[Freeipa-users] Why "w" does not list AD users
I have configured trust between AD and IPA and Linux machines are member of IPA domain. When I log into any of the Linux machine and type "w" it does not list the user AD user with which I just logged in. Is this a expected behaviour or am I missing something? -- Warm Regards Supratik ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: ID view is not overriding user attributes
(Wed Aug 9 04:20:14 2017) [sssd[be[ipa.corp.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=supratik.goswami))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=corp,dc=example,dc=com] What I could see here is that it is searching as 'supratik.goswami' and not 'supratik.gos...@ad.corp.example.com' which is the ID View user in the IPA. How do I fix this? On Wed, Aug 9, 2017 at 8:53 AM, Supratik Goswamiwrote: > Hello everyone, > > I have a trust setup between AD and IPA, I have created a user in the > "Default Trust View" and > updated the ssh public keys for that user. > > When I am trying to login to any Linux system using the ad user it is not > able to find the keys. > > Here is the sshd debug log. > > Aug 9 03:04:01 host01 sshd[20102]: debug3: Running AuthorizedKeysCommand: > "/usr/bin/sss_ssh_authorizedkeys supratik.gosw...@ad.corp.example.com" as > "nobody" > Aug 9 03:04:01 host01 sshd[20102]: debug1: restore_uid: 0/0 > Aug 9 03:04:01 host01 sshd[20102]: debug1: temporarily_use_uid: 99/99 > (e=0/0) > Aug 9 03:04:01 host01 sshd[20106]: debug3: sshd_selinux_setup_variables: > setting execution context > Aug 9 03:04:01 host01 sshd[20102]: debug2: key not found > Aug 9 03:04:01 host01 sshd[20102]: debug1: restore_uid: 0/0 > > My sshd_config file has the following entries > > AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys > AuthorizedKeysCommandUser nobody > > What could be the issue? > > > Thanks > > -- > Warm Regards > > Supratik > -- Warm Regards Supratik ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: ID view is not overriding user attributes
Can someone please help me to figure out the issue? Please let me know if any other information is required On Wed, Aug 9, 2017 at 9:54 AM, Supratik Goswamiwrote: > (Wed Aug 9 04:20:14 2017) [sssd[be[ipa.corp.example.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectClass=ipaUserOverride)(uid=supratik.goswami))][cn=Default Trust > View,cn=views,cn=accounts,dc=ipa,dc=corp,dc=example,dc=com] > > What I could see here is that it is searching as 'supratik.goswami' and > not 'supratik.gos...@ad.corp.example.com' which is the ID View user in > the IPA. > > How do I fix this? > > On Wed, Aug 9, 2017 at 8:53 AM, Supratik Goswami > wrote: > >> Hello everyone, >> >> I have a trust setup between AD and IPA, I have created a user in the >> "Default Trust View" and >> updated the ssh public keys for that user. >> >> When I am trying to login to any Linux system using the ad user it is not >> able to find the keys. >> >> Here is the sshd debug log. >> >> Aug 9 03:04:01 host01 sshd[20102]: debug3: Running >> AuthorizedKeysCommand: "/usr/bin/sss_ssh_authorizedkeys >> supratik.gosw...@ad.corp.example.com" as "nobody" >> Aug 9 03:04:01 host01 sshd[20102]: debug1: restore_uid: 0/0 >> Aug 9 03:04:01 host01 sshd[20102]: debug1: temporarily_use_uid: 99/99 >> (e=0/0) >> Aug 9 03:04:01 host01 sshd[20106]: debug3: sshd_selinux_setup_variables: >> setting execution context >> Aug 9 03:04:01 host01 sshd[20102]: debug2: key not found >> Aug 9 03:04:01 host01 sshd[20102]: debug1: restore_uid: 0/0 >> >> My sshd_config file has the following entries >> >> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys >> AuthorizedKeysCommandUser nobody >> >> What could be the issue? >> >> >> Thanks >> >> -- >> Warm Regards >> >> Supratik >> > > > > -- > Warm Regards > > Supratik > -- Warm Regards Supratik ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: ID view is not overriding user attributes
