[Freeipa-users] Re: [Freeipa-users]SSH Key replication time/issues

2017-05-31 Thread Jakub Hrozek via FreeIPA-users
On Tue, May 30, 2017 at 02:18:18PM -0400, Jake via FreeIPA-users wrote: > Looks like this is applied immediately, but required a service sssd restart; > sss_cache -E This shouldn't be the case, can you describe step-by-step what exactly are you doing, what are the unexpected results and what do

[Freeipa-users] Re: Compat tree question

2017-05-31 Thread Jakub Hrozek via FreeIPA-users
On Tue, May 30, 2017 at 09:27:05PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ti, 30 touko 2017, Robert Johnson via FreeIPA-users wrote: > > So I took a brand new user that I have never used in the system before (I > > checked that the entry was not in the compat tree) and just ran an

[Freeipa-users] Re: ipa-client-install combined with 'authconfig --enablenis --update'

2017-05-31 Thread Jakub Hrozek via FreeIPA-users
On Wed, May 31, 2017 at 10:18:46AM -, paul--- via FreeIPA-users wrote: > Hi, > I have boot problem when i combine a ipa-client-install with 'authconfig > --enablenis --update' > According to the ovirt/RHEV docs [1] I have to do this to make SSO to the VM > possible. > > Messages during boot

[Freeipa-users] Re: Get rid of manually calling kinit with SSSD

2017-05-31 Thread Jakub Hrozek via FreeIPA-users
On Wed, May 31, 2017 at 02:36:58PM +0200, Ronald Wimmer via FreeIPA-users wrote: > On 2017-05-31 13:25, Sumit Bose via FreeIPA-users wrote: > > On Wed, May 31, 2017 at 11:24:48AM +0200, Ronald Wimmer via FreeIPA-users > > wrote: > > > Hi, > > > > > > I read Jakub Hrozeks post > > > https://jhroz

[Freeipa-users] Re: ipa-client-install combined with 'authconfig --enablenis --update'

2017-06-01 Thread Jakub Hrozek via FreeIPA-users
On Wed, May 31, 2017 at 08:56:44PM -, paul--- via FreeIPA-users wrote: > Hi Jakub, > Thanks for clearing this out and pointing out ypbind is the wrong direction. > What do you mean with 'the workaround'? Do mean use of 'authconfig > --enablenis --update'? > The combination of Centos 7.3 with i

[Freeipa-users] Re: [Freeipa-users]Re: [Freeipa-users]SSH Key replication time/issues

2017-06-01 Thread Jakub Hrozek via FreeIPA-users
On Wed, May 31, 2017 at 10:32:32AM -0400, Jake via FreeIPA-users wrote: > Jakub/Sumit, > > I'm using /usr/bin/sss_ssh_authorizedkeys to check keys as ssh access is my > primary concern. In my recent tests I changed the key listed on the local > upstream server from the server line in /etc/ipa/de

[Freeipa-users] Re: Scripting a SSSD client to add SID to UIDnumbers from ad Trust into custom LDAP schema.

2017-06-04 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jun 02, 2017 at 02:05:34PM -0600, Frank Rey via FreeIPA-users wrote: > I have a Netapp that does not support SSSD or Windbind and i want to use > IDM ldap to do permission/name mapping. I'm not sure I understand the problem, is the issue that the netapp only supports plain LDAP? Would it

[Freeipa-users] Re: Access issues with SSH/IPA

2017-06-14 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 15, 2017 at 04:28:13AM -, john.bowman--- via FreeIPA-users wrote: > After upping the log levels on sssd on one of the failing servers I saw this > in one of the sssd log files: > > from sssd_pamd.log: > > (Wed Jun 14 23:16:05 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): >

[Freeipa-users] Re: Access issues with SSH/IPA

2017-06-15 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 15, 2017 at 01:07:27PM -, john.bowman--- via FreeIPA-users wrote: > You'll have to forgive my ignorance here since I'm still fairly new to IPA > and fortunately haven't run in to many issues as of yet. > > The three IPA 3.0 servers all have what look to be following conflicts: >

