> On Fri, Jul 14, 2017 at 10:00:20AM -, bogusmaster--- via FreeIPA-users
> wrote:
>
> yes, but I think this is only a side effect. SSSD cannot resolve a
> global catalog server. Does
>
> dig SRV _gc._tcp.td.mydomain.com
>
> return anything when called on the IPA server?
It didn't.
On Fri, Jul 14, 2017 at 10:00:20AM -, bogusmaster--- via FreeIPA-users
wrote:
> > Can you do a test on the server by calling
> >
> > id username@ad.domain
> >
> > and collect sssd_nss.log and sssd_your.ipa.domain.log on the server as
> > well?
> I uploaded these files to the same
I also observed one peculiar thing when it comes to group membership of the
group which is used in my HBAC rule.
When I issue getent group ad_users on the server, I get:
ad_users:*:101025:j...@td.mydomain.com
In FreeIPA's web UI, membership looks as follows:
External member
On Thu, Jul 13, 2017 at 07:22:58PM -, bogusmaster--- via FreeIPA-users
wrote:
> I've uploaded them here: goo.gl/hiFHKE
Thanks.
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
object(32), (null).
This indicates that the user cannot be found on the server. There are
Thank you for the answer.
I've verified the status of domain on both server and client.
On a server it appears that the IPA domain (ipa.sub.mydomain.com) is always online.
However, the status of the AD domain (sub.mydomain.com) seems to be fluctuating between
Online and Offline and sometimes sssctl returns
On 13 July 2017 at 00:48, bogusmaster--- via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> > On Thu, Jul 06, 2017 at 02:29:34PM -, bogusmaster--- via
> FreeIPA-users wrote:
>
> I have verified that hint. I've stopped sssd daemon, cleared the cache and
> started it back again.
> On Thu, Jul 06, 2017 at 02:29:34PM -, bogusmaster--- via FreeIPA-users
> wrote:
>
>
> The ipa-client gets all its data from the IPA server and for efficiency
> the lookup on the server goes via the SSSD cache on the server.
>
> While on the client during authentication the user data is
What was the IPA version you used? It might not be related, but when I upgraded
sssd to 1.15.2-5, ssh doesn't work for me, neither on the FreeIPA server nor on
the clients. What's more strange, getent passwd for AD users doesn't work for
the clients, although it works for the server.
Thank you for sharing this hint, I am going to try the upgrade. Can I ask
you which version of IPA did you use with that sssd version? Did you
upgrade sssd on each type of server (I mean both client and server)?
I did a test roll out to just the clients before going to all. We are using
the
Thank you for sharing this hint, I am going to try the upgrade. Can I ask you
which version of IPA did you use with that sssd version? Did you upgrade sssd
on each type of server (I mean both client and server)?
Many thanks,
Bart
> On Thu, Jul 06, 2017 at 02:29:34PM -, bogusmaster--- via FreeIPA-users
> wrote:
>
>
> The ipa-client gets all its data from the IPA server and for efficiency
> the lookup on the server goes via the SSSD cache on the server.
>
> While on the client during authentication the user data is
On 7 July 2017 at 00:29, bogusmaster--- via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Just to add some example of behaviour I described, I configured an AD user
> group membership and granted him access via HBAC rule. Waited approximately
> for 2 hours and then, all of a
Bart,
Which versions of SSSD and FreeIPA are you using?
cheers
L.
--
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."
- Patrisse