Hi Jakub, Thanks for looking into the issue, please find the details you have requested. 1. ipa idoverrideuser-show "Default Trust View" supratik.gosw...@ad.corp.example.com Anchor to override: supratik.gosw...@ad.corp.example.com Login shell: /bin/bash SSH public key: ssh-rsa B3NzaC1yc2EDAQABAAABAQDzeYIANc6N/96ko+cxz3aZVvGnttWjA8+939hb2eWFfM+2SKhVJylU0GPrHpKDRuE2letQxdPE+jI4gabiM3p0x7BeuxDPrPtQ5CoOK9JmYrEuom89p6UPs9tZCtx2glWSybeSENtPLj9pxfZN7dJvYtrGwSrgYHNtJ9dyEVN34ho1ZEsw3ARJW0sV4ccBJNuKEeswotCvWJag9L4yBQf7mUEJpKAcKfrPocP4BC1PiTQ5mgtykcd88dakd0zATpVS99t+JABH95MhXt4kKYgLg1wiqg8NKxz5Nkn9k1BGxM9NNZ3lA0zrijJVcwdsRDvl6rFyXUCHXaDJZR5Pehdv supratik@Supratiks-MacBook-Pro.local 2. ipa idoverrideuser-show "Default Trust View" supratik.gosw...@ad.corp.example.com --all --raw dn: ipaanchoruuid=:SID:S-1-5-21-3704658179-702631923-1581593159-1129,cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=corp,dc=example,dc=com ipaanchoruuid: :SID:S-1-5-21-3704658179-702631923-1581593159-1129 loginshell: /bin/bash ipasshpubkey: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFEemVZSUFOYzZOLzk2a28rY3h6M2FaVnZHbnR0V2pBOCs5MzloYjJlV0ZmTSsyU0toVkp5bFUwR1BySHBLRFJ1RTJsZXRReGRQRStqSTRnYWJpTTNwMHg3QmV1eERQclB0UTVDb09LOUptWXJFdW9tODlwNlVQczl0WkN0eDJnbFdTeWJlU0VOdFBMajlweGZaTjdkSnZZdHJHd1NyZ1lITnRKOWR5RVZOMzRobzFaRXN3M0FSSlcwc1Y0Y2NCSk51S0Vlc3dvdEN2V0phZzlMNHlCUWY3bVVFSnBLQWNLZnJQb2NQNEJDMVBpVFE1bWd0eWtjZDg4ZGFrZDB6QVRwVlM5OXQrSkFCSDk1TWhYdDRrS1lnTGcxd2lxZzhOS3h6NU5rbjlrMUJHeE05Tk5aM2xBMHpyaWpKVmN3ZHNSRHZsNnJGeVhVQ0hYYURKWlI1UGVoZHYgc3VwcmF0aWtAU3VwcmF0aWtzLU1hY0Jvb2stUHJvLmxvY2Fs ipaoriginaluid: supratik.gosw...@ad.corp.example.com objectClass: ipaOverrideAnchor objectClass: top objectClass: ipaUserOverride objectClass: ipasshuser objectClass: ipaSshGroupOfPubKeys sshpubkeyfp: 1A:6E:50:EC:5C:DD:9F:80:39:B2:81:C3:49:61:73:67 supratik@Supratiks-MacBook-Pro.local (ssh-rsa) 3. date; sss_ssh_authorizedkeys supratik.gos...@ad.corp.example.com; date Wed Aug 9 13:58:13 UTC 2017 Error looking up public keys Wed Aug 9 13:58:13 UTC 2017 (Wed Aug 9 13:58:12 2017) [sssd[be[ipa.corp.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x23ff770 (Wed Aug 9 13:58:12 2017) [sssd[be[ipa.corp.example.com]]] [sbus_dispatch] (0x4000): Dispatching. (Wed Aug 9 13:58:12 2017) [sssd[be[ipa.corp.example.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Wed Aug 9 13:58:12 2017) [sssd[be[ipa.corp.example.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Aug 9 13:58:13 2017) [sssd[be[ipa.corp.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x2420ca0 (Wed Aug 9 13:58:13 2017) [sssd[be[ipa.corp.example.com]]] [sbus_dispatch] (0x4000): Dispatching. (Wed Aug 9 13:58:13 2017) [sssd[be[ipa.corp.example.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed Aug 9 13:58:13 2017) [sssd[be[ipa.corp.example.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Aug 9 13:58:13 2017) [sssd[be[ipa.corp.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=supratik.goswai] (Wed Aug 9 13:58:13 2017) [sssd[be[ipa.corp.example.com]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.corp.example.com] to [ad.corp.example.com] (Wed Aug 9 13:58:13 2017) [sssd[be[ipa.corp.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline (Wed Aug 9 13:58:22 2017) [sssd[be[ipa.corp.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x23ff770 (Wed Aug 9 13:58:22 2017) [sssd[be[ipa.corp.example.com]]] [sbus_dispatch] (0x4000): Dispatching. (Wed Aug 9 13:58:22 2017) [sssd[be[ipa.corp.example.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Wed Aug 9 13:58:22 2017) [sssd[be[ipa.corp.example.