[Freeipa-users] Re: Access issues with SSH/IPA

2017-06-15 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 15, 2017 at 05:15:41PM -, john.bowman--- via FreeIPA-users wrote: > Which path would be better? Upgrading sssd on the older machines or > attempting to delete the ldap entries? I think you want to fix the server side, upgrading sssd is just a quick kludge to let you access th

[Freeipa-users] Re: (no subject)

2017-06-28 Thread Jakub Hrozek via FreeIPA-users
On Wed, Jun 28, 2017 at 07:04:58AM -0700, Sean Hogan via FreeIPA-users wrote: > > Hi All, > > We are having an issue performing RHEL 6.6 to 6.7 upgrade with SSSD. The > systems are already enrolled and working in IPA 3.0.0-50 using 6.6 client. > We yum update and sssd gives this >

[Freeipa-users] Re: { possibly offtopic } -- can sssd.conf alone be configured to copy the custom AD ID Ranges used by IPA server?

2017-06-28 Thread Jakub Hrozek via FreeIPA-users
On Wed, Jun 28, 2017 at 01:03:45PM -0400, Chris Dagdigian via FreeIPA-users wrote: > Hi folks, > > > I have a set of servers that CANNOT become enrolled IDM clients due to a > vendor refusing to support this type of config. > > This server fleet is directly bound to an AD system via the standar

[Freeipa-users] Re: { possibly offtopic } -- can sssd.conf alone be configured to copy the custom AD ID Ranges used by IPA server?

2017-06-29 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 29, 2017 at 08:41:25AM -0400, Chris Dagdigian wrote: > Jakub Hrozek via FreeIPA-users wrote: > > If not, have you considered pointing the clients towards the compat tree > > and using a plain LDAP setup, if your vendor supports that? > > > Appreciate the r

[Freeipa-users] Re: [SSSD-users] Re: 1.15.3/1.16 release timeframe?

2017-07-10 Thread Jakub Hrozek via FreeIPA-users
On Tue, Jul 04, 2017 at 12:38:46AM +0300, Timo Aaltonen wrote: > On 31.05.2017 10:53, Jakub Hrozek wrote: > > On Wed, May 31, 2017 at 08:19:56AM +1000, Lachlan Musicman wrote: > >> Hi all, > >> > >> I noticed a while ago that 1.15.3 was versioned in the

[Freeipa-users] Re: sssd providing dns cache?

2017-07-10 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 07, 2017 at 10:47:44AM +0200, Harald Dunkel via FreeIPA-users wrote: > On Fri, 7 Jul 2017 08:27:53 + > "wouter.hummelink--- via FreeIPA-users" > wrote: > > > No, > > > > I would suggest to add it. Well, we are considering adding support for the hosts map in the next version,

[Freeipa-users] Re: krb won't failover to alternative servers

2017-07-10 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jul 10, 2017 at 02:10:48PM +, pgb205 via FreeIPA-users wrote: > > > > we have 4 servers for redundancy in krb5.confkdc= server1kdc= server2kdc= > server3kdc= > server4master_kdc=server1master_kdc=server2master_kdc=server3master_kdc=server4admin_server=server1admin_server=server2adm

[Freeipa-users] Re: sssd went away, failed to restart

2017-07-13 Thread Jakub Hrozek via FreeIPA-users
happened again (using sssd 1.15.0). At 18.21 sssd became unavailable. See > below > > On Wed, 24 Feb 2016 09:24:47 +0100 > Jakub Hrozek wrote: > > > > > > > Do you think this is OK? Did it try to terminate the unresponsive > > > sssd_be, or did it just t

[Freeipa-users] Re: Cannot get a second FreeIPA client authentication working.

