Re: [Freeipa-users] Using local sudoers file

2013-10-29 Thread Jakub Hrozek
On Mon, Oct 28, 2013 at 11:23:05AM -0500, cbul...@gmail.com wrote: > I would like to continue using the sudoers file for a while before migrating it > to freeipa. > I changed nsswitch.conf to use sudo just from file but when I try some > command that needs sudo privileges I get the error: > > sudo:

Re: [Freeipa-users] Authenticating sudo with ipa on Centos

2013-10-21 Thread Jakub Hrozek
On Mon, Oct 21, 2013 at 01:34:17PM -0400, Rob Crittenden wrote: > Andrew Holway wrote: > >>It is a bit strange that your ipa_domain and ipa_hostname are the same. I > >>think the domain should be just local. > >> > >>I'd run klist -kt /etc/krb5.keytab to see what principals are in there. > > > >ipa

Re: [Freeipa-users] access denied ssh

2013-09-29 Thread Jakub Hrozek
On Tue, Sep 24, 2013 at 09:38:49PM +0400, Михаил А wrote: > ok, all sssd logs > > > 2013/9/24 Jakub Hrozek > > > On Tue, Sep 24, 2013 at 03:00:22PM +0400, Михаил А wrote: > > > [sssd] > > > services = nss, pam, ssh > > > config_file

Re: [Freeipa-users] Connect OpenDirectory to FreeIPA

2013-09-29 Thread Jakub Hrozek
On Fri, Sep 27, 2013 at 07:56:24PM -0400, bwellsnc wrote: > I have a project that requires that I try to connect Apple OpenDirectory to > FreeIPA. We have several macs on site and it would be easier to control > access to these using OpenDirectory vs FreeIPA. I want to use FreeIPA for > all othe

Re: [Freeipa-users] zeroconf/bonjour & FreeIPA

2013-09-25 Thread Jakub Hrozek
On Wed, Sep 25, 2013 at 09:07:17AM +0200, Christian Horn wrote: > On Wed, Sep 25, 2013 at 08:52:53AM +0200, Petr Spacek wrote: > > On 25.9.2013 08:20, Christian Horn wrote: > > > > > >Hm.. another nice idea would be to announce services via > > >zeroconf/bonjour. I guess effectively it's the same a

Re: [Freeipa-users] access denied ssh

2013-09-24 Thread Jakub Hrozek
On Tue, Sep 24, 2013 at 03:00:22PM +0400, Михаил А wrote: > [sssd] > services = nss, pam, ssh > config_file_version = 2 > debug_level = 5 > domains = ipa.sys.local Please put the debug_level directive in the [domain] section and then attach /var/log/sssd/sssd_$domain.log _

Re: [Freeipa-users] Odd "dereference processing failed : Input/output error"

2013-09-23 Thread Jakub Hrozek
On Mon, Sep 23, 2013 at 10:19:13AM +1000, craig.free...@noboost.org wrote: > Hi, > > Spec: > Fedora release 19 > * freeipa-client-3.3.0-2.fc19.x86_64 > * sssd-ipa-1.11.0-0.2.beta2.fc19.x86_64 > > I've got a PC that keeps crashing The symptoms below don't indicate a crash, do you actually see a

Re: [Freeipa-users] Incorrect user information

2013-09-16 Thread Jakub Hrozek
On Sat, Sep 14, 2013 at 01:11:36PM -0400, Brian Lindblom wrote: > Of course, I would imagine that since the GECOS field is set upon account > creation based on the values provided for first and last name, and since > GECOS is not a provided field in the UI for user attributes, that GECOS > should b

Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-13 Thread Jakub Hrozek
On Thu, Sep 12, 2013 at 04:18:49PM +0300, Thomas Raehalme wrote: > Hi! > > On Thu, Sep 12, 2013 at 4:06 PM, Martin Kosek wrote: > > I was just referring to the fact that when a system or application uses LDAP > > as an > > identity and authentication source, it often uses a simple LDAP Bind operation

Re: [Freeipa-users] Using subdomains (or dots) in hostnames

2013-09-13 Thread Jakub Hrozek
On Thu, Sep 12, 2013 at 02:54:10PM +0300, Thomas Raehalme wrote: > Hi! > > >> Let's say we're using domain example.com. Adding clients a.example.com > >> and b.example.com was smooth. Adding client a.sub1.example.com also > >> had no problems until I tried to get sudoers from the IPA server > >> (

Re: [Freeipa-users] Date of last access attribute

2013-09-13 Thread Jakub Hrozek
On Fri, Sep 13, 2013 at 07:47:46AM -0600, Rich Megginson wrote: > On 09/13/2013 03:16 AM, Marina Moreda wrote: > >Hi all, > > > >I need to add in my LDAP an attribute to save the date of last > >access to the mail account, or something similar, to know when a user > >has stopped using his mail account

Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-13 Thread Jakub Hrozek
On Thu, Sep 12, 2013 at 03:54:59PM +0300, Thomas Raehalme wrote: > Hi! > > On Thu, Sep 12, 2013 at 3:28 PM, Martin Kosek wrote: > > > When using FreeIPA LDAP as identity source, you could ideally use > > Kerberos/GSSAPI authentication. But if that is not available, you can use > > simple LDAP bi

Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2013-09-12 Thread Jakub Hrozek
On Thu, Sep 12, 2013 at 02:28:45PM +0200, Martin Kosek wrote: > # ldapadd -h `hostname` -D "cn=Directory Manager" -x -w kokos123 ^^ 0wn3d :-)

Re: [Freeipa-users] Clients locked screens freeze or crash problem

2013-09-11 Thread Jakub Hrozek
On Wed, Sep 11, 2013 at 08:11:24AM +, Johan Petersson wrote: > Hi, > > I have an IPA test network based on Red Hat 6.4 Servers and Clients where home > directories are shared through NFS4 with krb5p. > Autofs is handled by SSSD and everything works great except when the user does > not logout a

Re: [Freeipa-users] IPA AD Trust issue

2013-09-11 Thread Jakub Hrozek
> >1) IPA Client Login issue. > >In an IPA client, if a Windows AD user wants to login, they need to type the full name > >such as 'userA@win_ad.com'. How do I let Windows AD users logon only with > >their username? That means only use 'userA' to logon to the IPA Client PC rather > >than 'userA@win_ad.com' ? > Not su

Re: [Freeipa-users] Incorrect user information

2013-09-10 Thread Jakub Hrozek
On Wed, Sep 04, 2013 at 11:14:50AM -0500, cbul...@gmail.com wrote: > Hi Jakub, > > > Thanks for your time and tips about sssd cache! > I'm sorry about the late response, I didn't flag your response when it came back.. > I did the test and let me explain what I got: > > - After step 4 I can se

Re: [Freeipa-users] freeipa and sudo

2013-09-09 Thread Jakub Hrozek
On Mon, Sep 09, 2013 at 11:35:52AM +0200, Pavel Březina wrote: > >This problem exists with the latest updates on both Fedora 18 and Fedora 19. > > > >I also discovered that libsss_sudo.so is missing from Fedora 18 > >installations. > > It needs to be installed separately by installing libsss_sudo

Re: [Freeipa-users] freeipa and sudo

2013-09-08 Thread Jakub Hrozek
On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote: > On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote: > > > On 09/07/2013 02:11 PM, Christian Horn wrote: > > > On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote: > > >> Are [1] and [2] still the current and best sources of inf

Re: [Freeipa-users] Incorrect user information

2013-09-04 Thread Jakub Hrozek
On Wed, Sep 04, 2013 at 05:31:34PM +0200, Jakub Hrozek wrote: > On Wed, Sep 04, 2013 at 10:18:13AM -0500, cbul...@gmail.com wrote: > > Hi Chris, > > > > Thanks for your reply! I forgot to mention that we tried sss_cache > > (sss_cache -u user_id and sss_cache -U)

Re: [Freeipa-users] Incorrect user information

2013-09-04 Thread Jakub Hrozek
On Wed, Sep 04, 2013 at 09:40:29AM -0500, cbul...@gmail.com wrote: > Hi, > > We have a freeipa server (RedHat 6.3, freeipa:3.0.0-26) and freeipa > client (RedHat 5.9, freeipa client 2.1.3.-5) working in our testing > scenario without further problems. We are able to use SUDO, HBAC etc. > Our

Re: [Freeipa-users] Incorrect user information

2013-09-04 Thread Jakub Hrozek
On Wed, Sep 04, 2013 at 10:18:13AM -0500, cbul...@gmail.com wrote: > Hi Chris, > > Thanks for your reply! I forgot to mention that we tried sss_cache > (sss_cache -u user_id and sss_cache -U) in other RH6 ipa client and it > did not work... If we delete manually all /var/lib/sss/db we can see t

Re: [Freeipa-users] Incorrect user information

2013-09-04 Thread Jakub Hrozek
On Wed, Sep 04, 2013 at 10:47:49AM -0400, Chris Hudson wrote: > You may want to check out the sss_cache package in the sssd-tools package. It > looks to be in the base channel for RHEL5 Server and optional channel for > RHEL6 Server. This tool will allow you to invalidate/manipulate the sssd > c

Re: [Freeipa-users] [Freeipa-devel] [SSSD] FreeIPA on Debian

2013-09-02 Thread Jakub Hrozek
On Sun, Sep 01, 2013 at 09:20:30PM +0300, Timo Aaltonen wrote: > > 3) Someone needs to own packages in Debian and maintain them, someone > > with good knowledge of the distro and time to take ownership of about 50 > > packages. > > I'm doing this on my spare time, which has meant obvious delays in

Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-30 Thread Jakub Hrozek
On Fri, Aug 30, 2013 at 03:54:54PM +0200, Michał Dwużnik wrote: > Ok, I somehow assumed certs are very much needed for ldaps... > Well, for most operations the SSSD uses GSSAPI authentication. Only when passwords are migrated, we do an LDAP bind with StartTLS. > In the meantime, I set up a debia

Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-30 Thread Jakub Hrozek
On Thu, Aug 29, 2013 at 10:04:43PM -0400, Rob Crittenden wrote: > Michał Dwużnik wrote: > >Sorry for quick continuation... > > > >Certificate added to nss DB in /etc/pki > >certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt > > > >sssd configured according to > >http://docs.fedoraproje

Re: [Freeipa-users] Using subdomains (or dots) in hostnames

2013-08-29 Thread Jakub Hrozek
On Mon, Aug 19, 2013 at 04:05:40PM +0300, Thomas Raehalme wrote: > Hi! > > We are in the process of deploying FreeIPA in our virtual environment. > So far things are working smoothly and I am really impressed by the > solution! > > One question has arisen as we have added our first clients to the

Re: [Freeipa-users] AD user log in

2013-08-07 Thread Jakub Hrozek
On Wed, Aug 07, 2013 at 06:46:48PM +, Armstrong, Kenneth Lawrence wrote: > I have a test environment set up where we have a trust between the IdM domain > and the AD domain. When we go to log into an IdM client with an AD user, we > have to use the format of: > > ADDOMAIN\\usern...@idm.clie

Re: [Freeipa-users] IPA clients doesn't see all user's group

2013-07-31 Thread Jakub Hrozek
On Wed, Jul 31, 2013 at 03:55:06PM +0300, Vitaly wrote: > Jakub, many thanks and I'm really sorry for such stupid questions! > yes, you're right, group3 didn't have a posix GID :-) > > Vitaly No problem, I'm glad the issue got sorted out :-) I think that recent versions of the SSSD print a more user

Re: [Freeipa-users] IPA clients doesn't see all user's group

2013-07-31 Thread Jakub Hrozek
On Wed, Jul 31, 2013 at 03:27:41PM +0300, Vitaly wrote: > Jakub, many thanks! > > >Interesting, can you run ipa user-show --all --raw myuser and check if > >all three groups are visible as values of the "memberof" attribute? I > >suspect they will.. > Yes, all 3 groups are visible > > >If they do

Re: [Freeipa-users] IPA clients doesn't see all user's group

2013-07-31 Thread Jakub Hrozek
On Wed, Jul 31, 2013 at 02:29:13PM +0300, Vitaly wrote: > >What exact SSSD version is this? > 1.5.1-58.el5 and 1.5.1-66.el6_2.3 The .el5 version looks OK to me, but you should really upgrade from 6.2.. > > >Was user added to group3 recently so that the cache might have stale records? > Originall

Re: [Freeipa-users] IPA clients doesn't see all user's group

2013-07-31 Thread Jakub Hrozek
On Wed, Jul 31, 2013 at 02:04:27PM +0300, Vitaly wrote: > I have IPA2 on RHEL6 server and RHEL/CENTOS 5/6 clients. > For some users Linux doesn't see all groups. For example: > > #ipa user-show myuser > ... > Member of groups: group1,group2,group3 > > #id myuser > uid=1815600038(myuser) gid

Re: [Freeipa-users] sudo rules user and host group bugs?

2013-07-17 Thread Jakub Hrozek
On Wed, Jul 17, 2013 at 04:39:32PM +, Tovey, Mark wrote: > > Okay, I get it (pardon my obtuseness). > > host1-> getent netgroup hgroup1 > hgroup1 (host1.my_domain.com, -, my_domain.com) > > So netgroups are working. The host group is defined in IPA and gete

Re: [Freeipa-users] sudo rules user and host group bugs?

2013-07-17 Thread Jakub Hrozek
etgroup data? > Thanks, > -Mark > > > > Mark Tovey - UNIX Engineer | Service Strategy & Design > UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA > mto...@go2uti.com | O / C +1 503 95

Re: [Freeipa-users] sudo rules user and host group bugs?

2013-07-17 Thread Jakub Hrozek
On Tue, Jul 16, 2013 at 09:13:00PM +, Tovey, Mark wrote: > > > We are using sssd. The sssd.conf file is mostly unchanged from how it was > installed by the ipa-client-install script: Hi Mark, you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-10 Thread Jakub Hrozek
On Tue, Jul 09, 2013 at 06:43:55PM -0400, Dmitri Pal wrote: > On 07/09/2013 06:01 PM, KodaK wrote: > > > > > > On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal > > wrote: > > > > On 07/09/2013 03:57 PM, KodaK wrote: > >> > >> > >> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crit

Re: [Freeipa-users] Virtual Machines??

2013-07-08 Thread Jakub Hrozek
On Mon, Jul 08, 2013 at 03:49:03PM +0200, Schmitt, Christian wrote: > Hello, is there currently a good way to install FreeIPA or IdM in virtual > machines? > Currently we have some Windows Hyper-V Hypervisors since we are planning > to buy some Dell Hardware that can't run Linux yet, the Dell VRT

Re: [Freeipa-users] Configure IPA 3.1.5 client for sudo?

2013-06-25 Thread Jakub Hrozek
On Tue, Jun 25, 2013 at 10:34:36PM +0200, Jakub Hrozek wrote: > On Tue, Jun 25, 2013 at 08:19:11PM +, JR Aquino wrote: > > On Jun 25, 2013, at 2:52 AM, Martin Kosek > > wrote: > > > > > On 06/24/2013 03:36 PM, Rob Crittenden wrote: > > >> Dean Hunt

Re: [Freeipa-users] Configure IPA 3.1.5 client for sudo?

2013-06-25 Thread Jakub Hrozek
On Tue, Jun 25, 2013 at 08:56:55AM -0500, Dean Hunter wrote: > Yay, it works! Once I thumb-finger the configuration files correctly. > > May I request that y'all start alphabetizing entries where sequence is > not important so that it is easier for humans to find a single entry: > > [dean@desktop

Re: [Freeipa-users] Configure IPA 3.1.5 client for sudo?

2013-06-25 Thread Jakub Hrozek
On Tue, Jun 25, 2013 at 08:19:11PM +, JR Aquino wrote: > On Jun 25, 2013, at 2:52 AM, Martin Kosek > wrote: > > > On 06/24/2013 03:36 PM, Rob Crittenden wrote: > >> Dean Hunter wrote: > >>> On Mon, 2013-06-24 at 09:07 +0300, Alexander Bokovoy wrote: > On Sun, 23 Jun 2013, Dean Hunter wr

Re: [Freeipa-users] Auto-Mount Home Directory for Local Users?

2013-06-20 Thread Jakub Hrozek
On Thu, Jun 20, 2013 at 12:36:16PM -0500, Dean Hunter wrote: > On Wed, 2013-06-19 at 14:00 -0400, Rob Crittenden wrote: > > > Jakub Hrozek wrote: > > > On Wed, Jun 19, 2013 at 02:42:55PM +0200, Jakub Hrozek wrote: > > >> On Tue, Jun 18, 2013 at 06:49:05PM -0500,

Re: [Freeipa-users] Auto-Mount Home Directory for Local Users?

2013-06-19 Thread Jakub Hrozek
On Wed, Jun 19, 2013 at 02:42:55PM +0200, Jakub Hrozek wrote: > On Tue, Jun 18, 2013 at 06:49:05PM -0500, Dean Hunter wrote: > > Thank you for your response. As you suggested I > > checked /etc/nsswitch.conf. ipa-client-automount left the line looking > > like: > >

Re: [Freeipa-users] Auto-Mount Home Directory for Local Users?

2013-06-19 Thread Jakub Hrozek
On Tue, Jun 18, 2013 at 06:49:05PM -0500, Dean Hunter wrote: > Thank you for your response. As you suggested I > checked /etc/nsswitch.conf. ipa-client-automount left the line looking > like: > > automount: sss files If it did, then I would consider it to be ipa-client-automount, I think we shoul

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-14 Thread Jakub Hrozek
On Fri, Jun 14, 2013 at 01:36:16PM +0100, James Hogarth wrote: > > Is this in RHEL based systems only ? On Ubuntu there seems to be still > > issues. > > > > A full printout of the config file(s) would be nice to see as most people > > write other things down they have working, but the working ones

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-14 Thread Jakub Hrozek
On Fri, Jun 14, 2013 at 12:12:14PM +0100, James Hogarth wrote: > > Also if you're using service DNS records, you can either leave the URIs > > blank and default to service resolution or explicitly use service > > resolution along with a hardcoded name: > > > > ldap_uri = _srv_, ldap://ldap.example.

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-13 Thread Jakub Hrozek
On Thu, Jun 13, 2013 at 01:26:54AM +0300, Alexander Bokovoy wrote: > On Wed, 12 Jun 2013, Sina Owolabi wrote: > >Thank you for the reply Alex, though I'm a little confused that I am > >answering the correct email. > >I have taken a look at the example sssd.conf you advised, and I'm a little > >curi

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-12 Thread Jakub Hrozek
On Wed, Jun 12, 2013 at 11:22:35AM +0200, Matt . wrote: > Hi, > > The package as you described is installed, the configlines are set as you > show it. > > This is what I see in auth.log, my sssd_sudo does not show a thing: > > Jun 12 11:19:16 server sudo: pam_unix(sudo:auth): authentication fail

Re: [Freeipa-users] why default shell /bin/sh

2013-06-06 Thread Jakub Hrozek
On Thu, Jun 06, 2013 at 10:30:34AM -0400, Rob Crittenden wrote: > Natxo Asenjo wrote: > >hi, > > > >just interested. We have noticed that ldap users have this PS1 envvar: > >PS1='\s-\v\$ ' instead of the usual [\u@\h \W]\$ > > > >This is a confusing moment. Changing the shell to /bin/bash solves th

Re: [Freeipa-users] Limiting Host access by UID/GID

2013-06-06 Thread Jakub Hrozek
On Wed, Jun 05, 2013 at 03:56:25PM -0700, Chandan Kumar wrote: > Sorry for late reply. Thanks for helping out. Yes after deleting the sssd > cache from /var/lib it does not allow user groups outside min/max_id. > Great, I'm glad it works for you now. _

Re: [Freeipa-users] sudo rules user and host group bugs?

2013-06-05 Thread Jakub Hrozek
On Wed, Jun 05, 2013 at 10:20:24AM -0500, KodaK wrote: > I know this has been discussed before, but I didn't see anything with a > cursory search. > > There are bugs when using user and host groups with sudo rules. I have to > split out my users and hosts into individual entries. I'm running ipa

Re: [Freeipa-users] Limiting Host access by UID/GID

2013-06-04 Thread Jakub Hrozek
e = False > min_id=5000 > max_id=5010 > enumerate = False > entry_cache_timeout=3 > > Package Info: > Client; > sssd-client-1.9.2-82.7.el6_4.x86_64 > > Server: > ipa-server-2.2.0-16.el6.x86_64 > > Thanks > Chandan > > On Friday, May 31, 2013, Jakub Hr

Re: [Freeipa-users] SSSD/SSH authentication issues on some hosts

2013-06-03 Thread Jakub Hrozek
On Mon, Jun 03, 2013 at 06:58:35AM +0200, Natxo Asenjo wrote: > On Mon, Jun 3, 2013 at 12:38 AM, Ryan Cunningham > wrote: > > > >> What I see is: > >> > >> fatal: Access denied for user admin by PAM account configuration > >> > >> What about disabling selinux? > > > > > > Whoops, I probably shoul

Re: [Freeipa-users] Limiting Host access by UID/GID

2013-05-31 Thread Jakub Hrozek
On Fri, May 31, 2013 at 09:26:40AM -0400, Simo Sorce wrote: > On Fri, 2013-05-31 at 11:55 +0200, Jakub Hrozek wrote: > > On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote: > > > On 05/30/2013 06:52 PM, Chandan Kumar wrote: > > > > Hello, > > > >

Re: [Freeipa-users] Limiting Host access by UID/GID

2013-05-31 Thread Jakub Hrozek
On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote: > On 05/30/2013 06:52 PM, Chandan Kumar wrote: > > Hello, > > > > As part of migration from passwd/shadow to IPA, I want to roll out > > IPA/SSSD based password first for a small number of users and then for > > all. (same goes with host.

Re: [Freeipa-users] sssd - sudo issues

2013-05-21 Thread Jakub Hrozek
On Tue, May 21, 2013 at 11:34:21AM -0400, Duncan R. Green wrote: > Well, I figured it out... > > "bindpwd" > > D'oh! 3 days troubleshooting a typo :P > We're glad your setup works now! ___ Freeipa-users mailing list Freeipa-users@redhat.com https://w

Re: [Freeipa-users] sssd - sudo issues

2013-05-20 Thread Jakub Hrozek
On Mon, May 20, 2013 at 03:58:11PM -0400, Dmitri Pal wrote: > On 05/20/2013 12:33 PM, Duncan R. Green wrote: > > I ask upon thee, oh great ipa gurus... > > > > I've got ipa set up with sudo, and have it successfully working on > > several hosts. > > > > On one particular host, though, I'm having is

Re: [Freeipa-users] Ubuntu 13.04 logging in to freeipa

2013-05-16 Thread Jakub Hrozek
On Wed, May 15, 2013 at 12:43:02PM -0400, Willie Slepecki wrote: > I have been debugging for a few days trying to figure out why my 13.04 > upgraded machine will not log in to my freeipa server. The only thing I > find odd is that since I updated I began getting these in my sssd.log file > > (Tue May 1

Re: [Freeipa-users] Automount issues

2013-05-15 Thread Jakub Hrozek
On Wed, May 15, 2013 at 06:37:03AM -0400, Joseph, Matthew (EXP) wrote: > Anyone have any suggestions or run into this problem? > I just don't see where my configuration is wrong. I removed the /& at the end > of the mount and it mounts all of the directories but it's still mounting > them as /hom

[Freeipa-users] Active Directory Integration test day invitation

2013-05-06 Thread Jakub Hrozek
The realmd and SSSD development teams are happy to invite you to a Fedora Test Day that will be held on Thursday, May 9th. We invite you to take part in testing of the new features that will become available in upcoming upstream releases of realmd and SSSD and would be a part of Fedora 19. The fea

Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-06 Thread Jakub Hrozek
On Thu, May 02, 2013 at 01:03:07PM +0200, Axel Berlin wrote: > Nothing comes up in the logs when I do it on the client. > > Got any other tips? > > You shouldn't see anything in the logs. kinit is a simple command-line utility. You should either see an error message printed to stdout or no

Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Jakub Hrozek
On Thu, May 02, 2013 at 11:46:16AM +0200, Axel Berlin wrote: > On the client it doesn't return anything but on the server it returns the following > > kinit: Keytab contains no suitable keys for host/ > seadv-237-100.d1.gameop@d1.gameop.net while getting initial credentials > > But it is on the clie

Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Jakub Hrozek
On Thu, May 02, 2013 at 10:55:40AM +0200, Axel Berlin wrote: > Here is the logs output when I do > > id username > > sssd_d1.gameop.net.log > > (Thu May 2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (4): > Executing sasl bind mech: GSSAPI, user: host/seadv-237-100.d1.gameop.net >

Re: [Freeipa-users] nsupdate refused

2013-04-28 Thread Jakub Hrozek
On Sat, Apr 27, 2013 at 02:34:27PM -0430, Loris Santamaria wrote: > Hi > > On Sat, 27-04-2013 at 10:35 -0400, Guy Matz wrote: > > Hi! Anyone out there know how to get nsupdate to work with an IPA > > controlled DNS server? I have followed the instructions at > > http://freeipa.org/page/D

Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO

2013-04-24 Thread Jakub Hrozek
On Wed, Apr 24, 2013 at 01:20:15PM -0400, Aly Khimji wrote: > Hey, > > Thanks for the quick reply. > > See below > > Client > Hi Aly, I no longer remember the details, but according to the git history, we did some fixes for trusted AD users: https://fedorahosted.org/sssd/ticket/1616 I'm addi

Re: [Freeipa-users] IPA not authenticating - SSSD issue maybe

2013-04-15 Thread Jakub Hrozek
On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote: > There are some odd errors in ldap_child.log but it seems to cover a > later period than the other logs (not being able to bind using its > keytab is a bad thing). > > I think what you'll want to do, and this may be relatively tough,

Re: [Freeipa-users] sudo made a bit easier to configure

2013-04-15 Thread Jakub Hrozek
On Sun, Apr 14, 2013 at 01:49:14PM +0200, Jan-Frode Myklebust wrote: > On Thu, Dec 20, 2012 at 04:43:08PM +0100, Han Boetes wrote: > An even better config would be if we could use the host's keytab to bind > to LDAP here.. Coming up as a default in sssd 1.10 (beta). __

Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Jakub Hrozek
On Wed, Apr 10, 2013 at 02:49:46PM -0400, Shawn wrote: > Yep, sure does. Thanks much. > > If selinux is disabled, why does it care? > It's an SSSD bug: https://bugzilla.redhat.com/show_bug.cgi?id=914433 We didn't realize that SELinux disabled might mean that the directory is not there at all. L

Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Jakub Hrozek
I take it there is no directory /etc/selinux/targeted/logins (or /etc/selinux/targeted/ for that matter?) Does mkdir -p /etc/selinux/targeted/logins solve things for you? > > > > On Wed, Apr 10, 2013 at 2:31 PM, Jakub Hrozek wrote: > > > On Wed, Apr 10, 2013 at 02:27:36PM -

Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Jakub Hrozek
On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote: > (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): > creating the temp file for SELinux data failed. > /etc/selinux/targeted/logins/staajtlQ108(Wed Apr 10 14:22:45 2013) > [sssd[pam]] [pam_reply] (0x0100): blen: 30 I

Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Jakub Hrozek
On Wed, Apr 10, 2013 at 02:11:14PM -0400, Rob Crittenden wrote: > Shawn wrote: > >[root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd > > > >Access granted: True > > > > Matched rules: allow_all > >[root@freeipa ~]# > > > > > >└─> ss

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-04-08 Thread Jakub Hrozek
On Mon, Apr 08, 2013 at 12:40:53PM +0200, Jan-Frode Myklebust wrote: > On Mon, Apr 08, 2013 at 12:26:43PM +0200, Jakub Hrozek wrote: > > > > I tried a similar case locally and everything worked for me. In the > > domain log I saw: > > > >

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-04-08 Thread Jakub Hrozek
On Fri, Apr 05, 2013 at 02:00:58PM +0200, Jan-Frode Myklebust wrote: > On Fri, Mar 22, 2013 at 06:43:07PM +0100, Jan-Frode Myklebust wrote: > > > > > > > > Does the problem go away if you set: > > > selinux_provider = none > > Sorry, no. Also the "No SELinux user maps found!" didn't go away. >

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-04-05 Thread Jakub Hrozek
On Fri, Apr 05, 2013 at 02:42:33PM +0200, Jan-Frode Myklebust wrote: > On Fri, Apr 05, 2013 at 08:19:21AM -0400, Dmitri Pal wrote: > > > > SELinux seems to be OK but the log definitely showing that not all users > > are successfully stored in a group. > > Hmm.. I've noticed that in cn=$groupname,

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-04-05 Thread Jakub Hrozek
On Fri, Apr 05, 2013 at 02:00:58PM +0200, Jan-Frode Myklebust wrote: > On Fri, Mar 22, 2013 at 06:43:07PM +0100, Jan-Frode Myklebust wrote: > > > > > > > > Does the problem go away if you set: > > > selinux_provider = none > > Sorry, no. Also the "No SELinux user maps found!" didn't go away. >

Re: [Freeipa-users] Issues after setup

2013-04-04 Thread Jakub Hrozek
On Thu, Apr 04, 2013 at 03:27:37PM -0400, Shawn wrote: > Hi, > > I have configured an ipa-server, replica and client. > > In the GUI I can see that all hosts are in the "hosts" list.. I have > created a single user as well and attached that user to the client. > > When trying to login as the user

Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?

2013-04-04 Thread Jakub Hrozek
On Wed, Apr 03, 2013 at 06:25:54PM -0400, Dmitri Pal wrote: > On 04/02/2013 01:57 AM, pekka.pan...@sofor.fi wrote: > > > From: Dmitri Pal > > > >> I want also my AD users (from IPA trust) to login inside thru ssh > > but > > > >> afaik this seems to have some older SSSD version and same > > config

Re: [Freeipa-users] Change default shell from /bin/sh to /bin/bash from AD users

2013-04-02 Thread Jakub Hrozek
On Tue, Apr 02, 2013 at 08:43:18AM +0300, pekka.pan...@sofor.fi wrote: > Rob Crittenden wrote on 29.03.2013 01:09:49: > > > > > Anyhow, you can override the shell on the client using the > > > > override_shell directive of sssd.conf. Simply put it into the > domain > > > > section and restart

Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?

2013-03-28 Thread Jakub Hrozek
On Thu, Mar 28, 2013 at 01:14:34PM +0200, pekka.pan...@sofor.fi wrote: > Hi all again > > I have lots of CentOS 5.x servers and I tested one to install ipa-client > and managed to join it to my ipa domain. > > I want also my AD users (from IPA trust) to login inside thru ssh but > afaik this s

Re: [Freeipa-users] Change default shell from /bin/sh to /bin/bash from AD users

2013-03-28 Thread Jakub Hrozek
On Thu, Mar 28, 2013 at 09:56:32AM +0200, pekka.pan...@sofor.fi wrote: > Hi all > > I have changed the default shell to /bin/bash, but it seems when I logon to a > Linux server with my AD username it executes /bin/sh anyway. > When I login with an IPA account, it executes /bin/bash. > > So my question

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-22 Thread Jakub Hrozek
On Thu, Mar 21, 2013 at 09:57:50PM +0100, Jan-Frode Myklebust wrote: > On Thu, Mar 21, 2013 at 03:29:38PM +0100, Jakub Hrozek wrote: > > > > I see several failures related to the SELinux processing: > > --- > > (Thu Mar 21 08:23:57

Re: [Freeipa-users] libsssd_sudo as dependency to ipa-client

2013-03-22 Thread Jakub Hrozek
On Thu, Mar 21, 2013 at 06:58:00PM +0100, Jakub Hrozek wrote: > On Thu, Mar 21, 2013 at 11:39:27PM +0600, Arthur Fayzullin wrote: > > HI! > > I have configured sssd_sudo integration on EL6.4 and it works nice! > > But then I've checked this: > > [afaizullin@

Re: [Freeipa-users] libsssd_sudo as dependency to ipa-client

2013-03-21 Thread Jakub Hrozek
On Thu, Mar 21, 2013 at 11:39:27PM +0600, Arthur Fayzullin wrote: > HI! > I have configured sssd_sudo integration on EL6.4 and it works nice! > But then I've checked this: > [afaizullin@domen00 ~]$ sudo package-cleanup --leaves > [sudo] password for afaizullin: > Loaded plugins: fastestmirror > lib

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-21 Thread Jakub Hrozek
On Thu, Mar 21, 2013 at 11:43:55AM +0100, Jan-Frode Myklebust wrote: > On Wed, Mar 20, 2013 at 02:29:07PM +0100, Jakub Hrozek wrote: > > > > I think pasting or attaching SSSD logs would be a good start. Can you > > put debug_level = 6 into your sssd.conf into the [pam] and

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-20 Thread Jakub Hrozek
On Wed, Mar 20, 2013 at 02:04:24PM +0100, Jan-Frode Myklebust wrote: > On Wed, Mar 20, 2013 at 10:44:10AM +0100, Jakub Hrozek wrote: > > > > This really sounds like a bug. If you encounter a situation like this, > > where a group does not show all its members, feel free to op

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-20 Thread Jakub Hrozek
On Tue, Mar 19, 2013 at 11:05:14PM +0100, Jan-Frode Myklebust wrote: > On Tue, Mar 19, 2013 at 10:01:16PM +0100, Jakub Hrozek wrote: > > Hello Jan, > > I'm sorry you're seeing performance problems. > > We have been struggling with performance and crashes for a

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-19 Thread Jakub Hrozek
On Tue, Mar 19, 2013 at 09:41:23PM +0100, Jan-Frode Myklebust wrote: Hello Jan, I'm sorry you're seeing performance problems. > We're struggling with the performance of IPA, and have tried switching > to the ldap backend for sssd to be able to see what's happening. The > attached trace is from

Re: [Freeipa-users] meaning of several domains in sssd.conf

2013-02-27 Thread Jakub Hrozek
On Wed, Feb 27, 2013 at 09:47:39AM +0100, Jan-Frode Myklebust wrote: > On Wed, Feb 27, 2013 at 09:31:43AM +0100, Jakub Hrozek wrote: > > > > Are there any issues you are seeing with IPA's sssd_be? It would > > definitely be better to fix those first rather than attemp

Re: [Freeipa-users] meaning of several domains in sssd.conf

2013-02-27 Thread Jakub Hrozek
On Wed, Feb 27, 2013 at 08:19:27AM +0100, Jan-Frode Myklebust wrote: > What does it mean to have several domains listed in sssd.conf ? Will > they all be queried on each login, or will only the first domain be > queried if the user/groups is found there? > If the user is found in the first domain

Re: [Freeipa-users] proper way to clear sssd cache without sss_cache?

2013-02-26 Thread Jakub Hrozek
On Tue, Feb 26, 2013 at 02:36:42PM -0500, Dmitri Pal wrote: > On 02/26/2013 02:29 PM, KodaK wrote: > > I know that at some point the sssd package (or maybe the tools > > package) started including sss_cache for managing the sssd cache. I > > have some RHEL5 boxes that don't have this utility. > >

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Jakub Hrozek
On Mon, Feb 25, 2013 at 11:06:09AM +, Dale Macartney wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > > On 02/25/2013 10:58 AM, Jakub Hrozek wrote: > > On Mon, Feb 25, 2013 at 10:30:44AM +, Dale Macartney wrote: > >>>> What state i

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Jakub Hrozek
On Mon, Feb 25, 2013 at 10:30:44AM +, Dale Macartney wrote: > > > What state is your SELinux in? Permissive/Enforcing/Disabled ? > Another fail on my part. Works fine in permissive mode. > No, the SSSD should be working out of the box with SELinux Enforcing. > AVC denials listed below.. > >

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Jakub Hrozek
On Sat, Feb 23, 2013 at 10:40:03PM +, Dale Macartney wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > > On 02/23/2013 10:36 PM, Rob Crittenden wrote: > > Dale Macartney wrote: > >> > >> -BEGIN PGP SIGNED MESSAGE- > >> Hash: SHA1 > >> > >> Even folks > >> > >> I've verif

Re: [Freeipa-users] [Feature request] Adding support for sudo to ipa-client-install

2013-02-21 Thread Jakub Hrozek
On Thu, Feb 21, 2013 at 03:07:10PM +0100, Han Boetes wrote: > This is what you have to do to enable sudo support while using freeipa: I > got it all from > sssd-sudo(5). > > # yum install libsss_sudo > > Add this line to /etc/nsswitch.conf > > sudoers: files sss > > Edit /etc/sssd/sssd.conf
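The three client-side steps in the post above (install libsss_sudo, put "sudoers: files sss" in nsswitch.conf, enable the sudo responder in sssd.conf) are easy to get half right, and a half-configured host silently falls back to the local sudoers file. The script below is an added example, not code from the post or from the SSSD project: it audits those settings on constructed or real files and also checks that sssd.conf is not group- or world-readable, since SSSD refuses to start with loose permissions and the file can hold bind credentials. It assumes the file paths passed as arguments (defaulting to the usual /etc locations), does not check file ownership, and only reports the [domain] sudo_provider lines rather than judging them, because the provider-side settings differ between SSSD versions.

```shell
#!/bin/sh
# Added example, not code from the list post or from the SSSD project.
# Audits the client-side pieces sssd-sudo(5) needs for sudo-via-SSSD:
#   1. nsswitch.conf lists "sss" as a sudoers source
#   2. the "sudo" responder is in the [sssd] services list of sssd.conf
#   3. sssd.conf is not group/world readable (SSSD refuses to start otherwise)
# Assumptions: paths come from the arguments (defaults below); ownership is
# not checked; [domain] sudo_provider settings are only reported, not judged.

# 0 if nsswitch.conf has a "sudoers:" line that includes the sss source
check_nsswitch() {
    awk '
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/^[^:]*:/, "")            # drop "sudoers:", awk re-splits fields
            for (i = 1; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "${1:-/etc/nsswitch.conf}"
}

# 0 if the services= line inside [sssd] names the sudo responder;
# a services= line in some other section does not count
check_sssd_services() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "${1:-/etc/sssd/sssd.conf}"
}

# 0 if sssd.conf has no group or other read/write bits (0600 or tighter)
check_sssd_perms() {
    f=${1:-/etc/sssd/sssd.conf}
    [ -f "$f" ] || return 1
    loose=$(find "$f" -prune \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print)
    [ -z "$loose" ]
}

# Run all checks, print one line each, return the number of failures
audit_sudo_sss() {
    ns=${1:-/etc/nsswitch.conf}
    conf=${2:-/etc/sssd/sssd.conf}
    fails=0
    if check_nsswitch "$ns"; then echo "ok   $ns: sudoers line includes sss"
    else echo "FAIL $ns: add 'sudoers: files sss'"; fails=$((fails + 1)); fi
    if check_sssd_services "$conf"; then echo "ok   $conf: [sssd] services includes sudo"
    else echo "FAIL $conf: add sudo to services= in the [sssd] section"; fails=$((fails + 1)); fi
    if check_sssd_perms "$conf"; then echo "ok   $conf: permissions are 0600 or tighter"
    else echo "FAIL $conf: chmod 0600 and chown root (SSSD will not start otherwise)"; fails=$((fails + 1)); fi
    # Informational only: show whatever sudo_provider lines the domain sections carry
    grep -n '^[ \t]*sudo_provider' "$conf" 2>/dev/null | sed 's/^/info sudo_provider at line /'
    return "$fails"
}

# Usage: sh sudo_sss_check.sh [nsswitch.conf] [sssd.conf]
# With no arguments only the functions are defined, so the file can be sourced.
if [ $# -gt 0 ]; then
    audit_sudo_sss "$1" "$2"
fi
```

Run it as root with no arguments on a client to audit the live files; the exit status is the number of failed checks, so it drops straight into a config-management or CI gate. The nsswitch parser deliberately accepts any ordering of sources, but note that "files" before "sss" means a local sudoers entry wins over the IPA rule for the same user.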

Re: [Freeipa-users] missing member in group

2013-02-18 Thread Jakub Hrozek
On Mon, Feb 18, 2013 at 12:16:33AM -0500, Dmitri Pal wrote: > On 02/17/2013 03:55 PM, Jan-Frode Myklebust wrote: > > On Sun, Feb 17, 2013 at 09:48:10PM +0100, Jan-Frode Myklebust wrote: > >>(Sun Feb 17 21:40:07 2013) [sssd[be[IPALDAP]]] [sdap_fill_memberships] > >> (7): member #2 (uid=emil

Re: [Freeipa-users] Unable to start replica server after setting up replication

2013-01-30 Thread Jakub Hrozek
On Wed, Jan 30, 2013 at 12:02:30PM -0500, free...@stormcloud9.net wrote: > > On 2013/30/01 11:59, Dmitri Pal wrote: > > On 01/30/2013 11:43 AM, free...@stormcloud9.net wrote: > >> On 2013/30/01 09:37, Martin Kosek wrote: > >>> On 01/30/2013 03:22 PM, free...@stormcloud9.net wrote: > On 2013/3

[Freeipa-users] A security bug in SSSD (CVE-2013-0219)

2013-01-23 Thread Jakub Hrozek
A security bug in SSSD === = = Subject: TOCTOU race conditions when creating or removing home = directories for users in local domain = = CVE ID#: CVE-2013-0219 = = Summary: A TOCTOU (time-of-check, time-of-use) race

[Freeipa-users] A security bug in SSSD 1.8 and 1.9 (CVE-2013-0220)

2013-01-23 Thread Jakub Hrozek
= A security bug in SSSD 1.8 and 1.9 === = = Subject: out-of-bounds reads in autofs and ssh responder = = CVE ID#: CVE-2013-0220 = = Summary: Multiple out-of-bounds buffer read flaws were found in = the way the autofs and ssh

Re: [Freeipa-users] Error: Fedora 18 client to IPA Server 2.2.0?

2013-01-22 Thread Jakub Hrozek
On Tue, Jan 22, 2013 at 11:02:39AM -0500, Rob Crittenden wrote: > free...@noboost.org wrote: > >Hi, > > > >Has anyone had success with installing the IPA client on Fedora 18 (with > >SeLinux disabled)? > > > >Server: > >Red Hat Enterprise Linux Server release 6.3 (Santiago) > >* ipa-server-2.2.0-1

Re: [Freeipa-users] Issues to watch out for / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-08 Thread Jakub Hrozek
On Tue, Jan 08, 2013 at 11:49:11AM -0900, Erinn Looney-Triggs wrote: > On 01/08/13 11:44, Rob Crittenden wrote: > > Simo Sorce wrote: > >> On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote: > >>> Hi, > >>> > >>> I assume RHEL 6.4 is GA shortly just how straightforward is the > >>> upgrade from

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Jakub Hrozek
On Mon, Jan 07, 2013 at 03:55:49PM +0100, Natxo Asenjo wrote: > hi, > > On Mon, Jan 7, 2013 at 3:20 PM, Jakub Hrozek wrote: > > On Mon, Jan 07, 2013 at 01:17:21PM +0100, Natxo Asenjo wrote: > >> On Mon, Jan 7, 2013 at 1:07 PM, Jakub Hrozek wrote: > >> > On M

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Jakub Hrozek
On Mon, Jan 07, 2013 at 01:17:21PM +0100, Natxo Asenjo wrote: > On Mon, Jan 7, 2013 at 1:07 PM, Jakub Hrozek wrote: > > On Mon, Jan 07, 2013 at 12:18:12PM +0100, Natxo Asenjo wrote: > >> hi, > >> > >> in sssd.conf I have this regarding netgroup caching info: &g
