Re: [Freeipa-users] Freeipa and limiting access by group (memberOf)

2017-05-18 Thread Jakub Hrozek
On Thu, May 18, 2017 at 10:37:57AM -0600, Janet Houser wrote: > > > On 5/17/17 9:22 AM, Jakub Hrozek wrote: > > On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote: > > > Hi Folks, > > > > > > Last week I deployed freeipa on a CentOS7 VM.

Re: [Freeipa-users] Freeipa and limiting access by group (memberOf)

2017-05-17 Thread Jakub Hrozek
On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote: > Hi Folks, > > Last week I deployed freeipa on a CentOS7 VM. The installation went very > smoothly using: > > yum install ipa-server > > and > > ipa-server-install > > > My issue is with connecting a CentOS 7 client.

Re: [Freeipa-users] SSSD Cache and Service Tickets

2017-05-15 Thread Jakub Hrozek
First, I'm sorry if this mail is not helpful enough, I'm really just replying to the part I'm familiar with On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote: > Hi, > > I am confronted with a behaviour for which I do not have an explanation. > > I am using NFS4 Kerberos

Re: [Freeipa-users] Users can't login on some systems.

2017-05-05 Thread Jakub Hrozek
On Fri, May 05, 2017 at 11:58:42AM +, Lakshan Jayasekara wrote: > Ipa user authentication failure on centos client. Login using a valid account > and login success for other ipa client servers. It would be great if you can > provide any hint or any modification to overcome the situation.

Re: [Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"

2017-05-03 Thread Jakub Hrozek
On Wed, May 03, 2017 at 09:04:05AM +0100, Brian Candler wrote: > Hi, > > I have FreeIPA set up under CentOS 7. When I use freeipa-client to add an > ubuntu 14.04 client it works fine (*). However when do the same with ubuntu > 16.04, sudo always refuses to run: > > $ sudo -s > [sudo] password

Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-28 Thread Jakub Hrozek
On Fri, Apr 28, 2017 at 07:27:20PM +0200, Tiemen Ruiten wrote: > Hello Alexander, list, > > I did get further by specifying --external=true in the ipa trust-add > command, it works now for *both* the Windows and the Samba domain: > > ipa trust-add office.rdmedia.com --type=ad --admin

Re: [Freeipa-users] Malformed representation of principal - krb5_child.log

2017-04-28 Thread Jakub Hrozek
On Fri, Apr 28, 2017 at 03:28:31PM +, Sullivan, Daniel [CRI] wrote: > Hi, Sumit, > > Thank you for taking the time to respond to me. I tried that; it did not > work. I am using sssd 1.14.0-3.el6. Any other support you (or anybody else) > could provide would be greatly appreciated. Do

Re: [Freeipa-users] How do you have users be given a local group?

2017-04-25 Thread Jakub Hrozek
On Tue, Apr 25, 2017 at 02:43:11PM -0400, g...@greg-gilbert.com wrote: > I saw this question come up way back in the archives, so I thought I'd > ask to see if there's a better way to do it. > > Basically I want users who log into my servers that run the FreeIPA > client to be given the local

Re: [Freeipa-users] ldap.conf

2017-04-12 Thread Jakub Hrozek
On Wed, Apr 12, 2017 at 09:47:06AM +0200, Jakub Hrozek wrote: > You can drop this line as well, it's the default for the AD provider. s/AD/IPA/ -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for m

Re: [Freeipa-users] ldap.conf

2017-04-12 Thread Jakub Hrozek
On Wed, Apr 12, 2017 at 09:30:38AM +0200, Christoph Kaminski wrote: > Hi > > are the files /etc/ldap.conf and /etc/openldap/ldap.conf for ipa client > and/or server systems necessary? What is the function of them? They configure the openldap library. If you have an application (like ldapsearch)

Re: [Freeipa-users] ldap.conf

2017-04-12 Thread Jakub Hrozek
On Wed, Apr 12, 2017 at 09:34:59AM +0200, Christoph Kaminski wrote: > Hi > > is this ok as config for sssd on centos 7 AND 6? > > [domain/hso] > cache_credentials = True > krb5_store_password_if_offline = True > id_provider = ipa > ldap_tls_cacert = /etc/ipa/ca.crt You can drop this line as
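As an added example (not code from this thread or from SSSD itself), the following Python check parses an sssd.conf fragment like the one Christoph posted and reports structural problems, plus the redundancy Jakub pointed out: with `id_provider = ipa`, `ldap_tls_cacert = /etc/ipa/ca.crt` is already the default. The sample config is constructed for the example; the second domain in it and the function names are this example's own.

```python
import configparser

# Constructed sample modelled on the config posted in the thread (not the
# poster's full file); the [sssd] section and the second domain are assumptions
# added so the structural checks have something to report.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = hso, legacy

[domain/hso]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
"""

# Default value of ldap_tls_cacert for the IPA provider, as stated in the thread.
IPA_DEFAULT_CACERT = "/etc/ipa/ca.crt"


def parse_sssd_conf(text):
    """Parse sssd.conf-style INI text, keeping option names exactly as written."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def lint_sssd_conf(text):
    """Return a list of (severity, message) findings for an sssd.conf fragment."""
    conf = parse_sssd_conf(text)
    findings = []

    if not conf.has_section("sssd"):
        findings.append(("error", "missing [sssd] section"))
        declared = []
    else:
        raw = conf.get("sssd", "domains", fallback="")
        declared = [d.strip() for d in raw.split(",") if d.strip()]
        if not declared:
            findings.append(("error", "[sssd] has no 'domains' entry; no domain will be started"))

    # Every domain named in [sssd] needs a matching [domain/<name>] section.
    for dom in declared:
        section = f"domain/{dom}"
        if not conf.has_section(section):
            findings.append(("error", f"domain '{dom}' is listed in [sssd] but [{section}] is missing"))

    for section in conf.sections():
        if not section.startswith("domain/"):
            continue
        dom = section[len("domain/"):]
        if dom not in declared:
            findings.append(("warning", f"[{section}] exists but '{dom}' is not listed in [sssd] domains, so it is inactive"))
        provider = conf.get(section, "id_provider", fallback=None)
        if provider is None:
            findings.append(("error", f"[{section}] has no id_provider"))
            continue
        cacert = conf.get(section, "ldap_tls_cacert", fallback=None)
        if provider == "ipa" and cacert == IPA_DEFAULT_CACERT:
            findings.append(("info", f"[{section}] ldap_tls_cacert = {cacert} is the default for the IPA provider and can be dropped"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_sssd_conf(SAMPLE_CONF):
        print(f"{severity}: {message}")
```

Run against the constructed sample it reports the missing `[domain/legacy]` section as an error and the redundant `ldap_tls_cacert` as informational; a domain section that is present but not listed in `[sssd]` is flagged separately, since SSSD silently ignores it.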

Re: [Freeipa-users] SSH access to only specific hosts using ssh keys

2017-04-12 Thread Jakub Hrozek
On Tue, Apr 11, 2017 at 10:50:34PM -0400, Tym Rehm wrote: > So I want a user "bob" to ssh into server1 as the username of "support" > with support@server1, but not let Bob ssh into support@server2. I have > Bob's ssh public key added to the support user. I can block Bob from > server1 or server2

Re: [Freeipa-users] SSSD setting memcache_timeout on ipa master

2017-04-10 Thread Jakub Hrozek
On Mon, Apr 10, 2017 at 01:07:08PM +0200, Ronald Wimmer wrote: > On 2017-04-10 12:16, Lukas Slebodnik wrote: > > [...] > > sssd_be consumed a lot of CPU and produced a lot of I/O in the sssd cache > > directory. After following > >

Re: [Freeipa-users] SSH access to only specific hosts using ssh keys

2017-04-10 Thread Jakub Hrozek
On Mon, Apr 10, 2017 at 12:04:58AM -0400, Tym Rehm wrote: > Hey all, New user here. > > I have a user "user1" that I want to allow a couple of different users > "userX and userY" to be allowed to ssh into "server1" and "server2", but > not both servers using ssh-keys. > > So as an example. UserX

Re: [Freeipa-users] Fwd: Marking subdomain offline

2017-04-07 Thread Jakub Hrozek
On Thu, Apr 06, 2017 at 02:39:02PM -0400, Chris Dagdigian wrote: > > I see similar things in our environment where IPA is used as "glue" between > AD Forests that have a 1-way trust relationship. We believe that the root > cause has something to do with the 30+ domain controllers the IPA client >

Re: [Freeipa-users] Fwd: Marking subdomain offline

2017-04-06 Thread Jakub Hrozek
On Thu, Apr 06, 2017 at 07:21:01PM +0200, m...@chinewalking.com wrote: > Hi, > > My IPA<->AD trust setup experiences intermittent failures during login > events. The AD subdomain goes in an inactive/offline state and users logging > in are put into a 'delayed authentication' queue. Usually

Re: [Freeipa-users] How long should it take to propagate user role changes?

2017-04-06 Thread Jakub Hrozek
On Thu, Apr 06, 2017 at 09:11:32AM +0200, Martin Bašti wrote: > > > On 06.04.2017 01:57, Greg Gilbert wrote: > > Hey. I'm a bit new to FreeIPA, so apologies if this has already been > > addressed. For reference, I'm running FreeIPA 4.4 server on CentOS 7, > > and FreeIPA client 4.3.1 on Ubuntu

Re: [Freeipa-users] SSSD hangs on IPA master

2017-04-04 Thread Jakub Hrozek
On Tue, Apr 04, 2017 at 09:51:04AM +0200, Ronald Wimmer wrote: > Hi, > > my IPA master has an AD trust (several thousand users). Since the trust has > been set up I am experiencing that I cannot login on the web interface. Even > connecting via SSH does not work or takes extremely long. When I

Re: [Freeipa-users] ipa_add_ad_memberships_get_next errors

2017-04-03 Thread Jakub Hrozek
On Mon, Apr 03, 2017 at 06:32:49PM +0300, Alexander Bokovoy wrote: > On ma, 03 huhti 2017, Orion Poplawski wrote: > > On 04/03/2017 02:10 AM, Alexander Bokovoy wrote: > > > On ma, 03 huhti 2017, Jakub Hrozek wrote: > > > > On Fri, Mar 31, 2017 at 04:07:16P

Re: [Freeipa-users] libsemanage updates fail due to AD user with space

2017-04-03 Thread Jakub Hrozek
On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote: > Hola, > > I've reported this issue before (with a different symptom iirc), but > thought I should mention again, as I have no idea how to competently report > it to selinux. > > With SSSD/IPA in use, in a one way trust to AD,

Re: [Freeipa-users] subdomain errors

2017-04-03 Thread Jakub Hrozek
On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote: > I seem to be having some issues with users/groups that may be leading to > errors in the subdomain status. Can anyone parse this for me? > > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] > (0x0080):

Re: [Freeipa-users] ipa_add_ad_memberships_get_next errors

2017-04-03 Thread Jakub Hrozek
On Fri, Mar 31, 2017 at 04:07:16PM -0600, Orion Poplawski wrote: > I'm seeing messages like this: > > (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] > [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external > group memberships even after all groups have been looked up on the

Re: [Freeipa-users] Trying To Debug AD Trust Quirks

2017-03-29 Thread Jakub Hrozek
On Tue, Mar 28, 2017 at 11:59:27AM -0500, Jason B. Nance wrote: > Hello, > > I'm using AD trusts with FreeIPA 4.4.0 and am having a heck of a time with > strange behavior. Some examples include: > > - Trust user's home directory sporadically getting set to '/' instead of > /home/domain/user >

Re: [Freeipa-users] Trying To Debug AD Trust Quirks

2017-03-29 Thread Jakub Hrozek
On Tue, Mar 28, 2017 at 11:59:27AM -0500, Jason B. Nance wrote: > My other question is if there is a way to pin down a client to > [temporarily] use a specific IPA server using the ipa_server directive in sssd.conf > and specific AD server (even if > it means a firewall rule that only allows

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

2017-03-27 Thread Jakub Hrozek
On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote: > Hi, > > Thanks to dyndns_update=True parameter, SSSD service on client machine > updating host DNS entry in FreeIPA. > Everything is fine on machines which have only one IP address on network > interface. > I have problem with

Re: [Freeipa-users] Data Provider is offline

2017-03-22 Thread Jakub Hrozek
On Wed, Mar 22, 2017 at 05:30:34PM +0100, Michaël Van de Borne wrote: > Hi all, > > So I have 2 Centos7 hosts, with same sssd and nsswitch configs. > One does find the users in IPA, and the other doesn't. > Looks like the Data Provider is offline. > I sent the SIGUSR2 signal to sssd which is

Re: [Freeipa-users] shadow netgroups with wrong domains - sudo problem

2017-03-20 Thread Jakub Hrozek
On Fri, Mar 17, 2017 at 01:52:17PM +, Bob Hinton wrote: > On 17/03/2017 12:48, Lukas Slebodnik wrote: > > On (17/03/17 10:40), Bob Hinton wrote: > >> On 17/03/2017 08:41, Jakub Hrozek wrote: > >>> On Fri, Mar 17, 2017 at 06:50:34AM +, Bob Hinton wrote: >

Re: [Freeipa-users] shadow netgroups with wrong domains - sudo problem

2017-03-17 Thread Jakub Hrozek
On Fri, Mar 17, 2017 at 06:50:34AM +, Bob Hinton wrote: > Morning, > > We have a collection of hosts within prod1.local.lan. However, the > domain section of the shadow netgroups for the hosts is > mgmt.prod.local.lan. This seems to prevent sudo rules working on these > hosts unless they

Re: [Freeipa-users] Slow logins on one ipa client- due to SSS_PAM_ACCT_MGMT

2017-03-17 Thread Jakub Hrozek
On Thu, Mar 16, 2017 at 08:24:42PM +, Kilborn, Jim wrote: > Greetings, > > My first post to the forum. > > We are running centos7 with freeipa. Syncing from AD, with one linux replica. > The ipa clients are getting installed by puppet. All the clients are > performing fine, except one. I am

Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-17 Thread Jakub Hrozek
On Fri, Mar 17, 2017 at 08:35:42AM +1100, Lachlan Musicman wrote: > Which logs do you want from the server? NSS and domain

Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-16 Thread Jakub Hrozek
On Thu, Mar 16, 2017 at 07:56:58PM +1100, Lachlan Musicman wrote: > Yes. What would you like me to do? Current debug levels are at 8 Logs and id output from the server and the client at the same time..

Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-16 Thread Jakub Hrozek
On Thu, Mar 16, 2017 at 11:36:57AM +1100, Lachlan Musicman wrote: > I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure > if better to report to here or sssd mailing list. Also sssd in pagure is > bare and I didn't want to sully the blank slate. ( >

[Freeipa-users] Announcing SSSD 1.15.2

2017-03-15 Thread Jakub Hrozek
nto a new tevent request * CACHE_REQ: Check the caches first * NSS: Don't set SocketUser/SocketGroup as "sssd" in sssd-nss.socket * NSS: Ensure the NSS socket is started before any other services' sockets * NSS: Don't call chown on NSS service's ExecStartPre * Ig

Re: [Freeipa-users] SSSD bug found? FreeIPA vs SSSD

2017-03-09 Thread Jakub Hrozek
On Thu, Mar 09, 2017 at 11:32:35AM +0200, Alexander Bokovoy wrote: > On to, 09 maalis 2017, Jakub Hrozek wrote: > > On Thu, Mar 09, 2017 at 01:37:46PM +1100, Lachlan Musicman wrote: > > > Hola, > > > > > > On CentOS 7.3, using FreeIPA VERSION: 4.4.0, API_VER

Re: [Freeipa-users] SSSD bug found? FreeIPA vs SSSD

2017-03-09 Thread Jakub Hrozek
On Thu, Mar 09, 2017 at 01:37:46PM +1100, Lachlan Musicman wrote: > Hola, > > On CentOS 7.3, using FreeIPA VERSION: 4.4.0, API_VERSION: 2.213 and sssd > (via COPR) 1.15.1, which has a one way trust to an AD domain. unix.name.org > -> name.org > > I've seen some interesting behaviour. > > Being

Re: [Freeipa-users] pam_hbac for aix

2017-03-06 Thread Jakub Hrozek
On Mon, Mar 06, 2017 at 12:36:20PM +0100, Iulian Roman wrote: > On Mon, Mar 6, 2017 at 12:20 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > > > On Mon, Mar 06, 2017 at 10:59:12AM +0100, Iulian Roman wrote: > > > Hello, > > > > > > Does anyone kno

Re: [Freeipa-users] pam_hbac for aix

2017-03-06 Thread Jakub Hrozek
On Mon, Mar 06, 2017 at 10:59:12AM +0100, Iulian Roman wrote: > Hello, > > Does anyone know what is the status with the support for AIX in the > pam_hbac tool ? I've heard from a RH presentation that it is available, > although on the project site it does not seem to be supported yet. > > I

Re: [Freeipa-users] LDAP based autofs map redundancy

2017-03-05 Thread Jakub Hrozek
On Sun, Mar 05, 2017 at 02:59:39PM -0500, William Muriithi wrote: > Jakub, > > >> > >> It does look though like kerberos is not affected as all systems can > >> authenticate fine, so looks like its autofs issue alone > >> > >> This is the error I am noticing on the logs. > >> > >> Mar 2 14:18:29

Re: [Freeipa-users] Can kerberos SSSD provider be used against IPA

2017-03-04 Thread Jakub Hrozek
On Fri, Mar 03, 2017 at 07:10:40PM -0500, William Muriithi wrote: > Hello, > > I just came across this document. > > https://www.susecon.com/doc/2015/sessions/TUT19343.pdf > > If you look at page 8, that diagram imply that kerberos provider can > only be used against active directory back end.

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Jakub Hrozek
On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote: > Hi Jakub, > > On 03/03/17 09:32, Jakub Hrozek wrote: > > On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote: > >> Hi folks, > >> > >> running freeipa client 4.3.2-

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Jakub Hrozek
On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote: > Hi folks, > > running freeipa client 4.3.2-5 and sssd 1.15.0-3 on > Debian Stretch ~~ This is important I guess. Since SSSD 1.15, SSSD allows to socket-activate the services, so it is no longer required to have them

Re: [Freeipa-users] LDAP based autofs map redundancy

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 03:28:38PM -0500, William Muriithi wrote: > Afternoon, > > > I have noticed that even when a network has two IPA for redundancy, > autofs don't seem to be able to take advantage of the remaining IPA > should one of the IPA goes down. > > Is this a known issue with LDAP

Re: [Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 09:50:41PM +0530, deepak dimri wrote: > Hi Jakub, Actually that is what I am doing. I am creating the user with > the same UID in IPA and then if I delete the user locally then I can > authenticate via IPA. Is there any way I can do this without deleting the > user? This is just

Re: [Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 07:09:41PM +0530, deepak dimri wrote: > Hi List, > > I have sudo and normal users accessing linux systems using their private > key without IPA. I have IPA fully functioning and now I want to switch the > users from local file login to IPA. > > Any new user I create in

Re: [Freeipa-users] login/su problem on ubuntu

2017-02-28 Thread Jakub Hrozek
On Tue, Feb 28, 2017 at 06:13:42PM +0100, Karl Forner wrote: > I just registered a new computer running ubuntu to our freeIPA system. > Some users (all I tried except me) are not able to login using lightdm. > > The message on screen is "Permission denied". > On the system the user (joe) is

Re: [Freeipa-users] FreeIPA Read Only Replica

2017-02-28 Thread Jakub Hrozek
On Mon, Feb 27, 2017 at 11:19:15PM +, Andrey Ptashnik wrote: > Team, > > Is it possible to setup read only replica for use in DMZ for example? Not at the moment: https://pagure.io/freeipa/issue/5569

Re: [Freeipa-users] AD Sites and Trusts

2017-02-27 Thread Jakub Hrozek
On Mon, Feb 27, 2017 at 01:50:50PM -0600, Jason B. Nance wrote: > Hello, > > I was wondering if this thread regarding AD trusts and sites is still correct: > > https://www.redhat.com/archives/freeipa-users/2015-December/msg00214.html > > (no way to make use of AD sites) Well, you can configure

Re: [Freeipa-users] ID Mapping

2017-02-26 Thread Jakub Hrozek
On Sun, Feb 26, 2017 at 12:12:23PM -0800, Hanoz Elavia wrote: > Hey guys, > > Is it possible to disable ID mapping for AD users in a FreeIPA AD trust > setup? > > The version report is as follows: > > AD: Windows 2008 R2 > FreeIPA Server: 4.4.0-14 > FreeIPA Client: 4.4.0-14 > SSSD: 1.14.0-43 >

Re: [Freeipa-users] New user group not shown on IPA client

2017-02-24 Thread Jakub Hrozek
On Fri, Feb 24, 2017 at 12:36:03PM +0100, Gerald Zabos wrote: > Hello *, > > i just created a new user group 'it_testusers' (9068) on one of > the IPA servers and added three existing users: > > 'test' (9065) > 'ipajoin' (9061) > 'ldaptest' (9063). > > When I look up the group

Re: [Freeipa-users] IPA and SSSD sudo

2017-02-15 Thread Jakub Hrozek
On Wed, Feb 15, 2017 at 02:44:18PM +0100, Troels Hansen wrote: > The same rule works as expected if defined in the local sudoers file. Then I guess this might be a bug.. > > I think the problem is that secure_path in "Options" from IPA isn't taken > into account. options should be treated

Re: [Freeipa-users] IPA and SSSD sudo

2017-02-15 Thread Jakub Hrozek
On Wed, Feb 15, 2017 at 11:04:47AM +0100, Troels Hansen wrote: > Hi there > > We have a strange problem... > > We're trying to override options in sudo rules from IPA, in this case > secure_path: > > sudo -ll reports: > > RunAsUsers: root > Options: requiretty, lecture=always,

Re: [Freeipa-users] Where in the login process is KRB5CCNAME being set

2017-02-08 Thread Jakub Hrozek
On Wed, Feb 08, 2017 at 09:59:52AM +0100, Kees Bakker wrote: > Hi, > > This is a follow-up on the problem I had with > klist: Invalid UID in persistent keyring name while getting default ccache > (See "How to enable krb5_child log" earlier this month.) > > The situation is that we have local

Re: [Freeipa-users] freeipa hostbased auth "connection closed"

2017-02-05 Thread Jakub Hrozek
On Sun, Feb 05, 2017 at 07:47:43PM +0530, Rakesh Rajasekharan wrote: > Hi, > > I am running a freeipa server version 4.4.0 and have setup hbac rules which > work fine > > However, just on one single host , I am seeing this issue wherein it is not > allowing me ssh access. > When I check my hbac

Re: [Freeipa-users] Can too many group memberships for an AD user cause SSSD or IPA problems?

2017-02-04 Thread Jakub Hrozek
On Fri, Feb 03, 2017 at 09:54:01AM -0500, Chris Dagdigian wrote: > > I've got a case where "id @AD-DOMAIN" hangs forever after partially > resolving and I think it may because they are in way too many AD groups? I don't think id should hang totally (at the very least, there is a NSS timeout that

Re: [Freeipa-users] How to enable krb5_child log

2017-02-03 Thread Jakub Hrozek
On Fri, Feb 03, 2017 at 09:45:34AM +0100, Kees Bakker wrote: > On 02-02-17 17:32, Jakub Hrozek wrote: > > On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote: > >> Hi > >> > >> Sorry, I did search wherever I could but I couldn't find it. > >&

Re: [Freeipa-users] How to enable krb5_child log

2017-02-02 Thread Jakub Hrozek
On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote: > Hi > > Sorry, I did search wherever I could but I couldn't find it. > How do I enable krb5_child debug log? I'm on an Ubuntu > system which by default writes an empty /var/log/krb5_child.log > > Is it a section in

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-02 Thread Jakub Hrozek
On Wed, Feb 01, 2017 at 04:19:39PM -0600, Jason B. Nance wrote: > >> - Users can't login to a Linux box using just "username" > >> (user@ad.domain is > >> used) > > > > In the current version you can use the 'default_domain_suffix' option in > > sssd.conf on the clients. In RHEL-7.4 we

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Jakub Hrozek
On Wed, Feb 01, 2017 at 03:00:55PM -0600, Jason B. Nance wrote: > Hello everyone, > > I'm about to deploy a fresh IPA domain that needs to integrate with Active > Directory. In my lab environment I've setup a trust with AD and the > following items are driving me away from using the trust: >

Re: [Freeipa-users] caching of lookups / performance problem

2017-02-01 Thread Jakub Hrozek
On Wed, Feb 01, 2017 at 02:35:00PM +, Sullivan, Daniel [CRI] wrote: > Jakub, > > Thank you for getting back to me. Yeah, I agree with what you are saying. > The problem that I’m really trying to solve is the how to get them requested > reasonably often part. A good use case for my

Re: [Freeipa-users] caching of lookups / performance problem

2017-02-01 Thread Jakub Hrozek
On Tue, Jan 31, 2017 at 08:05:18PM +, Sullivan, Daniel [CRI] wrote: > Hi, > > I figured out what was going on with this issue. Basically cache timeouts > were causing a large number of uid numbers in an arbitrarily-timed directory > listing to have expired cache records, which causes those

Re: [Freeipa-users] sudo sometimes doesn't work

2017-01-30 Thread Jakub Hrozek
On Fri, Jan 27, 2017 at 02:15:16PM -0700, Orion Poplawski wrote: > EL7.3 > Users are in active directory via AD trust with IPA server > > sudo is configured via files - users in our default "nwra" group can run > certain sudo commands, e.g.: > > Cmnd_Alias WAKEUP = /sbin/ether-wake * >

Re: [Freeipa-users] sssd doesn't cache, as it seems

2017-01-21 Thread Jakub Hrozek
> On 21 Jan 2017, at 06:46, Harald Dunkel wrote: > > On 01/20/17 18:42, Simo Sorce wrote: >> >> Is your server being used for authentication ? >> SSSD, by default, always refreshes user credentials on authentication, >> but you can use the cached_auth_timeout setting

Re: [Freeipa-users] ipa_server and ipa_backup_server failover time

2017-01-09 Thread Jakub Hrozek
(please keep CC-ing the list..) On Mon, Jan 09, 2017 at 04:39:04PM +0800, Matrix wrote: > Sorry, i did not trigger authentication at all. Just to check sssd logs. > around 15 minutes later, I saw below messages shown: > > (Mon Jan 9 01:46:35 2017) [sssd[be[fwmrm.net]]] [fo_set_port_status] >

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-09 Thread Jakub Hrozek
ats the offset limit its actually looking for. Sorry, I'm a bit out of my depth here, the only other suggestion I have is to try kinit with KRB5_TRACE=/dev/stderr when that happens, which should at least dump which KDC is the client talking to (if you have multiple masters..) > > Thanks,

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-09 Thread Jakub Hrozek
On Mon, Jan 09, 2017 at 01:07:06PM +0530, Rakesh Rajasekharan wrote: > Hi, > > I am using a Freeipa 4.2.0 server. > > I sometimes see, "clock skew too great" errors in /var/log/krb5kdc.log. And > when this happens, usually logins or new ipa-client-install fails. > > When I checked on one of the

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-09 Thread Jakub Hrozek
On Fri, Jan 06, 2017 at 11:48:07AM -0500, Andy Brittingham wrote: > Sorry for the delay, was doing some troubleshooting. > > Here is what I know now: > > The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu > 14.04). > > SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-06 Thread Jakub Hrozek
On Fri, Jan 06, 2017 at 09:01:12AM -0500, Andy Brittingham wrote: > Hi, > > I upgraded my Freeipa servers to 4.4.0-14 on CentOS 7 yesterday. None of my > Ubuntu clients with versions < 16.04 (sssd version 1.13.4) can authenticate > against the upgraded servers. It appears the problem is the

Re: [Freeipa-users] FreeIPA sudo not working on ubuntu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-05 Thread Jakub Hrozek
On Thu, Jan 05, 2017 at 01:36:56PM +, James Harrison wrote: > Hi all, I'm having problems with a FreeIPA client running Ubuntu Xenial. > I can authenticate OK, I get a kerberos ticket, but cannot run sudo. > I get 1 rule returned, which I expect. > Many thanks, James Harrison I would check if

Re: [Freeipa-users] Unable to resolve AD users from IPA clients

2017-01-03 Thread Jakub Hrozek
On Tue, Jan 03, 2017 at 03:39:19PM +0100, Jan Karásek wrote: > Hi, > > I have trouble with resolving AD users from my IPA clients. > > Environment: 2x IPA server with trust into AD - both IPA servers and clients > running latest rhel 7.3. > > IPA domain: vs.example.com > AD domain:

Re: [Freeipa-users] Any good CLI methods for testing connectivity from IPA replica to remote AD servers?

2017-01-02 Thread Jakub Hrozek
On Wed, Dec 28, 2016 at 08:52:41AM -0500, Chris Dagdigian wrote: > > Hi folks, > > I may have network blocks between one of my IPA replicas and the *many* > remote AD servers that need to be queried but I can only see evidence of > this in the authentication failures and the debug level logging.

Re: [Freeipa-users] Unable to sudo with just one user on only a few servers

2017-01-02 Thread Jakub Hrozek
On Sat, Dec 31, 2016 at 07:43:20AM +, pgb205 wrote: > I have followed troubleshooting procedure outlined here: Troubleshooting - > FreeIPA > > Additionally I

Re: [Freeipa-users] replica running trust-agents can't resolve AD users - which of these sssd errors should I be focusing on?

2016-12-23 Thread Jakub Hrozek
On Thu, Dec 22, 2016 at 11:34:01PM +0200, Alexander Bokovoy wrote: > On to, 22 joulu 2016, Chris Dagdigian wrote: > > Hi folks, > > > > Summary: Replica w/ Trust agents can't resolve AD users. Not sure which > > debug_level=log error I should focus on. Would appreciate extra eyeballs > > on this

Re: [Freeipa-users] Upgrade to 4.4.0 Breaks login.

2016-12-23 Thread Jakub Hrozek
On Thu, Dec 22, 2016 at 08:38:38PM -0500, Dan Kemp wrote: > Hello, > > I recently ran an upgrade of my freeipa servers, and most of the clients to > 4.4.0 (Current with CentOS 7 repos) from version 4.2.0. After the install > and server update, I can no longer log in to update clients via ssh.

Re: [Freeipa-users] Sudo rule implementation

2016-12-20 Thread Jakub Hrozek
On Tue, Dec 20, 2016 at 01:19:15PM +0300, Ben .T.George wrote: > Hi List, > > please help me to implement sudo rules. > > I have done the below steps and it is still not working for me. > > 1. created "Sudo Command Groups" > 2. Added some command (/bin/yum) and included in sudo group > 3. created "sudo

Re: [Freeipa-users] How to implement sudo rules

2016-12-18 Thread Jakub Hrozek
I hope this helps pinpoint the issue: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO > On 18 Dec 2016, at 10:04, Ben .T.George wrote: > > Hi List, > > please help me to implement sudo rules. > > i

Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-07 Thread Jakub Hrozek
On Wed, Dec 07, 2016 at 06:19:06PM +, James Harrison wrote: > Hi all, > > I am trying to authenticate an ubuntu Precise (12.06) fully patched system. > Its enrolled into a FreeIPA server. The following trace is the output of > syslog auth sssd/*.log and full debug (-ddd) from the sshd

Re: [Freeipa-users] mount lookup failure getautomntent_r

2016-11-28 Thread Jakub Hrozek
On Sun, Nov 27, 2016 at 05:34:20PM -0500, William Muriithi wrote: > Jakub, > > Thanks for response > On 27 November 2016 at 15:43, Jakub Hrozek <jhro...@redhat.com> wrote: > > > >> > >> I have noticed an error that pop up as the final line after r

Re: [Freeipa-users] mount lookup failure getautomntent_r

2016-11-27 Thread Jakub Hrozek
> On 27 Nov 2016, at 18:31, William Muriithi wrote: > > Hello, > > I have noticed an error that pops up as the final line after running > this command "automount -m". I suspect its related to selinux, but haven't seen how > to fix it from the google search this

Re: [Freeipa-users] AD Trust users not resolving on clients: ipa_get_*_acct request failed

2016-11-23 Thread Jakub Hrozek
On Wed, Nov 23, 2016 at 05:58:58PM +1100, Robert Sturrock wrote: > Hi All. > > I’m having a problem getting trust users to resolve on *any* IPA client (this > _was_ working well and I’m not sure what’s changed that may have caused it to > start failing - although we have recently updated to IPA

Re: [Freeipa-users] Is there an simple way to add in sudo time window options in FreeIPA?

2016-11-20 Thread Jakub Hrozek
> On 18 Nov 2016, at 19:12, Robert Kleinberg wrote: > > Would like to establish valid sudo usage windows with sudonotbefore and > sudonotafter options. However, I did not see an easy way to set this up > other than via an sudo options text entry line. Is there

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Jakub Hrozek
On Wed, Nov 16, 2016 at 09:56:59AM -0700, Sean Hogan wrote: > [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local > kinit: Program lacks support for encryption type while getting initial > credentials OK, now there's at least the same error from kinit as sssd is generating. Can

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Jakub Hrozek
On Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote: > > > Hello, > > >I am starting to see some issues with a few RHEL7 boxes I have been > enrolling to my RHEL 6 IPA server regarding encryption. > > > RHEL 7 client > Red Hat Enterprise Linux Server release 7.1 (Maipo) >
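An added diagnostic for the kinit error in this thread (example code, not from the thread or from FreeIPA). `klist -kte /etc/krb5.keytab` lists every key in the keytab with its encryption type, and "Program lacks support for encryption type" means the client's Kerberos library cannot use any of the key types the keytab offers for the principal it is trying. The parser below reads such a listing and reports which keys the client could actually use. The listing is a constructed sample in the shape of `klist -kte` output: the host principal and realm follow the thread, but the key types in it and the client's permitted enctype list are assumptions chosen to reproduce the failure.

```python
import re

# Constructed sample in the shape of `klist -kte /etc/krb5.keytab` output.
# Principal and realm follow the thread; the key types are an assumption
# chosen to reproduce the failure, not the poster's real keytab.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/15/2016 19:00:00 host/server1.ipa.local@IPA.LOCAL (des-cbc-crc)
   2 11/15/2016 19:00:00 host/server1.ipa.local@IPA.LOCAL (des-cbc-md5)
   2 11/15/2016 19:00:00 nfs/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
"""

# Assumed client policy: the enctypes this client's krb5 library will use.
# A modern default excludes single DES entirely.
PERMITTED_ENCTYPES = {
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
}

# Broken enctypes that must be treated as unusable whatever the policy says.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# KVNO, timestamp (date and time), principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from klist -kte output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def usable_keys(text, principal, permitted=PERMITTED_ENCTYPES):
    """Keys for `principal` whose enctype the client permits, weak types excluded."""
    return [
        (kvno, enc)
        for kvno, princ, enc in parse_klist(text)
        if princ == principal and enc in permitted and enc not in WEAK_ENCTYPES
    ]


def diagnose(text, principal, permitted=PERMITTED_ENCTYPES):
    """Explain why `kinit -kt` might fail for `principal` given this keytab."""
    entries = [(k, e) for k, p, e in parse_klist(text) if p == principal]
    if not entries:
        return f"no keys for {principal} in keytab; check the principal name or re-enrol the host"
    usable = usable_keys(text, principal, permitted)
    if not usable:
        offered = sorted({e for _, e in entries})
        return (f"keytab only offers {offered} for {principal}; none is permitted, "
                "so expect 'Program lacks support for encryption type'")
    return f"usable keys for {principal}: {sorted(usable)}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST, "host/server1.ipa.local@IPA.LOCAL"))
    print(diagnose(SAMPLE_KLIST, "nfs/server1.ipa.local@IPA.LOCAL"))
```

When the diagnosis is "none is permitted", the fix is on the key material rather than the client: a keytab holding only enctypes the client refuses has to be replaced with one the KDC and client both support, not worked around by re-enabling weak crypto on the client.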

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-11-07 Thread Jakub Hrozek
and can't see > any patched being added since end September, and in particular a patch for > RHBZ# 1371152 in the SSSD 1.14 release ? I'm not completely sure which release notes are you referring to, but this bug was fixed in sssd-1.14.0-32.el7. It's also listed in the changelog: * Fri Se

Re: [Freeipa-users] Remove AD domain in auth commands

2016-11-04 Thread Jakub Hrozek
On Fri, Nov 04, 2016 at 11:04:28AM +, James Harrison wrote: > Hello, > I've installed FreeIPA 4.2 master using Centos and I have a Windows 2012R2 > with its AD schema emulating a Windows 2012 system > I have established a trust between the two and it appears to work. I can > reference a user

Re: [Freeipa-users] Service discovery and selection for IPA

2016-11-02 Thread Jakub Hrozek
On Tue, Nov 01, 2016 at 06:44:46PM -0400, Jake wrote: > Hey All, > Quick question on IPA Service discovery and selection (ldap/kerberos in ad > trust). > > Do IPA clients ping results of SRV records to determine which server they > send requests (for ldap/kerberos specifically)? > > I have 8

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-24 Thread Jakub Hrozek
On Mon, Oct 24, 2016 at 11:29:06AM -0400, William Muriithi wrote:
> Morning Jakub,
>
> >> However, I would like to tune this configuration to drop the domain
> >> component of the user and group names. I tried to do this by adding
> >> these settings to the [sssd] section in sssd.conf on the

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-21 Thread Jakub Hrozek
On Fri, Oct 21, 2016 at 04:07:16PM +1100, Robert Sturrock wrote:
>
> > On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> > […]
> > > However, when I try logging in as a student domain user
> > > (student.example.au),
> > > I don't see any of the groups (there should be 8):
> >

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Jakub Hrozek
On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> Hello,
>
> We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
> our University organisational AD. The AD forest contains *two*
> domains:
>
> EXAMPLE.AU (staff users)
> STUDENT.EXAMPLE.AU (student

Re: [Freeipa-users] Unable to resolve AD users from IPA client

2016-10-17 Thread Jakub Hrozek
On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote:
> Hi,
> please can you help me with troubleshooting IPA clients in IPA - AD trust
> scenario ? We have two IPA servers and couple of clients running on RHEl 6
> and 7. IPA is running on RHEL 7.2.
> AD servers are in domains

Re: [Freeipa-users] diskless workstations in an IPA domain

2016-10-14 Thread Jakub Hrozek
On Fri, Oct 14, 2016 at 09:44:11AM +0200, Sumit Bose wrote:
> On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote:
> > Thank you for this information. Yes, /tmp is writable.
> >
> > My problem is : access are sometimes definitively refused for random
> > user
> > who

Re: [Freeipa-users] diskless workstations in an IPA domain

2016-10-14 Thread Jakub Hrozek
On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote:
> Thank you for this information. Yes, /tmp is writable.
>
> My problem is : access are sometimes definitively refused for random
> user
> who wants to log in diskless workstations.
> But if this banned user

Re: [Freeipa-users] diskless workstations in an IPA domain

2016-10-13 Thread Jakub Hrozek
On Thu, Oct 13, 2016 at 05:45:32PM +0200, Jacquelin Charbonnel wrote:
> Hi everybody,
>
> What is the best practice to enroll diskless Fedora24 workstations
> (under
> stateless Linux) into a IPA domain ?
> Each diskless workstation mounts its filesystem in RO mode from a single
>

Re: [Freeipa-users] sssd 1.14.1, HBAC still not working?

2016-10-11 Thread Jakub Hrozek
On Tue, Oct 11, 2016 at 03:28:55PM +1100, Lachlan Musicman wrote:
> After further testing, I've discovered that the dev system wasn't working
> as well as I thought it was: HBAC and sshd don't seem to be playing well
> together on one server, but fine on the other?
>
> ie, I can run the same

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-30 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 10:03:08PM -0400, beeth beeth wrote:
> Thanks Florence and Rob! The replica worked after adding the certs during
> the replica preparation.
>
> Now I got several IPA clients installed with user authentication(ssh login
> with the users in IPA) working after some work.

Re: [Freeipa-users] HBAC rules stop working

2016-09-30 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 07:51:14PM -0600, Orion Poplawski wrote:
> server:
> ipa-server-4.2.0-15.sl7_2.19.x86_64
> sssd-1.13.0-40.el7_2.12.x86_64
>
> client:
> sssd-1.14.1-3.el7.centos.x86_64
>
> AD trust - users are in AD. HBAC rule in place for client to allow a user
> to login/ssh/su/etc.
>

Re: [Freeipa-users] external groups and /etc/group

2016-09-30 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 08:01:59PM -0400, Rusty Shackleford wrote:
> On Thu, Sep 29, 2016 at 4:47 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> >
> > I think you are looking for:
> > https://sourceware.org/glibc/wiki/Proposals/GroupMerging
> >

Re: [Freeipa-users] external groups and /etc/group

2016-09-29 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 04:35:58PM -0400, Rusty Shackleford wrote:
> If I create an external group in freeIPA and add a user to that group, does
> that mean if that group exists on a host in /etc/group that the user will
> be a member of that group on that host? I've been trying to achieve that
>

Re: [Freeipa-users] Sudo Rule not working

2016-09-29 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 08:22:03AM +, Deepak Dimri wrote:
> Hi All,
>
> I have added sudo rule having allowed command for sudo su for a test user.
> When i login with this test user to my IPA client (ubuntu). I am getting a
> message that "the user is not in the sudoers file. This

Re: [Freeipa-users] AD users can't login to IPA client

2016-09-21 Thread Jakub Hrozek
On Wed, Sep 21, 2016 at 05:43:29PM +0500, Alexander K wrote:
> Hello,
>
> I'm having troubles with AD users authentication on IPA client.
> I have 3 VMs in my test environment:
> win-dc.windc.local 10.1.97.122 - AD DC server 2012R2
> fedora-dc.demo.loc 10.1.97.120 - fedora 24 + FreeIPA
>

Re: [Freeipa-users] login auth fails then success

2016-09-20 Thread Jakub Hrozek
On Tue, Sep 20, 2016 at 02:03:38PM +, Larry Rosen wrote:
> Thanks, that explains a lot (I didn't catch the difference in auth services).
> Would this be mitigated by putting sss in front of files in nsswitch.conf?
>
> /etc/nsswitch.conf:
> passwd: files sss
> shadow: files sss
>