2017-07-13 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 09:57:44AM +1200, Patrick McHale via FreeIPA-users wrote: > Hi, > > > > I have had a success with installing the FreeIPA system but I needed to add > another client in order to reproduce the steps required for > > building a client to authenticate with the server. I did

[Freeipa-users] Re: Unable to login as user

2017-07-13 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 02:02:03AM -, patrick.mchale--- via FreeIPA-users wrote: > Hi, > > I am getting an error logging into a FreeIPA server from a new FreeIPA > client. I have reset the password for the user using "kinit admin" but still > no joy. Is there another password that is needin

[Freeipa-users] Re: Unable to login as user

2017-07-14 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 08:10:39AM +, Callum Guy via FreeIPA-users wrote: > Hi Jakub, > > Apologies for hijacking the thread but you reminded me of a longstanding > issue - I can't manually use kinit on my client nodes. As I operate a jump > server that means I get a ticket on first login but

[Freeipa-users] Re: ipa-client-install generates bad sssd.conf

2017-07-20 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 20, 2017 at 02:33:50PM +0200, John Keates via FreeIPA-users wrote: > Hi, > > Using SSSD 1.15.2-1 and FreeIPA Client 4.4.4-1 on Debian Stretch 9.0 > generates a broken SSSD configuration. > Adding the services manually to sssd.conf fixes this: > > services = nss, sudo, pam, ssh > > F

[Freeipa-users] Re: Two way trust problem

2017-07-20 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 20, 2017 at 12:20:31PM -0400, Steve Weeks via FreeIPA-users wrote: > We've setup a two-way trust with AD and it seems to have worked, but it > doesn't look like it is working correctly. > > The kerberos commands (kinit and kvno) work fine, but things like 'id > adu...@addomain.example.

[Freeipa-users] Re: Two way trust problem

2017-07-21 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 21, 2017 at 05:53:57AM -0400, Steve Weeks via FreeIPA-users wrote: > Looks like I got the rootDSE, 109 lines of information and got the > following at the end. I don't know much about ldap so I'm guessing this > was successful Yes, so the trust indeed works. >. And, yes I did get a

[Freeipa-users] Re: diskless workstations in an IPA domain

2017-07-23 Thread Jakub Hrozek via FreeIPA-users
child being called despite selinux_provider=none) > > Hope this helps... > Jacquelin > > Le 14/10/2016 à 10:02, Jakub Hrozek a écrit : > > On Fri, Oct 14, 2016 at 09:44:11AM +0200, Sumit Bose wrote: > > > On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Ch

[Freeipa-users] Re: AD trust setup woes

2017-07-24 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users wrote: > I have been trying to reliably get an AD trust setup for a few weeks and no > matter what I try, when I goto add AD users to an external group in > FreeIPA, I get: > > "trusted domain object not found" > > Googling ar

[Freeipa-users] Re: AD trust setup woes

2017-07-24 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote: > On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" < > freeipa-users@lists.fedorahosted.org> wrote: > > > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users > > wrote: >

[Freeipa-users] Re: AD trust setup woes

2017-07-24 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote: > On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek wrote: > > > On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote: > > > On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" < > > >

[Freeipa-users] Re: AD trust setup woes

2017-07-24 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jul 24, 2017 at 04:25:14PM -0400, Jason Beck via FreeIPA-users wrote: > On Mon, Jul 24, 2017 at 2:53 PM, Jason Beck wrote: > > > On Mon, Jul 24, 2017 at 2:23 PM, Jakub Hrozek wrote: > > > >> On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote: > >

[Freeipa-users] Announcing SSSD 1.15.3

2017-07-25 Thread Jakub Hrozek via FreeIPA-users
one more test for filtered out users/groups * SYSDB: Return ERR_NO_TS when there's no timestamp cache present * SYSDB: Internally expose sysdb_search_ts_matches() * SYSDB: Make the usage of the filter more generic for search_ts_matches() * SYSDB_OPS: Mark an entry as expir

