[Freeipa-users] bind-dyndb-ldap, AXFR and DS records

2017-02-08 Thread Ben Roberts
Hi all, This is a question more about bind-dyndb-ldap rather than freeipa, but I understand it's written/maintained by the freeipa project and so this might be the most appropriate place to ask. I have setup bind-dyndb-ldap to read some zones from openldap, with multiple nameservers acting as

Re: [Freeipa-users] Where is SID stored after ipa-adtrust-install?

2017-02-08 Thread Armaan Esfahani
It worked! Thanks so much for your help. On 2/8/17, 12:20 PM, "Alexander Bokovoy" wrote: On Wed, 08 Feb 2017, Armaan Esfahani wrote: >I have found the following. > >[08/Feb/2017:11:14:38 -0500] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]:

Re: [Freeipa-users] Where is SID stored after ipa-adtrust-install?

2017-02-08 Thread Alexander Bokovoy
On Wed, 08 Feb 2017, Armaan Esfahani wrote: I have found the following. [08/Feb/2017:11:14:38 -0500] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ... [08/Feb/2017:11:14:38 -0500] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert

Re: [Freeipa-users] Where is SID stored after ipa-adtrust-install?

2017-02-08 Thread Armaan Esfahani
Hey Jeff, that is also happening here, however only with users created after the ipa-adtrust-install. For example, the admin user fails to ever be authenticated despite numerous password resets, yet if I were to create a new account and reset its password it works fine. From: Jeff

Re: [Freeipa-users] Where is SID stored after ipa-adtrust-install?

2017-02-08 Thread Jeff Goddard
I had this same issue and the value was only added after a password change. Jeff On Wed, Feb 8, 2017 at 11:10 AM, Alexander Bokovoy wrote: > On Wed, 08 Feb 2017, Armaan Esfahani wrote: > >> I’ve been having issues with some of my IPA seemingly not getting SIDs >> after

Re: [Freeipa-users] Where is SID stored after ipa-adtrust-install?

2017-02-08 Thread Armaan Esfahani
I have found the following. [08/Feb/2017:11:14:38 -0500] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ... [08/Feb/2017:11:14:38 -0500] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [755400050] into an unused SID.

Re: [Freeipa-users] Where is SID stored after ipa-adtrust-install?

2017-02-08 Thread Alexander Bokovoy
On Wed, 08 Feb 2017, Armaan Esfahani wrote: I’ve been having issues with some of my IPA seemingly not getting SIDs after the install, even after running with the --add-sids modifier. I was wondering where the SID values are located so that I can take a look at what’s happening. In the user

[Freeipa-users] Where is SID stored after ipa-adtrust-install?

2017-02-08 Thread Armaan Esfahani
I’ve been having issues with some of my IPA seemingly not getting SIDs after the install, even after running with the --add-sids modifier. I was wondering where the SID values are located so that I can take a look at what’s happening. -- Armaan Esfahani Advanced Open Systems m:(470)

Re: [Freeipa-users] sudo rules are not active immediately

2017-02-08 Thread Nathanaël Blanchet
On 08/02/2017 at 13:00, Pavel Březina wrote: On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote: Hello, on latest IPA, when adding a command to a rule or a sudo option for example, the change is not active on the user session. For example, after removing !authenticate option, I still can

Re: [Freeipa-users] Need help understanding this timeout issue

2017-02-08 Thread Troels Hansen
Cache is verified valid by looking at the cache files /var/lib/sss/db/ ldb files. Also, if I look up the user on the IPA server I get a fast response. Looking up the user on a client which has a valid cache returns the user within a few ms or secs. Invalidating the cache on the client with

Re: [Freeipa-users] Need help understanding this timeout issue

2017-02-08 Thread Sullivan, Daniel [CRI]
Are you actually logging in or just doing a lookup on a user? I remember reading somewhere that groups are always re-evaluated at the point of login, regardless of what is in the cache. I am not sure if this is accurate or the implications of whether or not it is on the client, server or

Re: [Freeipa-users] ipa-client RHEL 6.9 support for UPN different than domain name

2017-02-08 Thread Sumit Bose
On Wed, Feb 08, 2017 at 12:44:07PM +0100, Troels Hansen wrote: > Hi, > > Have you tried setting ldap_user_principal to something nonexisting? For > example: > > ldap_user_principal = nosuchattr > > and inherit this to the AD domain with: > > subdomain_inherit = ldap_user_principal > > Both

Re: [Freeipa-users] sudo rules are not active immediately

2017-02-08 Thread Pavel Březina
On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote: Hello, on latest IPA, when adding a command to a rule or a sudo option for example, the change is not active on the user session. For example, after removing !authenticate option, I still can execute sudo commands without password. I tried to

Re: [Freeipa-users] ipa-client RHEL 6.9 support for UPN different than domain name

2017-02-08 Thread Troels Hansen
Hi, Have you tried setting ldap_user_principal to something nonexisting? For example: ldap_user_principal = nosuchattr and inherit this to the AD domain with: subdomain_inherit = ldap_user_principal Both in the domain section of sssd. - On Feb 8, 2017, at 12:17 PM, Jan Karásek

Re: [Freeipa-users] ipa-client RHEL 6.9 support for UPN different than domain name

2017-02-08 Thread Jan Karásek
Hi, thank you for help. I am running RHEL 7.3 on IPA servers and with RHEL 7.3 clients it works really nice. Trouble is on RHEL 6 machines. I have tried to add krb5_use_enterprise_principal = true into domain section of sssd.conf on RHEL 6 IPA clients but problem still persists. Is there

[Freeipa-users] sudo rules are not active immediately

2017-02-08 Thread Nathanaël Blanchet
Hello, on latest IPA, when adding a command to a rule or a sudo option for example, the change is not active on the user session. For example, after removing !authenticate option, I still can execute sudo commands without password. I tried to logout and relogin, but nothing changes, but on a

Re: [Freeipa-users] Where in the login process is KRB5CCNAME being set

2017-02-08 Thread Jakub Hrozek
On Wed, Feb 08, 2017 at 09:59:52AM +0100, Kees Bakker wrote: > Hi, > > This is a follow-up on the problem I had with > klist: Invalid UID in persistent keyring name while getting default ccache > (See "How to enable krb5_child log" earlier this month.) > > The situation is that we have local

[Freeipa-users] Where in the login process is KRB5CCNAME being set

2017-02-08 Thread Kees Bakker
Hi, This is a follow-up on the problem I had with klist: Invalid UID in persistent keyring name while getting default ccache (See "How to enable krb5_child log" earlier this month.) The situation is that we have local users with the same name that exist in IPA, but the UIDs are different. We

Re: [Freeipa-users] Smart Card login into an Active Directory User

2017-02-08 Thread Sumit Bose
On Fri, Feb 03, 2017 at 12:59:26PM -0800, spammewo...@cox.net wrote: > > Sumit Bose wrote: > > On Fri, Feb 03, 2017 at 09:33:13AM +0100, Sumit Bose wrote: > > On Thu, Feb 02, 2017 at 11:03:28AM -0800, spammewo...@cox.net wrote: > > > I am running an IPA server (4.4.0) on

Re: [Freeipa-users] Ubuntu client 2FA not working

2017-02-08 Thread Sumit Bose
On Mon, Feb 06, 2017 at 01:56:06PM +, Tommy Nikjoo wrote: > Hi, > > I'm having some issues with 2FA PAM configs on Ubuntu clients. > Currently, I'm guessing that the PAM module doesn't know how to talk to > the 2FA protocol. Is anyone able to give an insight into how to get > this working