On 2017-05-15 21:27, Jakub Hrozek wrote:
[...]
On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
Hi,
I am confronted with a behaviour for which I do not have an explanation.
I am using NFS4 Kerberos automounted homeshares and recently I got a
permission denied
Hi,
I am confronted with a behaviour for which I do not have an explanation.
I am using NFS4 Kerberos automounted homeshares and recently I got a
permission denied (reproducible when I restart autofs on the server I
want to connect to) from the Windows Domain. So here's what I tried:
On 2017-04-19 13:06, Ronald Wimmer wrote:
[...]
as the default directory (by setting override_homedir in sssd.conf)
oddjob_mkhomedir creates the user directory but I still get a
permission denied when logging in for the first time. (cd /home/user
works)
The only thing I see in the logs
I am trying to automount homeshares (defined in FreeIPA). Now I ran into
a problem with oddjob_mkhomedir.
By default an AD user would get a homedir that looks like
/home/domain/user
In this case oddjob_mkhomedir creates the domain-directory but not more.
If I configure a client to use
Hi,
I am implementing automounted home shares for all my IPA users. When
thinking a little more about the topic two fundamental questions arose:
- Is it a good idea to automount /home even if no local users exist at
the moment?
- Would it be better to leave local users in /home and place IPA
Here are my findings. The problem seems to be related to mkhomedir. By
default my homedir looks like /home/%d/%u. In this case, when a user
logs in for the first time /home/%d gets created and the %u part is
missing. If I create it manually everything works fine.
If I set override_homedir to
I got a little further. Now the share also automounts on the client with
sec set to krb5 but the user still gets a "Permission denied" and cannot
access his home directory. Can it be related to the fact that the user
comes from AD? (Unfortunately, I cannot test with a native IPA user due
to
On 2017-04-13 14:24, Ronald Wimmer wrote:
> [...]
> It was my own fault. I somehow messed up the /etc/krb5.keytab on the
> testclient. After correcting it everything works like a charm.
No. It was not. I was mistaken. The problem is:
- sec=sys
when I set sec=sys, the share gets au
On 2017-04-13 12:47, Ronald Wimmer wrote:
On 2017-04-12 17:21, Jason B. Nance wrote:
[...]
You can still use autofs and mkhomedir, just use a direct mount for
/home instead of indirect mounts. In other words, mount "/home"
entirely vs. "/home/" individually.
Thanks for c
On 2017-04-12 17:21, Jason B. Nance wrote:
[...]
You can still use autofs and mkhomedir, just use a direct mount for /home instead of indirect mounts. In
other words, mount "/home" entirely vs. "/home/" individually.
Thanks for clarification. I made a direct map for /home now that looks like:
On 2017-04-12 14:55, Jason B. Nance wrote:
[...]
You cannot use indirect mounting and enablemkhomedir at the same time. Indirect mounts require
that the directory you are attempting to mount already exists on the NFS server and that you
let autofs fully manage the "parent" directory on the
Hi,
I am trying to automount user home shares from an NFS server. Up to now,
without success.
Some details regarding my setup: I have a CentOS 7.3 machine acting as
an NFS server. It is a host within my IPA domain and enrolled as an IPA
client.
[root@ipanfs ~]# cat /etc/exports
On 2017-04-10 13:23, Jakub Hrozek wrote:
[...]
This shouldn't be the case with 1.14+ and wasn't in my testing. Did you
remove the cache (really remove, not just expire with sss_cache) after
you upgraded from 1.13 to 1.14?
If yes, can you run some simple systemtap scripts?
I did not upgrade
On 2017-04-10 12:16, Lukas Slebodnik wrote:
[...]
sssd_be consumed a lot of CPU and produced a lot of I/O in the sssd cache
directory. After following
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
the problems did not reappear.
Did you try
On 2017-04-07 10:28, Sumit Bose wrote:
[...]
I'm not aware of any limitation here. Have you tried to run 'ipa
trust-fetch-domains ad.forest.root' to update the list?
If this does not help please add 'log level = 100' to
/usr/share/ipa/smb.conf.empty so that it looks like:
[global]
On 2017-04-08 12:53, Lukas Slebodnik wrote:
On (04/04/17 09:41), Ronald Wimmer wrote:
On 2017-03-31 13:35, Lukas Slebodnik wrote:
On (29/03/17 10:47), Ronald Wimmer wrote:
Hi,
yesterday I suddenly was unable to use the webinterface of my ipa master. SSH
login (with root user) did not work
On 2017-04-08 12:49, Lukas Slebodnik wrote:
[...]
May I ask which version of sssd you use?
SSSD 1.14
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
On 2017-04-06 20:50, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
On 2017-04-06 12:16, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
[...]
AD trust:
mydomain.at (forest root)
xyz (subdomain -> where myuser resides)
Quoting Sumit Bose <sb...@redhat.com>:
On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
On 2017-04-06 12:16, Sumit Bose wrote:
> On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
> [...]
> > AD trust:
> > mydomain.at (forest root)
> >
On 2017-04-06 12:16, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
[...]
AD trust:
mydomain.at (forest root)
xyz (subdomain -> where myuser resides)
BCC (appearing in krb5_child.log) is not a domain here. It is my company's
name and might derive from s
On 2017-04-06 12:58, Ronald Wimmer wrote:
[...]
BCC (appearing in krb5_child.log) is not a domain here. It is my
company's name and might derive from some information in the AD.
After doing an LDAP search on the domain controller of my AD domain
(xyz.mydomain.at) I found out that my
On 2017-04-06 11:21, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 12:10:29PM +0200, Ronald Wimmer wrote:
Hi,
when I try to login to an IPA client with my AD user it works perfectly when
I already have a kerberos ticket for my user. When I do not and I try a
password-based login it fails:
Please
Hi,
when I try to login to an IPA client with my AD user it works perfectly
when I already have a kerberos ticket for my user. When I do not and I
try a password-based login it fails:
Password-based:
(Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_check_user_search] (0x0400):
Returning info for
On 2017-04-04 11:19, Jakub Hrozek wrote:
On Tue, Apr 04, 2017 at 09:51:04AM +0200, Ronald Wimmer wrote:
Hi,
my IPA master has an AD trust (several thousand users). Since the trust has
been set up I am experiencing that I cannot login on the web interface. Even
connecting via SSH does not work
Hi,
my IPA master has an AD trust (several thousand users). Since the trust
has been set up I am experiencing that I cannot login on the web
interface. Even connecting via SSH does not work or takes extremely
long. When I managed to log in as root via SSH (after waiting and trying
several
On 2017-03-31 13:35, Lukas Slebodnik wrote:
On (29/03/17 10:47), Ronald Wimmer wrote:
Hi,
yesterday I suddenly was unable to use the webinterface of my ipa master. SSH
login (with root user) did not work also.
When I uncommented the setting "memcache_timeout = 600" in the sssd c
On 2017-03-29 11:06, Alexander Bokovoy wrote:
On Wed, 29 Mar 2017, Ronald Wimmer wrote:
[...]
Read
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
There is also a higher-level description at
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/
Thanks
Hi,
yesterday I suddenly was unable to use the webinterface of my ipa
master. SSH login (with root user) did not work also.
When I uncommented the setting "memcache_timeout = 600" in the sssd
config file of the master everything seemed to work fine again. (my ipa
setup has a trust to AD)
Hi,
the documentation states "[...] Client machines do not need to be in the
same domain as FreeIPA servers. For example, FreeIPA may be a domain
ipa.example.com and clients in domain clients.example.com, there just
need to be a clear mapping between DNS domain and Kerberos realm. [...]"