[Freeipa-users] Re: AD trust setup woes

2017-07-26 Thread Jakub Hrozek via FreeIPA-users
On Tue, Jul 25, 2017 at 10:12:38AM -0400, Jason Hensley via FreeIPA-users wrote: > On Tue, Jul 25, 2017 at 2:29 AM, Jakub Hrozek via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > On Mon, Jul 24, 2017 at 04:25:14PM -0400, Jason Beck via FreeIPA-users

[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-27 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 27, 2017 at 02:15:33AM +, Michael Papet via FreeIPA-users wrote: > >If the _srv_ is enabled then am i correct in assuming that we wouldn't even > >need kdc= records in krb5.conf ??>I tried removing kdc= lines and was unable > >to authenticate. > In my experience, sssd relies upon t

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-07-27 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 27, 2017 at 02:34:06AM -0400, Alexandre Pitre via FreeIPA-users wrote: > I uploaded krb5_child.log and ldap_child.log to > https://1drv.ms/f/s!AlZwwyQE2ZZ5p2b5ROa15PBkAEQD I think the child just times out during TGT validation, see: (Thu Jul 27 06:01:20 2017) [[sssd[krb5_child[2765]]]

[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-27 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 27, 2017 at 02:19:38PM +, pgb205 via FreeIPA-users wrote: > Jacub, yes we do have a one way trust between AD->FreeIPA. That explains why > krb5.conf is used instead of the sssd.conf _srv_ to retrieve DNS records. > Can you also please comment on why I'm only getting lookups on the f

[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-30 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 28, 2017 at 02:05:05AM -, pgb 205 via FreeIPA-users wrote: > Here is the log that I sent in yesterday. With > server1 and server2 down, but server3 up. > > kdc=server1 > kdc=server2 > kdc=server3 > kdc_master=server1 > kdc_master=server2 > kdc_master=server3 > > kinit tries server

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-07-31 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jul 31, 2017 at 05:47:11PM -0400, Alexandre Pitre wrote: > Bull's-eye Jakub, that did the trick. I should have posted for help on the > mailing list sooner. Thank you so much, you are saving my ass. > > It makes sense to increase the krb5_auth_timeout as my AD domain > controllers servers a

[Freeipa-users] Re: AD trust setup woes

2017-08-01 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 01, 2017 at 11:20:16AM -, Igor Sever via FreeIPA-users wrote: > I have the same error. > I established two-way trust with AD which went fine. > Authentication with Kerberos to AD is working. > Since I have one test FreeIPA which is working correctly (relatively) I > compared logs a

[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 02, 2017 at 11:40:46AM -, Igor Sever via FreeIPA-users wrote: > There is no gidNumber attribute on AD group objects. If I want to apply > posix attributes directly in AD, then I don't need FreeIPA, do I... Many users and customers have an existing environment where some machines ar

[Freeipa-users] Re: SUDO Rules not getting processed

2017-08-04 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 04, 2017 at 09:05:20AM -0300, Felipe Barreto Volpone via FreeIPA-users wrote: > Hi Alka, > > I think you can get useful info here: https://www.redhat.com/ > archives/freeipa-users/2017-May/msg00028.html Also this might be useful to pinpoint the issue: https://docs.pagure.org/SSSD

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-06 Thread Jakub Hrozek via FreeIPA-users
all your replicas are either trust agents or you ran “ipa-adtrust-install” on them? > > > Any thoughts ? > > Thanks, > Alex > > > On Tue, Aug 1, 2017 at 2:58 AM, Jakub Hrozek <mailto:jhro...@redhat.com>> wrote: > On Mon, Jul 31, 2017 at 05:47:11PM -0400, Alexan

[Freeipa-users] Re: FreeIPA AD Trust. Clarifying Doubts before I proceed

2017-08-06 Thread Jakub Hrozek via FreeIPA-users
> On 7 Aug 2017, at 07:01, Sameer Gurung via FreeIPA-users > wrote: > > Hi All, > > I have a network consisting of both windows and linux clients running windows > server 2008 (active directory) and centos 7 (freeipa). Obviously, the windows > clients authenticate against the AD DC (domain w

[Freeipa-users] Re: Unable to SSH into Linux machine using AD user

2017-08-06 Thread Jakub Hrozek via FreeIPA-users
> On 7 Aug 2017, at 07:38, Supratik Goswami via FreeIPA-users > wrote: > > Judging by: (Mon Aug 7 05:30:14 2017) [[sssd[krb5_child[26789 [create_ccache] (0x0020): 735: [13][Permission denied] I would check the permissions on the /tmp directory.

