0100, Johan Vermeulen via FreeIPA-users wrote: > Hello, > > apologies for the late reply, due to the holidays. > > I had a call from a user this morning, she had to do multiple login > attempts and reboot several times before she could login. > > Trying to

[Freeipa-users] Re: External AD Trust: Cannot get users/groups from AD

2018-07-27 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 27, 2018 at 12:53:33PM +0200, Rene Trippen wrote: > > > I can provide you tons of logs, but I don´t know where to start. > > > > Logs from sssd on the ipa master are usually a good point to start, see > > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html > > Thank you,

[Freeipa-users] Re: AD and IPA integration

2018-07-26 Thread Jakub Hrozek via FreeIPA-users
> Here are logs after an authentication attempt via ssh. > > Also config files, > > >> 23.07.2018, 14:49, "Jakub Hrozek" : > > -- > Best regards, Nikolay. > ___ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahos