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit On Wed, Aug 9, 2017 at 6:43 PM, Jakub Hrozek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > On 9 Aug 2017, at 14:37, Supratik Goswami via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > Can someone please help me to figure out the issue? > > Please let me know if any other information is required > > > Describing how you set up the idview and providing SSSD logs is a good > start. > > - idoverrideuser-show “Default Trust View” supratik.gos...@ad.corp. > example.com > - the same with —all —raw > - enable sssd logs on the client > - run: date; sss_ssh_authorizedkeys supratik.gos...@ad.corp.example.com; > date > - attach the sssd logs > > On Wed, Aug 9, 2017 at 9:54 AM, Supratik Goswami <supratiksek...@gmail.com > > wrote: > >
[Freeipa-users] Re: Unable to SSH into Linux machine using AD user
SSSD version: sssd-1.13.0-40.7.amzn1.x86_64 Linux OS: Amazon Linux I am seeing only these messages repeated continuously. (Mon Aug 7 08:37:49 2017) [sssd[be[ipa.corp.example.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Mon Aug 7 08:37:49 2017) [sssd[be[ipa.corp.example.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Aug 7 08:37:59 2017) [sssd[be[ipa.corp.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x12e4650 (Mon Aug 7 08:37:59 2017) [sssd[be[ipa.corp.example.com]]] [sbus_dispatch] (0x4000): Dispatching. On Mon, Aug 7, 2017 at 1:52 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > Which sssd version is this on what OS? > > stracing the sssd processes might help, using this in the [domain] section: > command = strace -ff -o /tmp/sssd_be_strace /usr/libexec/sssd/sssd_be > --debug-level=10 --domain ipa.example.com --uid=0 --gid=0 > (You’d need to substitute ipa.example.com for your domain, just see how > the processes are invoked normally in systemctl status sssd) > > On 7 Aug 2017, at 08:37, Supratik Goswami <supratiksek...@gmail.com> > wrote: > > Hi Jakub > > /tmp directory has permission > > drwxrwxrwt 7 root root 4096 Aug 7 05:46 /tmp > > On Mon, Aug 7, 2017 at 11:57 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > >> >> > On 7 Aug 2017, at 07:38, Supratik Goswami via FreeIPA-users < >> freeipa-users@lists.fedorahosted.org> wrote: >> > >> > >> >> Judging by: >> (Mon Aug 7 05:30:14 2017) [[sssd[krb5_child[26789 [create_ccache] >> (0x0020): 735: [13][Permission denied] >> >> I would check the permissions on the /tmp directory. >> >> > > > -- > Warm Regards > > Supratik > > > -- Warm Regards Supratik ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: Unable to SSH into Linux machine using AD user
Hi Jakub /tmp directory has permission drwxrwxrwt 7 root root 4096 Aug 7 05:46 /tmp On Mon, Aug 7, 2017 at 11:57 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > > > On 7 Aug 2017, at 07:38, Supratik Goswami via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > > > > Judging by: > (Mon Aug 7 05:30:14 2017) [[sssd[krb5_child[26789 [create_ccache] > (0x0020): 735: [13][Permission denied] > > I would check the permissions on the /tmp directory. > > -- Warm Regards Supratik ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Unable to SSH into Linux machine using AD user
Hi I am using trust between AD and IPA AD domain: ad.corp.example.com IPA domain: ipa.corp.example.com I am able to login using SSH to the IPA server using the AD user, when I am trying to login using SSH to the Linux client which is a member of the IPA domain it does not work. Please find my /etc/krb5.conf in the client machine below [libdefaults] #default_realm = IPA.CORP.EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = yes udp_preference_limit = 0 # default_ccache_name = KEYRING:persistent:%{uid} [realms] IPA.CORP.EXAMPLE.COM = { kdc = ipa01.ipa.corp.example.com:88 master_kdc = ipa01.ipa.corp.example.com:88 admin_server = ipa01.ipa.corp.example.com:749 #default_domain = ipa.corp.example.com pkinit_anchors = FILE:/etc/ipa/ca.crt auth_to_local = RULE:[1:$1@$0](^.