[Freeipa-users] Re: Unable to SSH into Linux machine using AD user

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
; On Mon, Aug 7, 2017 at 11:57 AM, Jakub Hrozek <mailto:jhro...@redhat.com>> wrote: > > > On 7 Aug 2017, at 07:38, Supratik Goswami via FreeIPA-users > > > <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > > > > > Judging by: > (M

[Freeipa-users] Re: Unable to SSH into Linux machine using AD user

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
>]]] [sbus_dispatch] (0x4000): Dispatching. > > This means sssd is idle and just receiving heartbeat pings from the monitor, did you attempt the login? Btw the messages look like the debug logs, not the strace.. > On Mon, Aug 7, 2017 at 1:52 PM, Jakub Hrozek <mailto:jhro...@

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
: ldap_sasl_bind failed (-2)[Local error] (Mon Aug 7 14:49:53 2017) [sssd[be[domain.ad.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor c ode may provide more information (Server krbtgt/ad@ipa.ad.com not found i

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 14:37, Supratik Goswami via FreeIPA-users > wrote: > > Can someone please help me to figure out the issue? > > Please let me know if any other information is required > Describing how you set up the idview and providing SSSD logs is a good start. - idoverrideuser-show

[Freeipa-users] Re: Unable to login with AD users

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 8 Aug 2017, at 16:58, Eddleman, David via FreeIPA-users > wrote: > > Hello, > > I have created a FreeIPA solution using Red Hat’s IDM product. > FreeIPA version: 4.5.0 > OS version: RHEL 7.4 > > I have successfully installed the server portion and can authenticate to it > using local

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
dates --mkhomedir > --domain=domain.ad.com <http://domain.ad.com/> --realm=IPA.AD.COM > <http://ipa.ad.com/> --server=ipaserver01.ipa.ad.com > <http://ipaserver01.ipa.ad.com/> --server=ipaserver02.ipa.ad.com > <http://ipaserver02.ipa.ad.com/> --no-ntp --debug > &g

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 16:02, Supratik Goswami via FreeIPA-users > wrote: > > (Wed Aug 9 13:58:13 2017) [sssd[be[ipa.corp.example.com]]] [acctinfo_callback] (0x0100): Request > processed. Returned

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
http://ipa.ad.com/>? > > ad.com <http://ad.com/> is my Active Directory domain. > domain.ad.com <http://domain.ad.com/> is a sub domain that was delegated from > the AD DNS to the freeipa servers > ipa.ad.com <http://ipa.ad.com/> is also a sub domain that was dele

[Freeipa-users] Re: Show AD groups members from command line

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 17:21, Steve Weeks via FreeIPA-users > wrote: > > I can use 'id ad_user@ad_domain' command to see what groups an ad_user is a > member of. > > Is there a way from the Linux command line to see who are the member of > some_ad_group@ad_domain are? > getent group some_ad_g

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-10 Thread Jakub Hrozek via FreeIPA-users
(Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0] (Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address] (Thu A

[Freeipa-users] Re: Unable to login with AD users

2017-08-10 Thread Jakub Hrozek via FreeIPA-users
p is a Global or Universal one. The forest > level is Windows 2012, if that helps at all. > > David Eddleman > > From: FreeIPA User Group > Reply-To: FreeIPA User Group > Date: Wednesday, August 9, 2017 at 8:22 AM > To: FreeIPA User Group > Cc: Jakub Hrozek &

