Hello,
You may need to increase the debug level to 9 and look in the
sssd_.log for failures after the failed login attempt - I
would look in between log messages 'Got request for bobt...' and
'Backend returned' messages
https://fedorahosted.org/sssd/wiki/Troubleshooting
You can also send th
I've set up a freeipa server on a centos 7 machine and have successfully
configured a 2-way trust between it and our active directory domain
controller. I've also installed ipa-client on an ubuntu 14.04 machine and
have run ipa-client-install, which has apparently successfully joined the
FreeIPA do
First off, let me say THANK YOU to all of you who've helped make FreeIPA
what it is. I think it's a fantastic project and it's amazing what it has
achieved.
Second off, I'm still quite new to FreeIPA, especially the internals. This
includes Kerberos. I'm also very very limited at Python (I come
Rob,
One must also update /etc/ipa/nssdb the same way, otherwise ipa cli tool
gets SEC_ERROR_UNTRUSTED_ISSUER !
It would be nice to have an IPA tool to update all certificates in all
required places.
Also, why would I need to add CA that already in system ca-trust to the
private IPA nssdb
On Tue, Aug 09, 2016 at 03:29:37PM +0200, Troels Hansen wrote:
> - On Aug 9, 2016, at 3:16 PM, Jakub Hrozek jhro...@redhat.com wrote:
>
> >>
> >> What does "Cannot handle password prompts" mean? the only thing I can find
> >> is
> >> some sssd krb5 commits looking to be related to password c
On 08/08/2016 03:28 PM, Martin Basti wrote:
>
>
> On 08.08.2016 13:28, Harald Dunkel wrote:
>> Hi Martin,
>>
>> On 08/08/2016 09:41 AM, Martin Basti wrote:
>>> Hello, this is probably issue https://fedorahosted.org/389/ticket/48388
>>>
>>> It was fixed, but IMO not backported to centos7.2
>>>
>>>
- On Aug 9, 2016, at 3:16 PM, Jakub Hrozek jhro...@redhat.com wrote:
>>
>> What does "Cannot handle password prompts" mean? the only thing I can find is
>> some sssd krb5 commits looking to be related to password change?
>
> I'm not sure this is related, can you paste more context?
Actuall
Please check the FreeIPA training presentation. There are more details for
this. TLDR, you will need to create one Python plugin to get this into API/CLI
and one Web UI plugin if you also want to extend Web UI. The presentation above
has some examples.
On 08/09/2016 02:20 PM, Deepak Dimri wrote:
>
On Tue, Aug 09, 2016 at 03:13:25PM +0200, Troels Hansen wrote:
> At least for some users
>
> One user failing:
>
> (Tue Aug 9 14:41:37 2016) [[sssd[krb5_child[1360 [unpack_buffer]
> (0x0100): cmd [249] uid [1349930179] gid
> [1349930179] validate [true] enterprise principal [false] off
At least for some users
One user failing:
(Tue Aug 9 14:41:37 2016) [[sssd[krb5_child[1360 [unpack_buffer] (0x0100):
cmd [249] uid [1349930179] gid
[1349930179] validate [true] enterprise principal [false] offline [true] UPN
[h...@net.dr.dk]
(Tue Aug 9 14:41:37 2016) [[sssd[krb5_chil
- On Aug 9, 2016, at 2:09 PM, Jakub Hrozek jhro...@redhat.com wrote:
>>
>> So, I currently works in the current RedHat (sssd-ipa-1.13.0-40.el7_2.12) but
>> only on the server, but not on a pure IPA client, but will work in 1.14.0 ?
>
> I would not recommend this setting on the server, eve
Ok, got it, Martin
One more query on this.
I have extended the ObjectClass under inetorgperson and added the custom
attributes successfully. I could add my newly custom ObjectClass under "default
user object class" tab of my FreeIPA configuration. But then the question how
do I use these attribu
- On Aug 9, 2016, at 1:57 PM, Jakub Hrozek jhro...@redhat.com wrote:
>>
>> If I set it
>> "full_name_format = %1$s"
>
> Yes, This only works with 1.14.0 or newer.