*@AD.CORP.EXAMPLE.COM$)s/@ AD.CORP.EXAMPLE.COM/@ad.corp.example.com/ auth_to_local = DEFAULT } AD.CORP.EXAMPLE.COM = { kdc = ad01.ad.corp.example.com:88 master_kdc = ad01.ad.corp.example.com:88 } [domain_realm] .ipa.corp.example.com = IPA.CORP.EXAMPLE.COM ipa.corp.example.com = IPA.CORP.EXAMPLE.COM .ad.corp.example.com = AD.CORP.EXAMPLE.COM ad.corp.example.com = AD.CORP.EXAMPLE.COM Please find my SSD config below [sssd] config_file_version = 2 services = nss, sudo, pam, ssh domains = ipa.corp.exampl.com [nss] homedir_substring = /home [domain/ipa.corp.example.com] debug_level = 9 krb5_store_password_if_offline = True id_provider = ipa auth_provider = ipa access_provider = ipa cache_credentials = True krb5_store_password_if_offline = True ipa_domain = ipa.corp.example.com ipa_hostname = host01.ipa.corp.example.com ipa_server = _srv_, ipa01.ipa.corp.example.com chpass_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt dns_discovery_domain = ipa.corp.example.com [pam] [sudo] [autofs] [ssh] [pac] [ifp] Please find the krb5_child.log attached. Please help me to understand what I am missing here or what may be the issue. Thanks -- Warm Regards Supratik krb5_child.log Description: Binary data ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: Why "w" does not list AD users
Hi Jakub I was trying to login to the box as usern...@addomain.com <usern...@adserver.addomain.com>. After some research I came across this post https://www.freeipa.org/ page/V4/AD_User_Short_Names and I am able to to now login using the user short name it is also now showing after I type "w" but now in the "ps" output it is listing the user id but not the user name. Any pointers would be greatly appreciated Thanks! On Wed, Aug 16, 2017 at 5:59 PM, Jakub Hrozek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On Wed, Aug 16, 2017 at 01:04:05PM +0530, Supratik Goswami via > FreeIPA-users wrote: > > I have configured trust between AD and IPA and Linux machines are member > of > > IPA domain. > > When I log into any of the Linux machine and type "w" it does not list > the > > user AD user with which I just logged in. > > How exactly did you log in? > > I'm not sure if my knowledge of these details is correct, but I thought > that programs like "w" look at the utmp file which is these days handled > by systemd-logind. So I would say that whether the user should be listed > also depends on whether the login creates a logind session. Notably "su" > does not create a session, but e.g. ssh or login through the text > console does. > > Typing "loginctl" should give some info as well. > ___ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > -- Warm Regards Supratik ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: Why "w" does not list AD users
Hi Jakub The logs are captured at the same time from both servers, you are seeing this difference because of different timezone setting. IPA server was at EDT and the Linux machine is set to UTC, I have made that fix now. Do you want me to send the logs again? On Mon, Aug 21, 2017 at 8:12 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > The client and server logs are 4 hours apart, do you have log files that > capture the same time interval? > > On Fri, Aug 18, 2017 at 07:52:44PM +0530, Supratik Goswami wrote: > > Yes, sorry my mistake. > > > > Please find the log entries from both server and client > > > > On Fri, Aug 18, 2017 at 7:46 PM, Jakub Hrozek <jhro...