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-14 Thread Jakub Hrozek via FreeIPA-users
> On 12 Aug 2017, at 20:14, Alexander Bokovoy via FreeIPA-users > wrote: > > To close this thread, I helped Alexandre on the IRC. The basic issue is > that one needs to plan domain space carefully when using trust to AD. > Active Directory is more than just DNS zones, LDAP, Kerberos and > frien

[Freeipa-users] Re: Fedora 26 upgrade, mkhomedir stops working

2017-08-14 Thread Jakub Hrozek via FreeIPA-users
On Mon, Aug 14, 2017 at 11:05:23AM -0400, Steve Weeks via FreeIPA-users wrote: > This is what I get in sssd_pam.log: > > [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][ > ad.example.com] > [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied. > > I don't t

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-16 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 15, 2017 at 10:05:50PM -0400, Alexandre Pitre wrote: > Hi Alexander, > > You're correct, turns out I wasn't using the correct domain for the > --domain parameter. I thought I was. Here's the command I used. > > ipa-client-install -U -p admin -w Passw0rd! --enable-dns-updates --mkhomed

[Freeipa-users] Re: Kerberos key having multiple sever entries

2017-08-16 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 15, 2017 at 10:23:25PM +, Bhavin Vaidya via FreeIPA-users wrote: > Hello, > > > We have Kerberos authentication failing on our replica server as well as > client. We are also not able to add any more client or replica server. > > > Master FreeIPA server ds01:/etc/krb5.keytab, w

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-16 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 16, 2017 at 01:04:05PM +0530, Supratik Goswami via FreeIPA-users wrote: > I have configured trust between AD and IPA and Linux machines are member of > IPA domain. > When I log into any of the Linux machine and type "w" it does not list the > user AD user with which I just logged in.

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 11:41:02AM +0530, Supratik Goswami wrote: > Hi Jakub > > I was trying to login to the box as usern...@addomain.com > . > > After some research I came across this post https://www.freeipa.org/ > page/V4/AD_User_Short_Names and I am able to to now login using the user > shor

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 03:09:05PM +0530, Supratik Goswami wrote: > > > > What do you mean by user ID? The numeric UID? How do you invoke ps? > > > Yes, numeric UID. When I type "ps aux" I get the following output > > 1759001108 2375 0.0 0.4 146900 4084 ?S08:55 0:00 sshd: > testu

[Freeipa-users] Re: AD-Trust users not known

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 12:00:45PM +0200, Michael Gusek via FreeIPA-users wrote: > Hi, > > for testing i've installed an FreeIPA-Server with a trust to an > AD-Server. On IdM i can resolve AD-users with 'id usern...@example.com', > on IdM member client not. > > AD-Domain is Server 2012R2 as 'exam

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
> on both the client and server, then do: getent passwd 1759001108 and attach the logs from the client (complete) and the server (NSS log is enough) ? > > > > On Fri, Aug 18, 2017 at 3:22 PM, Jakub Hrozek wrote: > > > >> On Fri, Aug 18, 2017 at 03:09:05PM +05

[Freeipa-users] Re: annoying messages systemd: pam_sss(systemd-user:account): Access denied for user (Permission denied)

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 03:44:17PM +0200, Kees Bakker via FreeIPA-users wrote: > Hi, > > This is on Ubuntu 16.04 systems configured as FreeIPA clients. Logging in > through ssh > is successful. But in /var/log/auth.log there are annoying messages like this: > > Aug 18 15:38:02 client1 system

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 07:13:13PM +0530, Supratik Goswami via FreeIPA-users wrote: > When executed in the server I get the below logs > > (Fri Aug 18 08:18:26 2017) [sssd[nss]] [orderly_shutdown] (0x0010): > SIGTERM: killing children > (Fri Aug 18 08:20:04 2017) [sssd[nss]] [orderly_shutdown] (0

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
e_timeout = 60 > [pam] > > [sudo] > > [autofs] > > [ssh] > > [pac] > > [ifp] > > On Fri, Aug 18, 2017 at 7:28 PM, Supratik Goswami > wrote: > > > > > > > On Fri, Aug 18, 2017 at 7:20 PM, Jakub Hrozek via FreeIPA-users < > >