>>
So, I currently works in the current RedHat (sssd-ipa-1.13.0-40.el7_2.12) but
only on the server, but not on a pure IPA cli
On Tue, Aug 09, 2016 at 02:04:21PM +0200, Troels Hansen wrote:
> - On Aug 9, 2016, at 1:57 PM, Jakub Hrozek jhro...@redhat.com wrote:
>
> >>
> >> If I set it
> >> "full_name_format = %1$s"
> >
> > Yes, This only works with 1.14.0 or newer.
> >>
>
> So, I currently works in the current RedH
On Tue, Aug 09, 2016 at 01:45:27PM +0200, Troels Hansen wrote:
> Think it was a combination of multiple things, without ever really figuring
> out what I have now made it work.
>
> Mainly, I think it had to do with the "full_name_format" parameter, which
> seems to cause problems if being set on
Think it was a combination of multiple things, without ever really figuring out
what I have now made it work.
Mainly, I think it had to do with the "full_name_format" parameter, which seems
to cause problems if being set on the IPA client?
If I set it
"full_name_format = %1$s"
I'm unable to lo
On Tue, Aug 09, 2016 at 12:34:04PM +0200, Troels Hansen wrote:
> Hi, I have an sssd client which is currently causing problems when looking up
> IPA / AD users.
>
> # getent passwd drext...@net.dr.dk
> returns nothing.
>
> # getent passwd ad...@linux.dr.dk
> ad...@linux.dr.dk:*:1:1:ad
Hi, I have an sssd client which is currently causing problems when looking up
IPA / AD users.
# getent passwd drext...@net.dr.dk
returns nothing.
# getent passwd ad...@linux.dr.dk
ad...@linux.dr.dk:*:1:1:admin admin:/home/admin:/bin/bash
works, so it can see the IPA domain.
tried
Hmm, can't get it to work, but right now it looks like I have other
problems..
I'll try to follow up on this if the problem continues when I get the other
problems solved.
>
> Can you clear the caches on the client? The client receives the principals
> from the server the same way as it re
Hi Deepak,
This console is not available for regular or shipped with FreeIPA (AFAIK), it
is only included in the Red Hat Directory Server product. With FreeIPA, you
will need to extend the schema with CLI tools (ldapmodify) as indicated in the
presentation that Martin Basti shared.
Martin
On 08/
Thanks Martin, This helps!
I also like this link
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#extending-the-schema
Would you know how can I access "Directory Server Console" what file I need to
run to open it how its given
On Tue, 2016-08-09 at 10:16 +0200, Jakub Hrozek wrote:
> On Tue, Aug 09, 2016 at 07:12:30AM +, Tony Brian Albers wrote:
> > Hi guys,
> >
> > I'm working on getting ambari from IBM BigInsights working using sudo in
> > FreeIPA, and I've come across the following (there are a few of these):
> >
On Tue, Aug 09, 2016 at 07:12:30AM +, Tony Brian Albers wrote:
> Hi guys,
>
> I'm working on getting ambari from IBM BigInsights working using sudo in
> FreeIPA, and I've come across the following (there are a few of these):
>
> Cmnd_Alias BIGSQL_SERVICE_AGNT=
>
> /var/lib/ambari-agen
On 09.08.2016 10:08, Deepak Dimri wrote:
Hi All,
I want to extend my FreeIPA Directory Scheme - want to add a new
ObjectClass and add few attributes to existing person ObjectClass. I
see lot of places it is mentioned I can do it through 389-console
command but I don't find it in my freeIPA s
On Tue, Aug 09, 2016 at 08:39:15AM +1000, Lachlan Musicman wrote:
> We are seeing SSSD in a failed state at random intervals.
>
> Using the 1.14.0 COPR repo on Centos 7, FreeIPA 4.2
>
> Unfortunately it's not something we want to reproduce and I'd turned the
> debug logs off because of their size
Hi All,
I want to extend my FreeIPA Directory Scheme - want to add a new ObjectClass
and add few attributes to existing person ObjectClass. I see lot of places it
is mentioned I can do it through 389-console command but I don't find it in my
freeIPA server. I am getting ObjectClass not found err
Hi guys,
I'm working on getting ambari from IBM BigInsights working using sudo in
FreeIPA, and I've come across the following (there are a few of these):
Cmnd_Alias BIGSQL_SERVICE_AGNT=
/var/lib/ambari-agent/cache/stacks/BigInsights/*/services/BIGSQL/package/scripts/*
Does anyone know ho