@redhat.com> > wrote: > > > > > On Fri, Aug 18, 2017 at 07:38:21PM +0530, Supratik Goswami wrote: > > > > Here is my sssd.conf file > > > > > > > > [sssd] > > > > config_file_version = 2 > > > > services = nss, sudo, pam, ssh > > > > domains = ipadomain.com > > > > default_domain_suffix = adadomain.com > > > > full_name_format = %1$s > > > > > > > > [nss] > > > > homedir_substring = /home > > > > > > --> the debug_level goes here > > > > > > > > > > > [domain/ipadomain.com] > > > > krb5_use_enterprise_principal = True > > > > > > > > debug_level = 9 > > > > krb5_store_password_if_offline = True > > > > id_provider = ipa > > > > auth_provider = ipa > > > > access_provider = ipa > > > > cache_credentials = True > > > > krb5_store_password_if_offline = True > > > > ipa_domain = ipadomain.com > > > > ipa_hostname = ef01.ipadomain.com > > > > ipa_server = ipa01.ipadomain.com > > > > chpass_provider = ipa > > > > ldap_tls_cacert = /etc/ipa/ca.crt > > > > dns_discovery_domain = ipadomain.com > > > > > > > > entry_cache_timeout = 60 > > > > [pam] > > > > > > > > [sudo] > > > > > > > > [autofs] > > > > > > > > [ssh] > > > > > > > > [pac] > > > > > > > > [ifp] > > > > > > > > On Fri, Aug 18, 2017 at 7:28 PM, Supratik Goswami < > > > supratiksek...@gmail.com> > > > > wrote: > > > > > > > > > > > > > > > > > > > On Fri, Aug 18, 2017 at 7:20 PM, Jakub Hrozek via FreeIPA-users < > > > > > freeipa-users@lists.fedorahosted.org> wrote: > > > > > > > > > >> On Fri, Aug 18, 2017 at 07:13:13PM +0530, Supratik Goswami via > > > > >> FreeIPA-users wrote: > > > > >> > When executed in the server I get the below logs > > > > >> > > > > > >> > (Fri Aug 18 08:18:26 2017) [sssd[nss]] [orderly_shutdown] > (0x0010): > > > > >> > SIGTERM: killing children > > > > >> > (Fri Aug 18 08:20:04 2017) [sssd[nss]] [orderly_shutdown] > (0x0010): > > > > >> > SIGTERM: killing children > > > > >> > (Fri Aug 18 08:20:11 2017) [sssd[nss]] [orderly_shutdown] > (0x0010): > > > > >> > SIGTERM: killing children > > > > >> > (Fri Aug 18 08:23:32 2017) [sssd[nss]] [orderly_shutdown] > (0x0010): > > > > >> > SIGTERM: killing children > > > > >> > > > > > >> > In the client side the log file is empty > > > > >> > > > > >> Well, we don't log anything by default, you need to increase the > debug > > > > >> level. See https://docs.pagure.org/SSSD. > sssd/users/troubleshooting. > > > html > > > > >> > > > > >> > > > > > I have set the debug level to 9 but still does not log anything. > > > > > > > > > > debug_level = 9 > > > > > > > > > > > > > > >> > > > > > >> > I also looked at the option full_name_format to see if I can > use the > > > > >> > username and ignore the domain altogether for displaying. > > > > >> > As per the documentation "full_name_format parameter sets how > the > > > user > > > > >> name > > > > >> > and domain name (once determined) are displayed". > > > > >> > But when I set it to *full_name_format = %1$s* I am not able to > > > login > > > > >> > > > > >> This won't work on the server at least, but should work on the > > > clients. > > > > >> But I would suggest to not change the defaults much and only > deviate > > > > >> from the defaults once the baseline works. > > > > >> > > > > > > > > > > I am trying at the client side but after I update this parameter > login > > > > > breaks completely. > > > > > > > > > > > > > > > > > > > >> ___ > > > > >> FreeIPA-users mailing list -- freeipa-users@lists. > fedorahosted.org > > > > >> To unsubscribe send an email to freeipa-users-le...@lists.fedo > > > > >> rahosted.org > > > > >> > > > > > > > > > > > > > > > > > > > > -- > > > > > Warm Regards > > > > > > > > > > Supratik > > > > > > > > > > > > > > > > > > > > > -- > > > > Warm Regards > > > > > > > > Supratik > > > > > > > > > > > -- > > Warm Regards > > > > Supratik > > > > -- Warm Regards Supratik ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: Why "w" does not list AD users