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-21 Thread Jakub Hrozek via FreeIPA-users
2017 at 7:46 PM, Jakub Hrozek wrote: > > > On Fri, Aug 18, 2017 at 07:38:21PM +0530, Supratik Goswami wrote: > > > Here is my sssd.conf file > > > > > > [sssd] > > > config_file_version = 2 > > > services = nss, sudo, pam, ssh >

[Freeipa-users] Re: FreeIPA failover not working

2017-08-23 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 23, 2017 at 05:13:13PM +0200, Michael Gusek via FreeIPA-users wrote: > Hi, > > we are testing a FreeIPA trust to an Active Directory. Trust itself > works, we are happy. Now we tested a failure on FreeIPA site. We have > two instances, both with same roles. If we poweroff first install

[Freeipa-users] Re: Radius authentication trouble

2017-08-24 Thread Jakub Hrozek via FreeIPA-users
On Thu, Aug 24, 2017 at 10:29:35AM -0400, Steve Weeks via FreeIPA-users wrote: > We are running FreeIPA 4.4 on Centos 7 and trying to use radius > authentication. > > Using radtest and radclient work fine and we can authenticate a user. > > The radius proxy and secret are set to match the values

[Freeipa-users] Re: Centos/Redhat 7.4

2017-08-24 Thread Jakub Hrozek via FreeIPA-users
On Thu, Aug 24, 2017 at 08:18:42AM -0600, Kristian Petersen via FreeIPA-users wrote: > If you are using Samba with FreeIPA, you may want to wait to upgrade to > 7.4. There is a bug in a library that comes with sssd that will break it > for you. RedHat is recommending to wait for now. The only b

[Freeipa-users] Re: FreeIPA failover not working

2017-08-24 Thread Jakub Hrozek via FreeIPA-users
; IPA.EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true rdns = > false ticket_lifetime = 24h forwardable = yes default_ccache_name = > KEYRING:persistent:%{uid} [realms] IPA.EXAMPLE.COM = { pkinit_anchors = > FILE:/etc/ipa/ca.crt } [domain_realm] .ipa.example.com = IPA.EXAMPLE.COM > ipa

[Freeipa-users] Re: site server lookup query

2017-08-24 Thread Jakub Hrozek via FreeIPA-users
On Sat, Aug 19, 2017 at 06:41:28AM +, Craig H Silva (CenITex) via FreeIPA-users wrote: > The circumstances/environment are a little unusual. > > We have a secure zone in which Windows AD has read-only domain controllers as > a security measure which we use to authenticate against. The read-w

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-29 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 23, 2017 at 06:43:04PM +0530, Supratik Goswami wrote: > Hi Jakub > > The logs are captured at the same time from both servers, you are seeing > this difference because of different timezone setting. > IPA server was at EDT and the Linux machine is set to UTC, I have made that > fix now

[Freeipa-users] Re: Help: Suddenly not possible to mount nfs4 shares with sec=krb5i

2017-08-29 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 29, 2017 at 06:15:46PM +0200, Detlev Habicht via FreeIPA-users wrote: > Thank you, for your answer. > > How can i avoid this mixing of packages? > > Well, i think i have a mix of 7.2, 7.3 and 7.4 (Scientific Linux). :-( > > What can i do to only install 7.2 and the patches for 7.2

[Freeipa-users] Re: sudo policy doesn't work since host is installed with CNAME

2017-08-30 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 30, 2017 at 07:21:11PM +, Z D via FreeIPA-users wrote: > Hi there, > > we're using ipa-server-4.4.0 (without its own DNS) and are facing the > situation with A/CNAME host. > > Basically a host is installed with CNAME as the OS, and IPA is aware of only > A record since host is j