Here is my sssd.conf file [sssd] config_file_version = 2 services = nss, sudo, pam, ssh domains = ipadomain.com default_domain_suffix = adadomain.com full_name_format = %1$s [nss] homedir_substring = /home [domain/ipadomain.com] krb5_use_enterprise_principal = True debug_level = 9 krb5_store_password_if_offline = True id_provider = ipa auth_provider = ipa access_provider = ipa cache_credentials = True krb5_store_password_if_offline = True ipa_domain = ipadomain.com ipa_hostname = ef01.ipadomain.com ipa_server = ipa01.ipadomain.com chpass_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt dns_discovery_domain = ipadomain.com entry_cache_timeout = 60 [pam] [sudo] [autofs] [ssh] [pac] [ifp] On Fri, Aug 18, 2017 at 7:28 PM, Supratik Goswami <supratiksek...@gmail.com> wrote: > > > On Fri, Aug 18, 2017 at 7:20 PM, Jakub Hrozek via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > >> On Fri, Aug 18, 2017 at 07:13:13PM +0530, Supratik Goswami via >> FreeIPA-users wrote: >> > When executed in the server I get the below logs >> > >> > (Fri Aug 18 08:18:26 2017) [sssd[nss]] [orderly_shutdown] (0x0010): >> > SIGTERM: killing children >> > (Fri Aug 18 08:20:04 2017) [sssd[nss]] [orderly_shutdown] (0x0010): >> > SIGTERM: killing children >> > (Fri Aug 18 08:20:11 2017) [sssd[nss]] [orderly_shutdown] (0x0010): >> > SIGTERM: killing children >> > (Fri Aug 18 08:23:32 2017) [sssd[nss]] [orderly_shutdown] (0x0010): >> > SIGTERM: killing children >> > >> > In the client side the log file is empty >> >> Well, we don't log anything by default, you need to increase the debug >> level. See https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html >> >> > I have set the debug level to 9 but still does not log anything. > > debug_level = 9 > > >> > >> > I also looked at the option full_name_format to see if I can use the >> > username and ignore the domain altogether for displaying. >> > As per the documentation "full_name_format parameter sets how the user >> name >> > and domain name (once determined) are displayed". >> > But when I set it to *full_name_format = %1$s* I am not able to login >> >> This won't work on the server at least, but should work on the clients. >> But I would suggest to not change the defaults much and only deviate >> from the defaults once the baseline works. >> > > I am trying at the client side but after I update this parameter login > breaks completely. > > > >> ___ >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >> To unsubscribe send an email to freeipa-users-le...@lists.fedo >> rahosted.org >> > > > > -- > Warm Regards > > Supratik > -- Warm Regards Supratik ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: Why "w" does not list AD users
In server the ps version is procps-ng version 3.3.10 In the other boxes ps version is procps version 3.2.8 On Fri, Aug 18, 2017 at 5:52 PM, Supratik Goswamiwrote: > In the IPA server I am getting in the below format > > suprati+ 4360 0.0 0.0 172676 2484 ?D08:20 0:00 sshd: > supra...@addomain.com@pts/1 > suprati+ 4361 0.0 0.0 125688 2092 pts/1Ss 08:20 0:00 -bash > suprati+ 4383 0.0 0.0 161360 1828 pts/1R+ 08:20 0:00 ps aux > > On Fri, Aug 18, 2017 at 3:22 PM, Jakub Hrozek wrote: > >> On Fri, Aug 18, 2017 at 03:09:05PM +0530, Supratik Goswami wrote: >> > > >> > > What do you mean by user ID? The numeric UID? How do you invoke ps? >> > >> > >> > Yes, numeric UID. When I type "ps aux" I get the following output >> > >> > 1759001108 2375 0.0 0.4 146900 4084 ?S08:55 0:00 sshd: >> > testu...@addomain.com@pts/0 >> > 1759001108 2376 0.0 0.3 127800 3536 pts/0Ss 08:55 0:00 -sh >> > 1759001108 2399 0.0 0.2 129656 2544 pts/0R+ 08:55 0:00 ps aux >> > >> > I want to see "testuser" instead of "1759001108". How can I achieve it? >> >> Well, that should work. For some reason, the ID-to-name resolution is >> not working. Does it work at least on the server? >> > > > > -- > Warm Regards > > Supratik > -- Warm Regards Supratik ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org