[Freeipa-users] Re: sudo policy doesn't work since host is installed with CNAME

2017-08-30 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 30, 2017 at 08:51:24PM +, Z D wrote: > > Does ipa_hostname in sssd.conf point to cname (or, the hostname registered > > with IPA) ? > > > It points to the DNS A record, the one that is registered with IPA. Pavel, is a setup with a machine where the hostname in IPA doesn't match t

[Freeipa-users] Re: freeipa sudo expiration

2017-09-05 Thread Jakub Hrozek via FreeIPA-users
On Fri, Sep 01, 2017 at 03:02:34PM -0600, Scott Lucas via FreeIPA-users wrote: > Hi, > > I have a global password policy set for unlimited on expiration date, > however a user who has no issues logging in as himself, got a password > expiration notice when he recently used sudo. I can't seem to fi

[Freeipa-users] Re: Failure to login on 2/3 of servers after RHEL7.4 upgrade

2017-09-05 Thread Jakub Hrozek via FreeIPA-users
On Tue, Sep 05, 2017 at 02:12:57PM -0400, Steve Huston via FreeIPA-users wrote: > On Tue, Sep 5, 2017 at 1:57 PM, Felipe Barreto Volpone > wrote: > > What version of IPA are you running? > > ipa-server-4.5.0-21.el7.x86_64 > > > Is SELinux in permissive mode? > > Not normally, but I set it to pe

[Freeipa-users] Re: Failure to login on 2/3 of servers after RHEL7.4 upgrade

2017-09-05 Thread Jakub Hrozek via FreeIPA-users
e that's > the one of the three machines that is working properly for password > authentication through the web UI I'm reluctant to do so) > > On Tue, Sep 5, 2017 at 2:29 PM, Jakub Hrozek via FreeIPA-users > wrote: > > On Tue, Sep 05, 2017 at 02:12:57PM -0400, Steve H

[Freeipa-users] Re: Failure to login on 2/3 of servers after RHEL7.4 upgrade

2017-09-05 Thread Jakub Hrozek via FreeIPA-users
On Tue, Sep 05, 2017 at 02:48:59PM -0400, Steve Huston via FreeIPA-users wrote: > On Tue, Sep 5, 2017 at 2:43 PM, Jakub Hrozek via FreeIPA-users > wrote: > > - is there a filed called kdcinfo.YOURDOMAIN in /var/lib/sss/pubconf/ ? > > What does it contain? > > T

[Freeipa-users] Re: Proxmox pam authentication

2017-09-07 Thread Jakub Hrozek via FreeIPA-users
On Thu, Sep 07, 2017 at 11:02:50AM +0200, Maciej Drobniuch via FreeIPA-users wrote: > Hey Freeipa users! > > Proxmox supports pam logins from webui and it is debian based. > > I've used the following guide to install freeipa unofficial packages. > http://clusterfrak.com/sysops/app_installs/freei

[Freeipa-users] Re: sssd suddenly throw system error on Mint 17.3 clients

2017-09-10 Thread Jakub Hrozek via FreeIPA-users
> On 10 Sep 2017, at 06:18, Jochen Hein via FreeIPA-users > wrote: > > Torsten Harenberg via FreeIPA-users > writes: > >> Suddenly, our Linux Mint clients refrain from logging in users and >> throw a system error. I increased the log level and the relevant lines >> seem to be: >> >> (Sun Sep

[Freeipa-users] Re: AD trust setup woes

2017-09-10 Thread Jakub Hrozek via FreeIPA-users
> On 10 Sep 2017, at 16:36, Igor Sever via FreeIPA-users > wrote: > > It looks like my problems with AD trust on server side went away when I > upgraded to FreeIPA 4.5 using Centos 7.4 packages, but unfortunately this is > only half of the way. > I have alot of SLES servers 11 and 12, but it

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-13 Thread Jakub Hrozek via FreeIPA-users
On Wed, Sep 13, 2017 at 11:05:25PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ke, 13 syys 2017, Mark Haney via FreeIPA-users wrote: > > On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users wrote: > > > Hi Mark, > > > > > > Not all CentOS releases are created equal. Supp
